One statement that Risk Managers hear quite often these days is that the COVID-19 pandemic is, after all, an unexpected event and therefore one on which we did not provide enough warning to our companies or our clients. However, recent history tells us that this is not true. So far, the first score of the 21st century has had three regional epidemics such as SARS (2003), Swine Flu (2009), and MERS (2012).
Additionally, pandemic risk was among those most frequently highlighted in the last ten years by the Global Risk Report of the World Economic Forum (WEF) Global Risks Report, and consistently ranked among the 5 most impactful risks in the WEF report. It can however be observed that over time it has fallen in the probability scale, while remaining indicated with a high impact. This shows that, despite warning signals, the perception was no longer adequate and more recently the focus has shifted towards new risks, such as cyber risks, without putting enough emphasis on the fact that most corporate risk management system are not adequately prepared to be resilient to an event like the current COVID-19 crisis.
However, the existence and significance of this potential risk, has been known for years. We can also add that the implementation of a shutdown to slow‑down the spread of an epidemic and to mitigate its consequences in terms of death toll and improve sustainability of the national healthcare systems of different countries falls within the recommendations provided by the World Health Organization.
The statement that all companies were caught unprepared is false. The advantage of having a Business Continuity Plan in place can to benefit the organization regardless of the type of disaster which strikes the company. However, there are certain aspects that are specific of each type of risk and therefore need to be addressed individually. In the case of pandemic, one of the immediate impacts that each of us is experiencing is “social distancing”. The need to reduce the opportunities for contact between employees is a consequence of the shutdown recommended by WHO and therefore this is also something that should not have been unexpected.
Current threat exposure
Pandemics such as the current Coronavirus (COVID‑19) do not represent a traditional business continuity risk. For instance, they do not impact a single physical location over a finite period of time. The Coronavirus epidemic is challenging the way many organizations respond to risk. In this case, their physical assets (factories and systems) are available for use, but the employees, suppliers and customers are likely affected and not available. There is also the added pressure to the bottom line as traditional insurance coverages do not respond to business interruption in the case of a pandemic.
Most organizations have developed an approach to managing crises and in many cases have business continuity plans in place. The key question, however, is how effective is this approach during a pandemic situation? Many stakeholders are starting to question existing policies and plans and as a result are finding it difficult to provide the levels of reassurance that are being sought.
How will technology change the risk profile of organizations?
Some of the consequences of the government guidelines that have been put in place in order to mitigate the impact of COVID‑19 (stay‑at‑home order, social distancing, etc.) have accelerated the migration of business processes towards technological platforms, in order to maintain the day‑by‑day activities. Two examples of this acceleration can be seen in both the collaborative technological tools with full capabilities that support telework and distance education, and robotic process automation (RPA) solutions supporting business and operational processes.
These technological solutions are arriving in this specific moment with incredible speed, beyond any imaginable maturity process. This mandatory, very fast and “urgent” migration towards technology solutions together with the natural development of the technology occurring before the COVID‑19 pandemic like the internet of things/ internet of people (IoT/IoP), artificial intelligence (AI), robotization, etc. all of which are governed by Moore’s law. Moore’s Law is the theory affirming the speed and capability of computers doubles about every two years. All of these factors will generate a technology‑driven future faster than expected, and theories regarding technology in the near future (technological singularity, etc.) made by futurologists like Alvin Toffler (“The Third Wave”) and Ray Kurzweil (“The Singularity is Near”), may soon be proven correct.
How will this technological development impact the overall risk profile of organizations?
a) the emergence of technology risk as one of the most important risks being faced by organizations;
b) the way how this risk will be managed, in this case both IT risks (Information Technology) and OT risks (Operational Technology) will be managed in an integrated environment, building an Enterprise‑Wide Technology Risk Management System;
c) the integration of the different risk transference products (insurance policies, etc.) in a single solution that includes all type of technology risks like cyber, property, liabilities, etc. and including time element coverages (consequential impacts), like Business Interruption (Non-Damages Business Interruption, etc.);
d) the characteristic of the risk professionals managing this type of risk, who will have to have both strong technological skill and competencies as well as a corporate holistic approach of the business models. The silos vision in the organization is over for this type of risk professional.
Lessons learned
The first, and one of the most important, steps in the risk management process, is risk identification. As mentioned earlier, the pandemic risk has, again and again, been included as one of the most important risks, in the Global Risk Reports presented during the annual World Economic Forum. Additionally, Risk Management organisations, such as FERMA, RIMS, Fundalarys, ANRA and APOGERIS, Anra have identified all the impacts from the COVID‑19 pandemic that have occurred over the last few weeks and months, both direct and consequential, in their prior studies. Likewise, these risks were identified in benchmarking studies conducted by risk consultants like RCG, Ankura and Augustas.
However, many organizations and countries did not address some of the impacts that have happened since the beginning of the pandemic. This lack of preparation led to the world exploding into extreme chaos and gravely affecting the lifestyle of people all around the world. This pandemic shows us that all risks that have been identified (even when they seem impossible to occur at the earliest stages) must be managed. Once a risk is identified, countries and organisations should immediately start with the assessment of their potential impacts, in order to select the best risk management techniques for mitigation, including transference to the insurance / reinsurance market.
We are sure that in the near future there will be many ways identified to deal with the outcomes of pandemic risk. Professional risk advisors are needed more than ever as risk managers and brokers together will be putting pressure on insurers and reinsurers for more restructured insurance plans and risk transfer and management solutions. Additionally, companies will ask for favorable attitudes and understanding from regulators, who will need to keep an open mind like with the pools and governments working together after the terrorist acts in 2001, regarding the development of innovative solutions for risk mitigation, retention and, of course, insurance products to cover these kind of risks.
Risk managers and risk management consultants, like the ones that are part of the Brokerslink risk management practice, are ready and willing to work together with brokers, insurers and reinsurers to design better solutions to manage the pandemic risk. If risk management recommendations are taken into more serious consideration, negative unexpected consequences from identified risks like COVID‑19 could potentially be reduced or even avoided altogether.
Note: Corey Gooch (Ankura) and Maurizio Castelli (Augustas) are members of the board of the Brokerslink Management Practice Group (RMPG), chaired by Jorge Luzzi.
