Operational risk management: what a tiny virus has taught us

What’s arguably the most important risk you should avoid? It’s the risk of doing nothing, to remain idle, Mihai Stroe, who helped us put this article together, told us. That’s why this blog is a go-to guide for your organisation to review key aspects of the Operational Risk Management (ORM) Framework in place. 

When the world almost shut down in March 2020, a month carved in our collective memory, organisations had to act as fast as possible to ensure business continuity. Because of their preparedness and flexibility, some dealt with the crisis better and even saw it as an opportunity for transformation and the creation of innovative products or services. Since then, operations, digitalisation, cybersecurity, risk management, to name a few, have become a priority on the growing list of “things to change” in the business realm.

However, in most organisations, a COVID-19-pandemic type of crisis was barely incorporated in their risk management framework or in their internal control environment (or not at all). During the first months of the “coronavirus”, most organisations had to improvise and come up with a workaround to spade the rapid development of the crisis. They only started to adjust their way of doing business in a second stage. 

Sometimes at a medium pace, sometimes galloping, business transformation started to happen, but soon the new setting and the new ways needed to be harmonised and aligned with the entire governance and internal control frameworks. 

COVID-19 pandemic, like any other challenging business experience, has a silver lining. The coronavirus’ lessons learnt are definitely strengthening the ORM function. At this point, a few business leaders, if any, could question the importance of effective ORM, fully embedded in the organisational culture.

ORM englobes business continuity plans and risks linked to the environment,  process systems, third-party fraud, workforce and technology (including cybersecurity and cyber fraud).  All of them have been in the spotlight over the last 15 months, playing a critical role for all organisations.

When thinking of implementing new processes or for the ones newly implemented as a result of a crisis situation, reflect on these questions:
Is this new process workaround which I was forced to implement in line with my risk appetite or is the organisation taking additional unwanted risks?

What is the impact of these new activities on my other processes and controls? Have any of them been bypassed?

Has any new conflict of interest arisen after these new/revised processes?

Advice, even from the “cheap seats” (or a virus): reflecting on ORM in times of pandemic

You may have thought quite differently about the ORM that your organisation had put in place before the pandemic took us by surprise. Likely, we all thought we were well-prepared to deal with any risk bigger than a tiny piece of RNA that, according to science, isn’t even fully alive.

But COVID-19 came and what could have taken months or years to happen in terms of digitalisation and innovation, was accelerated. Businesses finally came around to the fact that transformation wasn’t a nice-to-have but a must. 

The sui generis context in which we have all had to work, the situations that businesses had to face in terms of operations, procurement, supply chain, people management and security among others, and the personal and work experiences that each and everyone of us lived, have provided us with valuable insights into how robust or agile our organisations are, their strengths and weaknesses. 

It’s time to reflect on what made our organisations survive, bet on innovation, fail on some aspects or shut down certain units or even entirely. These experiences should be capitalised and enhanced because the sustainability, resilience and flexibility criteria you will embed in your strategy as of now are greatly influenced by the COVID-19 crisis.

See, these questions are handy to guide your reflection exercise: 

  • What were the positive aspects of the crisis?
  • What were the main issues encountered when taking action to face the pandemic? 
  • In case of limited possibility to act, what were the causes? 
  • Based on the previous answer, what should be the areas of improvement?
  • What should be definitely changed in the future so the business’s ORM strategy upgrades and strengthens?
Recharging the ORM batteries

ORM has, in a way, a lot to thank the COVID-19 pandemic, as bizarre as it may sound. After all, the latter has been a booster, a fact that has made more obvious the importance of ORM to us all, but especially to the organisations whose attention to it was little or insufficient.

It’s time to grasp the nettle without further delay. Start by performing an overall risk assessment of your organisation, analysing not only how ready it was at the beginning of the pandemic and through the crisis, but also how it is today and for the future to come. Think of your readiness in the context of new types of crisis or disruptions. 

The in-depth assessment will unequivocally result in a set of lessons learnt. Then, enhance the positive aspects and define actions to take to avoid what went wrong. 

Let’s take a dive into the assessment. 

We recommend you consider the following key areas (see the infographic below) that give you an eagle-eye view on how to overcome challenges that your organisation have likely encountered during the pandemic. It includes specificities determined in the assessment phase.

Keep the focus on risk indicators

The entire assessment process needs appropriate monitoring. A set of relevant key risk indicators (KRI) will ensure that all potential perils the organisation might be exposed to, are taken into account. 

By definition, any change in the KRIs setup should be supported by aligning and strengthening the data collection process.

You want to address all the above focus areas in a more comprehensive and thorough way than in the past. This is precisely the right moment to put in to practice the lessons that the last challenging months have taught us.

When performing this exercise, your organisation has the chance to identify and discontinue processes that aren’t working as expected and to replace them with effective, robust and sustainable ones.

The result of these assessments should strengthen each component of your ORM framework, making your organisation more resilient and mature, and ready to face new challenges.

What we think 
Alexandre Lambin, Risk Assurance Partner at PwC Luxembourg
Alexandre Lambin, Risk Assurance Partner at PwC Luxembourg

Companies could benefit from an improved ORM framework triggered by the pandemic to boost their efficiency and, ultimately, profitability. 

Jean Philippe Maes, Risk Management Partner at PwC Luxembourg
Jean Philippe Maes, Risk Management Partner at PwC Luxembourg

For the last 2 years (i.e. even before the pandemic hit), we have observed a strong renewed focus on operational risk from regulators and supervisors alike. Working remotely arrangements that have happened over the past year will only make this focus stronger.

Have a look at our Operational Risk Management website and discover our services!

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to Top