The rapidly growing and ever changing global developments of COVID-19 are creating unprecedented levels of disruption from both a human and economic perspective and unprecedented levels of uncertainty on a global, political, business and personal level. As compassionate humans our priority is human safety and the protection of life impacted directly by the virus. At the same time however, we must also ensure we look to the medium and longer terms and realise that the impact on humanity also comes indirectly from the impact on economies, on employers who provide our livelihoods and so on. Most importantly in the long term we must look to recovery.
At Protecht, we are passionate about the role that risk management can and should play in all phases of this pandemic's life, from managing the current day to day rapidly changing environment, addressing the medium term by managing the indirect risks affected by COVID-19, as well as the longer term impacts and ultimate recovery.
We are developing a range of information and methods to communicate with you, our fellow risk managers and business managers, from live webinars, blogs and ebooks to short videos. This page will consolidate all of this information to provide a single source. We will be continually updating the page and related resources as we are conscious that information can soon become out of date given the speed at which COVID-19 is developing and changing.
We hope this information is a help to you.
A rational look at COVID-19 risks
Humans fear what we don't understand. Many humans don't understand risk well, and especially the COVID-19 risk. This leads to fear and irrational behaviour which exacerbates the situation, compounding the negative impacts on our world. I am sure most of you have read about the toilet roll panic buying in Australia a few weeks back - irrational and driven by fear!
To be fair, it is difficult to understand something like a pandemic that happens very rarely, and when it does, it is different from those that have gone before. COVID-19 is different. In addition, available information ranges from the highly technical to the downright irresponsible and everything else in between.
This makes the management of COVID-19 much harder, especially in relation to how we should respond. What treatment methods, including controls, should we implement? Even our bodies were not ready for this one as it's the first time it has been transmitted to, and between, humans. It is "novel".
Rather than panic, it is at times like these that we should go back to fundamental risk principles and use the robust risk management frameworks we have invested heavily in.
The starting point is getting a rational view of risk.
We at Protecht like the Risk Bow Tie technique to help get a rational and pragmatic view of risk. This technique, although not perfect, helps to analyse risk logically so that we can be sensible with our responses and have a robust framework to understand and manage the risk(s). For those not familiar with the Risk Bow Tie method, here is a quick summary.
Figure 1. Example Risk Bow Tie
This analysis breaks risk down into its main component parts:
- The root causes. Where the risk begins. For COVID-19, this is transmission of the virus from animal to human.
- The risk events. The events that link the causes to the impact. The main event (being the centre of the bow tie) is the point of losing control of the situation. It is usually the short name for the risk.
- The risk impacts. These are the impacts on the objectives, remembering that "Risk is the effect of uncertainty on objectives".
- Controls. "Measures that maintain and/or modify the risk". For threat risk, these are measures that reduce the likelihood and/or the impact of the risk.
If we apply this methodology to COVID-19, what might it look like?
The following are two examples of COVID-19 related Risk Bow Ties from the perspective of:
- an individual
- an organisation
This shows an individual's perspective focused on the objectives of physical and mental well-being, together with some example controls:
Figure 2. Example Bow Tie from an individual's perspective – Residual Risk with controls.
The individual's bow tie analysis above includes controls such as regular hand washing as recommended by the World Health Organisation (WHO):
The best way to prevent and slow down transmission is to be well informed about the COVID-19 virus, the disease it causes and how it spreads. Protect yourself and others from infection by washing your hands or using an alcohol based rub frequently and not touching your face.
A separate blog article will be dedicated to looking at risk treatment methods and controls over the COVID-19 risks.
This individual perspective Risk Bow Tie is relatively straightforward. However, the following illustrates an example COVID-19 risk profile for an organisation:
Figure 3. Bow Tie from an organisation's perspective - Inherent Risk with no controls.
What does this tell us?
- The COVID-19 risk scenario is complex.
- The COVID-19 scenario potentially impacts every key risk of an organisation covering the full range of financial, operational and strategic risks and every objective of the organisation. In many ways, it is a perfect storm.
What is clear is that we cannot take a narrow view of the COVID-19 risk. We must ensure that all key risks of the organisation are assessed, monitored and managed. We will have different priorities as the pandemic plays out, initially focusing on the physical health of our people and the public but we must ensure that all impacted risks are managed to the best of our abilities.
This is the time for a well-developed, well-embedded and well-operated enterprise risk management framework and processes to be leaned upon. This is one of the key reasons Enterprise Risk Management exists. It is not a time to throw away risk management thinking. It is a time to bring it into action.
What can you do?
- Ensure that the risk impact of COVID-19 is fully analysed and understood by the organisation. Hopefully the above diagrams will help your thinking.
- Ensure that your full range of risks (in priority of what matters the most) are updated and reassessed to ensure you have the right treatments and controls in place.
- Ensure you have the right reporting in place to provide a live dynamic profile of your risks as this pandemic unfolds to those that need to know.
- Ensure staff are engaged with what is required from a risk management perspective and that their actions are being monitored.
This is a time for strong leadership and rational thinking and strong risk management is the core to that strength.
Moving from Pandemic Planning to Pandemic Reality
One could argue whether the current COVID-19 pandemic is a "Black Swan" according to Taleb's definition or not. Whatever your view, what is clear is that prior to its emergence it was a very low likelihood, very high impact event.
As a result, pandemic risk usually showed up on the bottom right corner of the traditional risk matrix:
Figure 1. Traditional Risk Matrix
As a result, we typically analysed pandemic risk through stress testing and scenario analysis. As it was low likelihood, we typically focused on reactive / corrective controls such as Pandemic Plans, Disaster Recovery Plans and Business Continuity Plans. We did our best with limited information and knowledge as, by the very nature of a pandemic, we have little collective past experience.
As the "black swan's" egg has hatched and we move into pandemic reality, the risk profile has completely changed in nature:
- The risk of pandemic (uncontrolled virus) has now occurred. The likelihood from a global and country perspective is 100%. We are now in reactive mode. COVID-19 infection is now a domestic chicken, the most prolific bird in the world.
- A range of new risks have emerged e.g. the risk of food shortages or lack of medical care for our staff.
- Many new controls and treatment methods have been and are being implemented. These controls are not proven and they themselves are creating a new range of risks – the unintended or undesirable side effects of controls. As the ISO 31000:2018 standard says, "Controls may not always exert the intended or assumed modifying effect". The emotional and mental well-being impact of isolation, not to mention the economic impact, is expected to be huge.
- Many existing business-as-usual risks have changed. Cyber risk is a different beast now that we have staff working from home with a range of portable and perhaps less secure devices.
In addition, the world is changing rapidly in ways we thought unimaginable a few weeks ago. This creates an ever-changing and dynamic environment and operating model which, by default, creates a dynamic and ever-changing risk profile.
So how do we keep on top of all of this?
- We must not take our eyes off the ball with regard to the full range of risks that we need to manage.
- We need to understand the effect that COVID-19 has on our range of key risks. What is the effect of working from home on cyber and data security risk?
- We need to be fully informed of the current risk profile for all of our key risks and how they are changing over time so we can make appropriate decisions early. This requires us to have a consolidated real time view of our key risks and how they are changing over time. This should include data for each risk type such as:
- Risk Indicators
- Summary of incidents
- Understanding as to the effectiveness of our key controls
- Summary of compliance attestations to ensure staff are complying with the rapidly changing behavioural requirements
We at Protecht refer to this "live" risk profile as "Risk In Motion". This provides a dynamic review of risk and, given the rapidly changing COVID-19 landscape, a dynamic view of risk has never been more important.
Figure 2. Risk In Motion
When this is all over, and of course it will be, we then need to reflect. We need to be able to look back and say we did well, we made good decisions and our risk management capabilities did us proud. We need to learn from the experience: what went well and what did not go so well? How will we factor these learnings back into our collective risk management knowledge, from changing our operating models to improving our control frameworks?
These will mainly involve review and updating of our Pandemic, Disaster Recovery and Business Continuity plans but may also feed through to more business as usual controls and practices to make us less vulnerable and more resilient to the next pandemic.
Risk Velocity and flattening the COVID-19 curve
Much has been said about "flattening the COVID-19 curve". This refers to:
- Reducing the number of open infected cases at any point in time
- Extending the period over which the virus is active
Figure 1. A sample epidemic curve, with and without precautions like social distancing.
Source: CDC/Drew Harris/Johannes Kalliauer
The purpose of "flattening the curve" is to:
- reduce the overall number of infected cases and thereby reduce the overall number of deaths and illness, i.e. reducing the overall impact;
- limit the maximum number of infected cases at the peak so as to ensure that our health systems are not pushed past capacity leading to higher death rates.
As the Australian Health Protection Principal Committee (AHPPC) says in their 17 March 2020 coronavirus (COVID-19) statement:
[...] demonstrates the impact of effective social distancing and other interventions on the timing and size of the peak burden of disease.[...] the intent is to ensure the burden of disease does not exceed the capacity of the health system to manage. [...] The overarching goal of our recommendations is to slow the spread of the virus and flatten the epidemic curve.
The assessment of the size of a risk traditionally involves assessing the likelihood of the risk occurring and the impact/consequence if the risk was to occur. This two-dimensional approach has been, and is being, commonly used across the majority of risk frameworks. Risk velocity as a separate concept, however, represents the third dimension of risk.
A focus on "flattening the COVID-19 curve" brings the importance of risk velocity back into focus.
Velocity, as defined in physics, is the length of time taken by an object to move between two points. When applied to risk, risk velocity is the speed at which a risk travels between two parts of its life.
The lifecycle of a risk has several phases. These can be illustrated using an example "COVID-19" risk bow tie analysis. The following analysis is shown from the perspective of an individual (as opposed to the world, a country or an organisation).
Figure 2. Example COVID-19 Risk Bow Tie
Prior to a risk eventuating, the key time points are:
- Causes: The point at which the risk commences. There may be one or multiple causes.
- Events: The various events that occur between the risk causes and the risk impacts. There are usually many events associated with a risk.
- Impacts: The impact of the risk on objectives.
- Recovery: The point where we have recovered back to the original position or to the best position that is possible.
The velocity of risk may well change inherently across many parts of its life, from cause to impact, from event to event and so on. Velocity controls seek to modify the speed at which a risk travels through its life. The question is, for a threat risk such as COVID-19, how do we wish to modify velocity?
Generally, for a threat risk, the faster the velocity, the greater the risk. I used to fly hang gliders and the velocity of risk (falling from the sky) has a direct effect on impact, quite literally! However, there is another effect of velocity and that is the faster the velocity, the less time we have to manage the risk before impact is felt. Slowing risk velocity provides greater time to manage the risk which allows more resources to be thrown at it.
The natural progression is then to apply velocity reducing controls. In hang gliding, this is the parachute, literally slowing the velocity at which you fall from the sky. This reduces the direct impact with the ground but also provides more time to deal with the situation on the way down to move the glider away from power lines, main roads and bodies of water. Consider the following velocity reducing controls:
- Fire water sprinklers
- Fire retardant doors
- A bilge pump on a sinking ship
- Speed limits and speed cameras
The same is true for COVID-19. We need to slow it down. As with the parachute, slower velocity will reduce the overall impact (reduced deaths) and provide more time to manage the risk so that our health systems are not overloaded and we can cope much better with the risk over time.
So how do we slow it down? The most obvious is to slow the spread of infection. This includes:
- Social distancing and at the extreme, isolation.
- Increasing testing so that infected people are identified and able to be isolated earlier.
The issue we face now is that the COVID-19 risk is well underway and has great momentum. It is like slowing a racing train and only the best brakes are going to have an effect. The sooner we apply those brakes, the more chance we have of slowing this thing and allowing our limited health resources to cope.
That said, there is one part of COVID-19’s life where we want to rapidly increase velocity and that is time to recovery, something I am sure we are all so looking forward to.
5 Australian Health Protection Principal Committee (AHPPC) coronavirus (COVID-19) statement on 17 March 2020
Prior to COVID-19, most of us would have had "pandemic" risk on our risk registers together with the key controls of Pandemic, Disaster Recovery and Business Continuity planning.
Now that the Pandemic risk has "hatched" and we are operating in the midst of its development, it has produced a substantially changed risk profile by modifying many of our existing risks as well as adding some new risks. For our pre-existing risks that have been impacted, it is critical that these are reassessed in light of COVID-19 and continually monitored and reassessed on an ongoing basis as the virus develops and the world continues to change.
Once these risk assessments are updated, we need to identify risks that are outside of our risk appetite. In the case of threat risks, particularly health and safety risks, our risk appetite will be determined by "As Low As Reasonably Practicable" (ALARP) or "So Far As Reasonably Practicable" (SFARP).
- Achieve ALARP / SFARP level
- Balance the costs and benefits of each control.
The decision as to which treatment methods and controls should be put in place is the key to good risk management. The factors to consider in making the decision are:
- What are my objectives during the COVID-19 period? Are my objectives to not get infected and not infect others or are they to provide medical assistance to infected patients and so on?
- What is the expected effect on the level of risk, both the likelihood of it occurring and / or the impact if it does occur?
- What are the costs of risk treatment methods and controls? The cost of a treatment method is made up of four components. They are:
- The $ cost
- The time cost
- The impact on the objectives
- The additional risks created by the control.
We then have to weigh up the effect the control has on the size of risk against the total cost.
This is the decision dilemma.
Compliance Management and COVID-19 - Joined at the Hip
Compliance at the best of times is often met with sighs, feelings of burden and a "we need to do it because we've been told to" attitude. In a COVID-19 world, there is an even greater chance of this reaction when we consider there are so many more important things to do and worry about.
Yet, compliance is one of the most critical functions when it comes to managing and defeating COVID-19.
Compliance means conforming to "rules". The rules applying to an organisation are referred to as "Compliance Obligations".
So what are these compliance obligations for? Fundamentally, compliance obligations are there to ensure human and organisational behaviour stays within the risk appetite of the jurisdictions we operate in, within the risk appetite of parties who we are transacting with and within the risk appetite of the organisation itself.
So how do compliance and COVID-19 fit together and affect each other?
1. Method of implementing and enforcing minimum controls across society
The whole purpose of this is to ensure minimum controls over COVID-19 infection risk are in place and working. Compliance is there to protect us!
2. Deferred compliance changes
We have seen a number of regulators deferring the implementation of new regulatory regimes in response to COVID-19 in order to give relief in these difficult times. We need to change our compliance projects to defer the work for more important matters.
3. Adding new compliance requirements and commitments
We are seeing a raft of new compliance requirements being imposed almost on a daily basis, primarily around social distancing and isolation. Also, in financial services, we are seeing a range of government-led compliance changes to relieve financial suffering to customers.
4. Increasing risk of non-compliance of existing obligations
COVID-19 has increased the risks of non-compliance in many areas. For example:
- HR practices of standing down staff may breach employment law
- Working from home has increased the risk of breaching data privacy laws
- New rules around the treatment of financial services customers have increased the risk of breaching conduct laws
Managing compliance and related compliance risks is no easy task and is made harder in the current environment. It is critical organisations do not "drop the ball" during this difficult period as the repercussions will only exacerbate the impact of the current situation.
Operational Resilience: Where will you bounce?
In a recent post by Warren Black, he stated:
"Clearly, organisational resilience in the face of disruption, is not about bouncing back but rather about bouncing forward."
Such wise words!
Viewing this from an organisational rather than personal perspective, when the dust begins to settle on COVID-19, where will your business bounce?
Here are six questions for you to consider:
- What is the inherent risk level of your organisation to COVID-19?
- What level of resilience did you have prior to COVID-19 developing?
- How are you reacting to COVID-19 as it develops from an operational point of view?
- How well are you managing all of your other risks, many adversely impacted by COVID-19, during this period in order to limit further damage?
- How well are you learning, and will you learn, from this experience?
- How well are you identifying and acting on opportunities that present themselves?
You need to consider which of the above you can influence right now in the short term and not fret about those you cannot.
We believe that great risk management is the key to doing the best that you can, so that after this is all over you can look back and be proud that you did your best and that you bounced as far forward as was possible.
Assessing your COVID-19 Organisational Health
To help you manage COVID-19 related issues in your business, we've created a free assessment tool which you can use as a starting point for assessing your COVID-19 Organisational Health.
The tool is only an example and not aimed at covering every issue that needs to be considered in every industry. To make the most out of the tool, use the workbook to create a custom COVID-19 health check for your industry by:
- Tailoring the 8 example areas of focus included in the workbook and
- Tailoring the example questions for each area of focus.
Example COVID-19 Management Assessment summary which can be included in your reporting pack.
About the Author
David Tattam is the founder and current Director Research and Training for the Protecht Group, an Australian firm specialising in risk management software, consulting, advisory and training to a wide range of clients both locally and overseas. David’s passion is risk training, having developed numerous risk courses and trained many thousands over the past 2 decades.