Charlie looks at risk management in response to the ongoing COVID-19 outbreak and Black Lives Matter movement.
I wanted to write about risk management and what I perceive is a massive failure of the process and implementation in ensuring that organisations were ready for a pandemic. The continuing momentum of the Black Lives Matter movement and organisations revisiting their links, associations, history and policies on racism has given me an opportunity to look at risk management as a process and explore ways in which it can become more relevant, useful and dynamic.
It’s interesting to me that there has been very little comment, which I have seen, on the failure of organisations to prepare for a pandemic, especially the organisations which have a risk management process in place. In the National Risk Register of Civil Emergencies, 2017 edition (see figure 1), a pandemic is the highest risk, with a likelihood of 4 out of 5 of occurring within the next 5 years, and a severity impact of 5. If risk management has any purpose, it is to identify the most severe and likely risk to an organisation and then something can be done to mitigate the risk. Many organisations, if not most, seemed unprepared for a pandemic, and when it happened, they were scrambling around to find solutions and making up their response as they went along. The response of our government seems a good example of some of the issues which they are only now starting to get on top of, such as lack of PPE or preventing COVID-19 taking a hold in care homes. They didn’t seem to be prepared for even the most obvious issues associated with a pandemic. With good preparation prior to the event, these could have been minor rather than major issues. Some have portrayed this as a ‘black swan’ or a ‘grey rhino’ event, something out of the blue, but for me and being blunt, it was a well-documented, known risk, but many organisations chose to do nothing to prepare.
Figure 1 - Extract from National Risk Register
In my opinion the main risk management failure was that we knew that the virus was gaining momentum in China as early as January, and cases were starting to appear in other countries. There was six weeks or so when it was fairly likely that it was going to be a pandemic and still many organisations were not prepared. The government introduced the lockdown with only a few days’ notice and many organisations scrabbled around to buy laptops and deploy Microsoft Teams licences. There were some organisations who anticipated an ongoing pandemic, such as a worldwide supply chain/logistics company we work with and when they saw their operations in China affected, they started preparing the rest of their operations worldwide. In addition to preparing they were able to conduct exercises in the UK to ensure that their plans would work. I suspect Brexit preparation helped, so they had teams of people who had recent experience of contingency planning.
The failure of risk management is not the process, but the people who operate the system. Risk management was right about identifying a pandemic as a risk and we have seen with the economy shrinking by 20% that the impact has been high. Therefore, my first point is that if you have a risk management process, take the findings seriously and prepare for your highest identified risks.
The second issue I see with risk management is that often it is very static. You do your risk assessment, as you know that you are meant to do one, and then you revisit it periodically as little as up to a year. I was a board member of a charity and persuaded them to carry out a risk assessment, which they rather reluctantly did. They updated it once a year at the annual weekend board, mainly I suspect to keep me quiet. They saw no benefit in it and it was a tick box exercise. For me, risk assessment must be dynamic and has to be revisited often to make sure it takes into account new and developing risks. Most organisations who have incident management in place, have a criterion for activating their plan. This is a stage, before activating the plan, where the identified issues or events can be reviewed and then action taken, to either mitigate the risk, to prevent it becoming a risk or crisis, or prepare for it if it does affect the organisation. In this bulletin we have often talked about the role of the business continuity manager in horizon scanning for new threats and Issues, so this role of reviewing the risk register dynamically could be allocated to them.
This brings us on to Black Lives Matter. The movement has been around for several years, but I am not sure that anyone anticipated that the death of a single person at the hands of the Minnesota Police would cause worldwide soul searching for organisations, institutions and countries roles in carrying out racist acts or having racist attitudes. Statues, places names, past events and even TV programmes are under scrutiny and review. The role of the Business Continuity Manager is to identify this as an issue and then examine their organisation’s exposure. If the organisation has a long history then they may have at some time benefited from slavery, the organisation may be based in a building or street which has racist associations, has the organisation put out products which could be seen as inappropriate? The pulling of ‘Little Britain’ off BritBox is an example of this. Has the organisation had a party or celebration involving fancy dress which would now been seen inappropriate? There are lots of different ways organisations can be vulnerable, and if we can understand quickly our organisation’s exposure, we can take appropriate action or have a defence in place if our organisation is named or associated with racism.
In terms of the response to COVID-19, there are two lessons. If we are to take risk management seriously then we need to listen to the information which comes from our assessment and then take appropriate action. Secondly, our risk management needs to be dynamic so that as events occur, we can review them against our risks or identify them as new risks and ensure that our organisation takes appropriate action to deal with them, before they become a crisis for the company.