Risk is a function of probability and impact. It's what can go wrong and what one doesn't see coming. It may be a threat, vulnerability, loss, damage, impairment or injury. It's the uncertainty and unpredictability that make risk interesting and difficult at the same time.
The world is now clearly looked at in terms of the pre- and post-Covid eras.
Even before the closing stages of the pre-Covid era, in 2019, the global economy was slowing down. Businesses were facing reduced margins, and many corporates were finding it difficult to survive. Both the number and the monetary value of frauds were increasing, especially cyber frauds. Governance issues were cropping up and there was a general degeneration of ethics. Geo-political tensions were rising and climate change was causing widespread disruptions globally. Social media was an integral part of everyone's daily life and the internet was all-pervasive. Technology was making deep inroads in terms of innovation and speed to market. Artificial Intelligence, Blockchain and Cloud computing (ABC) were rapidly becoming the new normal. Business Continuity Planning and Disaster Recovery were factored into risk assessments. The world had been exposed to Black Swan events after the 2008 global crisis; however, risk assessment, though rigorously mandated by regulators, was complied with largely in the letter of the law and not in spirit, perhaps due to the costs and efforts involved.
This is when Covid-19 struck and turned the world upside down in 2020. Vaccines are now available and vaccination is gradually happening. However, newer strains of the virus and the eruption of second and third waves of the pandemic are still causing uncertainty. The virus progression is a classic case of risk identification failure: when it first struck in Wuhan, in late 2019, no one saw it coming. Once it was identified, post the impact, none could measure the volatility and amount of global disruption it could cause. A remedy has been found, but it is too early to call it a complete success. The spread has been drastically curtailed, but that has taken its own time and has come at a heavy cost. Communication on the current situation is still not very clear. There are still some misconceptions post unlocking, with people freely violating social distancing and masking norms.
Let's look at the changes in the risk scenario that Covid-19 brought about:
1) It has made us realize that risks can come in any shape and size, striking devastatingly. The speed at which risk can travel across the globe, causing widespread damage along the way, is now part of the risk record books. Risk identification will now factor in even the blackest of the black swan risks.
2) Technology still has to catch up. Innovations in the health care industry will continue to get increased funding.
3) People can adapt with the times, and the lockdown phase proved that people can live frugally with minimal basic needs taken care of. If this psyche remains, then, apart from the lack of purchasing power due to dwindling incomes, it will lead to the closure of many businesses catering to luxury or discretionary spending. Only the fitter amongst the fittest will survive. The consolidation already happening across industries will be even quicker.
4) Personal Health and Hygiene, long neglected by many, will be in the limelight. Preventive immunity will be the buzzword.
5) The 'Work from Home' culture will continue. There will be hybrid work models. Business Continuity Planning will need to factor in long-term disruption scenarios and adapt appropriately. Data availability and confidentiality will assume increased importance.
6) Unemployment levels will rise, requiring people to re-skill. Mental toughness, Collaboration, Grit, Resilience, Networking, Creativity, Critical Thinking, Communication, Self-Awareness, Decision-making skills and Empathy will be in demand. Online or Digital will be trending. Many business models will undergo changes.
7) The urgent necessity will be to have a service or product that addresses a serious pain point or a real problem. Value will be the sole deciding factor, with the right pricing and speed being the key.
In all these scenarios, the Risk function will need to evolve with the times, being strategically dynamic, flexible and adaptable to the new, changing normal. It will get the focus it rightly deserves.
1) Risk identification and assessment –
Capturing the probability and impact of an event will be even more pro-active, detailed, scientific, prudent, automated and comprehensive. The function will be focussed, specialized and manned by people with diverse skillsets. Processes will be more pro-active, preventive and continuously ongoing. The same will apply to risk evaluation, analysis, measurement and monitoring. The entire gamut of risks currently identified will be reviewed and looked at afresh with more stringent stress testing norms. Risk Appetite, Risk Tolerance levels and limits will be re-defined.
2) Control mapping –
The efficacy of current controls addressing risks (both design and implementation) will need to be comprehensively reviewed and looked at afresh. Focus will be on pro-active, automated controls. Cost will be the key criterion and hence prioritization will be a must. Redundant controls will be weeded out to eliminate waste and make processes simpler, smoother and faster. Corroborative, deterrent and corrective controls will continue to be widely used. There will be zero tolerance for ethical violations and things will have to be done right the first time. The Human Resource function will need to be more active, especially in handling skillset upgradation, work engagement and mental stress, and in delicately tackling termination and pay-cut issues.
3) Gap – Vulnerability analysis –
Solving or addressing the real threat or the main issue will be a pivotal exercise in all organizations. Prudence, Conservatism and Scepticism will need fine balancing for optimal results within the overall business strategy. This will be an ongoing exercise with no room for complacency at any stage. Risk owners will need to stringently meet deadlines and accountability will be non-negotiable. Each resource will need pro-active risk readiness at all times.
The basic philosophy of risk can and will never change. It’s the focussed remediation or mitigation that will matter. The Risk function will have to manage disruptions better to avoid extinction. Perform or Perish will be the mantra.
The Blog solely reflects the personal views of the author(s).