Risk Management Programs for the Post-COVID Environment

After a year spent managing increased business risks—including security, IT resiliency and cybersecurity concerns—business leaders need to adjust their mindset when it comes to risk management and avoid the more traditional approach to crisis management and business continuity planning. The past year has also changed the inherent risks companies, both globally and here in the U.S., now face as they seek to navigate the intersection of geopolitical uncertainty and ensuring continuity of business operations.

During this time, it’s critical that business leaders remain flexible when planning for the post-COVID-19 environment as ever-evolving variants remain an increasing concern across the globe. With this in mind, security leaders must work alongside C-suite executives to rethink how security and resilience teams can best integrate and align to support the core business more effectively—from the strategic goals through to operational and tactical objectives. The following are considerations for business leaders as they navigate this new operational environment.

Business Leaders Must Update Traditional Risk Management Programs

Risk management programs that previously relied on outdated models and response frameworks for pandemic response and recovery efforts must now take a new approach to planning and management. Additionally, the pandemic has created a new urgency to ensure that risk management programs are cohesive across the entire organization and that they are optimized by data, metrics and technology, following a recent trend of aligning risk management programs under the same function or management structure.

It’s critical that functions across the organization recommit to working together to combat risks. That’s primarily because an incident such as a cyberattack has the potential to impact the operations of the entire business. One way businesses can do this is by ensuring that each organizational function—whether it’s HR, legal or IT, for example—shares data that details cross-functional dependencies across the business. This sharing of information and data will, in turn, enable the transparent measurement of program maturity via robust metrics and reporting visualized in real-time dashboards.

Risk Management Programs Must Be Flexible

One of the most important lessons from the past year is that an effective approach to all-hazards planning and procedures enables the business to remain agile in its response and recovery, so that it is prepared to manage any incident that may impact it. Indeed, most business leaders didn’t plan on a global pandemic upending their organizations. From a preparedness perspective, program owners and response teams must maintain a level of operational flexibility in their planning by broadening their perspective on possible risk scenarios while engaging in horizon scanning via a program that integrates multiple sources and is driven by intelligence gathering and reporting. In a post-pandemic world, the need to better understand current events and how they impact your business will play a critical role in assessing risks while ensuring an effective forward response to actualized threats to the organization.

In addition to having a better understanding of the world around us, de-escalation is also a critical piece of any risk management program. Traditional risk management assumes that actualized threats and acute crises can be managed in every stage of an event using the same command and control protocols throughout the life cycle of a crisis. COVID-19 and political unrest over the past year have demonstrated in the harshest terms the need to create frameworks and risk management playbooks that are agile, well-communicated and understood. This in turn enables a scalable approach that allows for efficient escalation and de-escalation to better manage the limited resources dedicated to operational risk management activities.

IT Resiliency Must Be Incorporated

While companies found themselves able to work remotely and even to thrive operationally during the pandemic, the need to ensure the absolute protection of IT infrastructure and the data it holds has never been clearer. We’ve seen attacks on large-scale businesses—the Colonial Pipeline attack being the most notable—that demonstrate in stark terms how critical it is that business leaders incorporate cybersecurity protections into their risk management programs. As employers consider their long-term hybrid work strategies as part of their rebound, they must integrate IT and digital risks into all aspects of the discussion around protecting the business.

In reviewing the three areas of focus above, we see that in today’s environment, the key to getting—and keeping—your organization on the right foot is ensuring it is equipped with the capabilities and tools to continuously scan for emerging threats, to anticipate what’s coming next, and to provide the relevant information needed to make the right decisions and take decisive action. By ensuring that the approach to risk management and the operational plans that support it are up-to-date, flexible and address cybersecurity threats, organizations will be prepared for the next phase of work.

Ammi Small

Ammi Small is a Principal in Control Risks’ Crisis and Resilience Consulting practice. He is based in New York City and brings over 18 years of experience working both in-house and as a consultant across sectors and industries including technology, financial services, manufacturing, insurance, pharmaceuticals and government institutions.
