What COVID-19 tells us about disruptive risks, and how chief risk officers can manage them
Friday, July 24, 2020
By L.A. Winokur
“I thought I had seen it all,” recalled Paul Fabara, chief risk officer at Visa, referring to previous financial crises that have taken place during his decades-long career at other credit card and financial services companies, as well as to what horrifically happened on 9/11 and the fallout from it.
However, he emphasized that the crises that came before can't compare with what companies have had to take on when it comes to COVID-19, “not by a long stretch.”
“The speed and breadth of this left us all gasping for air,” he admitted.
There is no question that the COVID-19 crisis has impacted the way risk professionals, and particularly CROs, do their jobs. One minute the world was going about its business; the next, everything seemed to change overnight.
When the pandemic hit, risk professionals were put on high alert. They immediately went into triage mode, tackling a plethora of new and pressing problems while temporarily pushing aside non-urgent work. And yet, ironically, the COVID crisis has also given risk professionals pause.
Risk Frameworks Put to the Test
“This crisis will test all of the enterprise risk frameworks that have been set up since the last crisis,” said Clifford Rossi, a former CRO, consultant with Chesapeake Risk Advisors, and Professor-of-the-Practice and Executive-in-Residence at the University of Maryland's Robert H. Smith School of Business.
Experts are encouraging risk managers to use this time for a risk management reset of sorts; to take stock and regroup. They are advising them to: reprioritize risks, giving non-financial risks a more prominent place on the radar screen; expand enterprise risk management programs to better reflect what is happening in real time; rethink risk management models, many of which came up short in this crisis; reassess what they need from risk managers in response to what has essentially been an ad hoc all-hands-on-deck mandate; and revisit reporting lines to make sure the right information gets to the right people.
Risk consultants are convinced crises like COVID-19 will come and go, but disruptive risks as risks to be managed are here to stay. Companies are perhaps facing an even tougher challenge as they prepare for an uncertain future.
The sooner companies come to terms with this reality, the better, consultants say.
This is “the new normal,” cautions James Lam, a Boston area-based consultant with James Lam & Associates; director at E*TRADE and RiskLens Inc., a cyber risk quantification company, and a former CRO at GE Capital Markets Services and Fidelity Investments.
“We've been evolving into a new normal for a while,” he explained. “The speed of risk has escalated at a rapid rate. Disruptive risks are risks we have to consider.”
Disruptive risks, of which COVID-19 is one, are no longer events that only happen once in a hundred years, he said. “It's the world we live in.” Lam lists technology (artificial intelligence, blockchain, and the Internet of Things), cybersecurity, climate change and geopolitical events as areas to watch.
Lam noted that in the 1990s, market risk management had to migrate to real time to account for global trading operations going 24 hours a day. However, with the pandemic, it's not just about market risk, but also “credit, operational, supply chain, third party and strategic risks, all changing on a continuous, real-time basis,” he said.
“The CRO and risk management are responsible for looking at and managing many of the most complex and challenging risks an institution has,” according to Edward Hida, a partner in Deloitte's Risk and Financial Advisory practice. Add a pandemic that significantly impacts the firm's ability to operate, and “it's not business as usual.”
“Customers are strained,” he continued. “The workforce is strained…It is all-hands-on-deck for the risk team and the CRO…They are working long hours with many different kinds of challenges.”
“The environment has changed, and because the environment has changed, the role of risk management has changed,” he said. “The aperture of risk management has widened.”
Fabara's experience with COVID-19 at Visa is testament to this. He noted that “in a nanosecond,” he went from “looking at key risk components” of the risk management framework to expanding this to include “a wide range of components.”
Pressure from Every Direction
The COVID crisis has made it difficult for CROs and others to know where to turn first when demands are being made from all directions.
It has also added to the workload.
Lam offered that he is currently working with three CROs - in healthcare, engineering and construction, and asset management. “There is a lot of stress and work they're responsible for,” he said, including “seven to eight Zoom meetings a day across different time zones; communications to the board and senior management, and managing teams remotely.”
He characterized the COVID situation as a “move from a risk management mode to more of a crisis management mode.”
Visa's Fabara recounted how in the first four weeks of the pandemic, “meetings related to crisis management increased.” The executive committee met twice a day, seven days a week and remained on stand-by to meet by phone or video at a moment's notice, the CRO said. Responsibilities also included keeping the executive committee and board updated and tracking the pandemic by staying on top of reports of COVID-19 outbreaks globally and the different rules and regulations over lockdowns.
And there's more. The CRO helped see to it that employees who were sent home to work remotely were not only safe, but well situated, right down to worrying about whether employees had “comfortable workstations and good, solid, reliable Wi-Fi.”
“It goes on and on and on,” the CRO volunteered. “It changed the way I had to deploy myself and my resources.”
A New Risk Playbook
A “primary focus” coming out of the pandemic is business resilience as a risk to be managed, according to Deloitte's Hida.
“We're seeing how risk can be transmitted from one form to another; …how a very severe public health event became an economic event,” he explained, adding it is “shaping how institutions and stakeholders - clients, regulators and others - look at risk management.”
Lam pointed out that every company faces potential crises and disruptions; that companies have to “think about the potential impact of disruptive risks on a continual basis.”
He emphasized that they also need to plan for it. Lam serves as a director of two companies, where he chairs the risk and audit committees, and works with several other boards as an advisor. He told Risk Intelligence that one of the boards - he declined to name which one - approved a pandemic management plan two years ago.
By “having the playbook, people trained, the plan tested [and] essential equipment,” he noted, “The company very smoothly went into a work-at-home environment.”
“Having that plan in place made the response [to COVID] much, much better,” he said.
This company has a best practice enterprise risk management program with scenario analysis and pandemic planning built into that framework, Lam shared.
Without an effective enterprise risk management program, he added, any company might otherwise be “fighting fires on a regular basis.”
Perhaps most significant of all, and key to a company's survival, is setting aside a “crisis reserve” and pricing for it, the risk expert advised, explaining that it is important that “the cost of risk is considered in how the company runs its business.”
“The cost of risk has increased in terms of expected and unexpected loss and estimates need to be revised upward,” he stated, and as a result, “the pricing of products and services, along with capital and liquidity plans, needs to be adjusted.”
He insists companies cannot operate “without having a buffer.”
Fabara, the Visa CRO, said that coming out of the crisis risk professionals have a “duty and responsibility” to ensure that companies have plans in place that are “real” and “very much plugged in to the current state of the business.”
Re-Thinking Risk Models
Risk professionals have relied on models to help them make assessments and predictions about risk. However, the pandemic has proven that these models in many ways missed the mark.
“We as a profession have embraced the analytical,” noted Rossi. “We still haven't figured out how to appropriately measure non-financial risks: operational, business resiliency, people, systems integrity [and] strategic risks.”
“These aren't easily modeled,” he said. Rossi was a risk manager on the front lines during the 2008 financial crisis as CRO for the Consumer Lending Division of Citigroup.
In an opinion piece published in early May in The Hill, Rossi wrote: “I spent the last major global crisis in the vortex of hell, surrounded by data and models that turned out to be misleading, trying to make sense of an unprecedented worldwide financial catastrophe.”
“It looked a lot like what's happening now in the grips of the coronavirus pandemic,” he continued. “Just as we did, they're leaning heavily on data for a problem the models can't comprehend.”
Rossi pointed out to Risk Intelligence, “At the end of the day,” the models are “only as good as the data that people feed into them.”
Risk professionals also continue to make the case that for enterprise risk management to be most effective, a company needs to support cross-silo communications, not to mention have a clear plan in place for how conversations get elevated to the C-suite and board.
“The CRO and the governance process are vehicles for the integration of risk to be elevated and vetted,” Rossi explained.
“The problem is two to three levels below where all the action of mapping risk on an integrated basis is happening,” the consultant continued. “The first line folks are embedded on the business side, and second line is corporate risk management.”
“Everybody lives in a silo with regard to their areas of expertise,” he added. “A company needs to have the ability to span across risks and see the impact of one on another. Companies today need to think first and foremost about risk integration points; the intersection of one risk with another.”
Creating a Risk Culture
“You can have the right infrastructure in place,” he cautioned, “but if the culture isn't there to support that environment, then game over.”
Lam also advocates for a corporate culture that makes it clear what is expected of employees when it comes to risk communications.
Companies need to have a “risk appetite statement and established risk escalation policy that is board approved and communicated to all employees,” he argues.
He also believes it is necessary for boards to have much better reporting from an outside-in and forward-looking perspective, rather than inside-out and backward-looking. That helps make board discussions more productive and useful, he said.
Boards also need to have oversight of the role of the CRO and the effectiveness of enterprise risk management, he added.
The days when boards “turned a blind eye to risk,” Lam mused, “I think those days are over.”
Calling COVID-19 “a Black Swan event that no one could have seen coming is a cop-out,” Lam said.
Lam believes companies can learn from COVID, much in the way that risk professionals learned from the 2008 financial crisis, after which banks built up risk management along with capital and liquidity reserves.
“It's a good thing,” Lam reasoned, “or we would have a public health crisis on top of an economic crisis on top of a banking crisis. We would be in a much deeper hole. That one helped prepare for this one. This one will help prepare for the next one.”
“We're still in the throes of managing through this situation, and expect more to come,” Hida, the Deloitte consultant specializing in risk, said.
“A number of folks have thought of the impact from the pandemic to be a precursor for what could happen with climate risk,” he shared. “Climate risk is getting more attention because of the magnitude of what happened with COVID.”
Rossi noted a lot “depends on how long COVID-19 sits around,” and on when companies are able to “size up the economic damage from a risk perspective.” “People will say, post-COVID, as they did after the 2008 financial crisis, ‘we can never let this happen again.’”
Putting a twist on an old adage, Rossi said: “Everyone gets religion when they're in the foxhole.”