While IRM’s initial Covid-19 survey showed that most risk managers were serving their organisations well during the pandemic, sectors are responding differently, according to an additional report compiled by IRM’s regional and special interest groups.

The articles in the document show how each industry surveyed responded to the initial shock of the pandemic and share the key lessons learnt.

“A core principle of risk management is to learn from experience and improve; there will be lessons from the experiences of dealing with the challenges of Covid-19 which will result in improved resilience and better risk management in the future,” Iain Wright, CFIRM, IRM Chair says in the introduction to the document. “Professional risk management will deliver the resilience that organisations will need to emerge and recover from the pandemic crisis, the role of the risk manager has never been more important.” 

Key lessons

While the lessons learnt may be unique to individual sectors, the report also has advice that could benefit any organisation. For example, the IRM Charity Special Interest Group (SIG) said that:

  • An increased emphasis on continuity planning, IT testing and training is important. How quickly and successfully you respond to a crisis is often down to having a process for making decisions at pace
  • Smaller charities will benefit from access to greater support on continuity planning from sector bodies and others
  • Regular communications are vital to ensure stakeholders understand the response. Regardless of size, understanding your stakeholders is critical and our website contains a useful guide to Stakeholder Mapping.

Maria Singende, IRMCert, risk manager at Barclays Bank, and Keith Webb, director of consulting, business risk at Xcina Consulting, both of the IRM Financial Services SIG, said that there was a series of lessons to be learnt:

  • Alterations to resilience plans and the testing of them. This includes preventative measures and the capabilities in people, processes, technology and culture
  • A greater understanding of the dependencies around third parties and the sensitivities in relation to resilience strategies. This includes a clear understanding of key business activities and accurately identifying the key risks and mitigation strategies
  • The need to ensure there are effective frameworks to identify risks, set minimum expectations for controls, and plan for critical systems and processes failing eventually
  • The importance of maintaining adequate liquidity and having diversified portfolios
  • An understanding of the importance of front office activities, and the ability to quickly adapt to protect assets, employees and customers, ensuring there is a good balance between automation and manual activities
  • The need for highly skilled people with diverse specialisms and professional qualifications that bring pragmatic approaches to solutions.

New ways

Michael Bartlett, co-chair of IRM’s Risk and Complexity SIG, said that professional Enterprise Risk Management leaders were well placed to consider how the Covid-19 experience might suggest a new way of risk management thinking.

“We can acknowledge that current methods which focus on a team’s subjective identification and evaluation of risk do not effectively consider generic risks or complexities and interactions,” he said. 

An alternate approach would be a blend of three components: 

  • A generic risk profile based on project characteristics 
  • A specific set of true causal risks identified by project experts but evaluated by risk experts 
  • A model of cumulative impact that reflects that the interaction characteristics of risks are far more influential than the discrete items themselves