Beyond COVID-19 Risk Management: The Need to be Solid as a ROC (Risk Operations Center)
Written by Atul Vashistha & John Bree
COVID-19 will go down in history as an epochal event: a pivotal point after which business will probably never operate or function quite the same again. For risk professionals, Covid-19 is requiring a sustained effort to monitor and manage all risk actions and is laying bare the need for all enterprises to have a sustainable rapid risk response mechanism. What does this mean for the future of risk management? We must think beyond the immediate crisis and look to enhance our ongoing risk management operations.
The threat of a global pandemic is not new. In May 2006, the Homeland Security Council issued the National Strategy for Pandemic Influenza Implementation Plan. The chapter devoted to Continuity of Operations urged the private sector to plan with the assumption that up to 40% of their staff may be absent for periods of 2 weeks or longer at the height of a pandemic wave. The report further elaborated that in addition to those who are incapacitated by the virus itself, absences may be due to employees under voluntary quarantine, employees caring for ill family members, or employees simply feeling safer at home. Ironically, absenteeism that many businesses are currently facing due to workers mandated to stay home as a result of government restrictions was not included. Unfortunately, most companies did not heed the recommendations of this 2006 report and were largely ill prepared for a large percentage of employees and contractors to work remotely when the COVID-19 pandemic did arrive.
We believe that COVID-19 is a watershed moment for business. A turning point from which managing business disruption risk should never be the same. Many companies will recognize this in hindsight, but we urge you NOT to treat this outbreak as an anomaly. In our current interconnected business ecosystem, it is unlikely to be the last disease outbreak with global business ramifications. On top of that, add the increasing likelihood of other catastrophic natural disasters like extreme weather events or geo-political events with global impact and thus the need for a new risk management model is evident.
In a crisis like COVID, enabling employees to effectively work remotely is just the tip of the iceberg. It’s become clear because of COVID that the impact to business is not limited to a specific area. It is impacting the entire organization, from the way companies provide instructions, enable people to work, enable third parties to meet contractual obligations, deal with absenteeism, technology shortcomings and much more. This isn’t simply a HR and Technology issue of protecting employees’ health and enabling secure remote working capabilities. When all is said and done, it will involve every aspect and business function within a company.
Any serious disruption or crisis requires immediate attention, whether it has arrived or is imminent. But situations like COVID are novel. This crisis is constantly changing if not by the hour, by the day. COVID is not an incident that happened in the past, like an earthquake or storm, and we simply have to react to a single event. COVID lives in the present, future and is changing every day much like a chain reaction. This situation is new and different and cannot be treated as a routine emergency. Specialized, experienced and expert thinking is critical. These types of crises unfold faster than we have experienced, and companies need a dynamic nerve center to be able to respond effectively.
Unlike others who propose setting up a COVID specific center, we are thinking beyond this crisis and are proposing a permanent Risk Operations Center (ROC) that can be staffed up or down as the risk environment requires but is always functioning, planning, acting and ready to react instantly to risk changes or an actual crisis. The nerve center that is only activated when a crisis reaches a certain threshold is reactive by design. We believe treating risk mitigation in a reactionary manner is a mistake. By the time you re-establish the nerve center you have lost critical time to collect data and make timely mitigation decisions. You will be behind the eight ball so to speak instead of ahead of the curve.
Risk Operations Center (ROC)
We believe the answer is a proactive risk identification, management and mitigation response program with a ROC at the center, comprised of the following components:
The Listening Post is the nerve center of the ROC and collects data and intelligence on all risk types and categories that matter to your businesses. The data collection must be dynamic in that it is real-time and continuous. Additionally, it must take a multi-vector approach and be applied against a broad framework of risks. The process and system validate the truth in data obtained from multiple sources. The Listening Post can be automated; however, a combination of automation and Subject Matter Expert type analysts offer the best solution. When there is a confirmed risk event or validated change in risk, an alert is issued.
A suggested risk framework should include at a minimum, monitoring the following risks:
Relevant and validated information has to be routed to the right people depending on the type and the level of risk. A workflow tool could be a Governance, Risk & Compliance (GRC) platform or Incident Management System.
The Response Center is staffed with Intelligent Digital Technologies, Analysts and Crisis Managers. Their job is to quickly assess the intelligence collected for relevance to the organization. The analysts trigger actions to be taken, both internal and external, and provide guidance to the relevant business functions and manage the Incident to closure. For instance, the circumstances might warrant an internal BCP activation or perhaps a BCP activation at an external third party.
The Response Center would focus, at a minimum, on one or more of the following workstreams depending on the current situation:
- Progression of the incident or issue
- Workforce: availability, location, communications, etc. for both internal and third parties
- Technology: availability, capacity, access, security, etc.
- Location Health: geo-political, legal, financial, scalability, macro-economic, infrastructure, business, quality of life
- Financial Health: real-time financial reports* plus added stress scenarios
- Authorities: actions, restrictions, rules, compliance, coordination
- Facilities Health: access, capabilities, policies, etc.
- Third-Party Health: financial, cyber, people, client, solutions maturity, and governance, regulatory & compliance
*During a dynamic crisis such as the current COVID pandemic, it’s more critical than ever that financial reports are updated with real-time intelligence. Financial reports that rely on static and historical point-in-time data have extremely limited, if any, value when managing risk during a fluid crisis situation. For many third parties, we anticipate their financial health and even the health of their people to deteriorate in the coming months. This necessitates continuous monitoring and not one-time assessments.
Whatever the action taken, it’s important to know what is working and what is not. In the previous example of a BCP activation, results would need to be fed back into the workflow tool. There may be triggers and notices of what needs to be done in the next stage. It’s important to know what alternative actions are available in case something isn’t working. Multistage After Action Reports (AARs) are a critical component of the Feedback Loop.
Now that you understand the need for a ROC and what’s inside the ROC, the next step is how to set up a ROC. That will be the subject of our next article on this topic.
In the meantime, please read an article Supply Wisdom published recently, Responding to Coronavirus 2019 (COVID -19): Business Continuity and Resilience where we provide guidance and best practices. Since 2012, Supply Wisdom has been monitoring location-based and third party risks around the world and alerting our clients to these risks of disruption in real-time, including those controlled by Mother Nature (who we like to refer to as the Ultimate Regulator) such as natural disasters, extreme weather, and even disease outbreaks. For years, we have been evangelizing the critical need for businesses to monitor location-based risks to minimize business disruption risks.
Supply Wisdom’s Location and Third-Party Disruption Alerts Related to COVID-19 Available for Free
All COVID-19 alerts from Supply Wisdom, which are usually subscriber only, are now available for free on our website. Please visit:
About the Authors
Atul Vashistha is recognized globally as one of the leading experts on global business services, sourcing and risk. Atul was named to Consulting Magazine’s “Top 25 Most Influential Consultants” and “Top 6 IT Powerbrokers”. He is the founder and Chairman of Supply Wisdom and Neo Group. Supply Wisdom is a leading real-time and continuous risk intelligence and monitoring solution used by the largest banks, health care, insurance and others such firms to manage third party and location risks. Atul serves on the Shared Assessments Board of Advisors and is also the Vice Chairman of the Defense Business Board at the USA Department of Defense.
John Bree is Chief Evangelist for Supply Wisdom. Prior to joining Supply Wisdom, John held senior positions in New York, Tokyo, Singapore and London for Citi and Deutsche Bank covering corporate, investment, commercial and consumer banking operations. John has managed global staffs and corresponding budgets in multiple locations and delivered cost efficient and operationally effective programs ensuring compliance with local and global regulatory requirements. Through interaction with Business Units, Internal Audit and regulatory agencies, John resolved MRIAs, MRAs and Findings, on time and without penalty. John is a member of the Shared Assessments US and UK Steering Committees and Co-Chair of the Financial Industry Vertical Strategy Group. He has authored numerous articles and blogs on Third-Party Risk Management and Governance in the Digital era.
To read our next article where we will detail how to set up a ROC (Risk Operations Center), subscribe to our blog.