Why do policies and procedures exist? They provide a road-map for the smooth day-to-day operation of business activities. They can provide guidance on how to be compliant with laws and regulations, ensure sound customer and business outcomes, help to streamline decision-making, and generally make business activities as trouble-free as possible. In both normal times and uncertain times, policies and procedures seek to give all employees support in the carriage of business activities.

The current COVID-19/coronavirus social and economic crisis is, however, putting to the test existing, proven and robust policies and procedures in all organisations. The normal operational rhythm has been disrupted, and new ways of operating many business activities are being developed in real time. Many business activities that have operated unchanged for many years are having to be redesigned and reshaped.

Risk managers are now asking themselves many questions: Should we continue to operate our existing enterprise risk or operational risk management frameworks (‘risk frameworks’) unchanged in this environment? Do we temporarily pause our existing risk framework for a while? Do we continue to operate our risk frameworks ‘as is’ but acknowledge the significant disruption to normal activities? Do we need to rewrite our risk frameworks to reflect an extended period of disruption?

Will ‘normal programming’ resume shortly – as the television service message used to say?

The goal for organisations of any size should be to have a dynamic, living and breathing set of operational protocols, policies, and procedures. These should enable a dynamic and flexible approach to doing business that readily flexes and adapts to a changing external and internal environment. The coronavirus crisis, however, is putting to the test the ability of organisations to adapt to a dramatically changing environment.

As has been stated many times, this crisis is unprecedented. Few governance and risk management frameworks can have contemplated the extent of disruption being experienced. Accordingly, risk managers must put aside any desire they harbour to continue ‘business as usual’ without making adjustments that reflect the changing external environment. A fresh approach (and clear head) is needed.

Key activities and priorities for operational risk and compliance managers in this period of significant disruption will include:

Deferring any low priority or non-essential operational risk activities. Existing risk and governance frameworks, reflecting compliance and regulatory requirements, require a range of scheduled periodic activities. This will include, for example, annual or biannual product reviews. Risk managers should look to have many of these deferred to free up the business unit and risk resources for more urgent, higher priority activities.

Liaising closely with internal governance forums and regulators to discuss and agree on revisions to approved governance frameworks in this period. Regulators have already demonstrated significant flexibility in deferring or suspending the legislative agenda and regulatory change projects. All internal and external stakeholders recognize this period is not ‘business as usual’.

Focus on supporting business functions and activities that are being significantly redesigned in response to the crisis. These business functions will have a very different operating model for an extended period. Seek to quickly complete abridged risk assessments so that business changes can be quickly implemented (or even defer completion of the risk assessments until shortly thereafter). Look to redirect operational risk resources temporarily or permanently from business activities that are substantially quieter (or have ceased to operate) in this period.

Maintain strong oversight of key compliance and customer outcomes. All financial institutions will need to continue to ensure that expected customer outcomes are delivered in this period. Financial institutions now see record levels of financial hardship across their consumer and business loan portfolios. In addition, new arrangements are being quickly designed and put in place. High priority needs to be given to ensuring these are robust processes – an important role for compliance and operational risk managers.

Look to bring forward automation and process efficiency initiatives that can support a leaner and more nimble organisation. It will be necessary to cancel or defer many initiatives that may disrupt critical business activities or cannot be funded due to profitability challenges. However, there will be some initiatives that can help the organisation operate more effectively and efficiently in this period. These should be reprioritized and brought forward.

Review management reporting to governance forums and business partners to ensure focus on business-critical activities that have already been disrupted. Risk committee members and executives will want to understand the changing risk profile of the business.

Conduct a review of material third party arrangements. Risk managers and internal stakeholders should be urgently seeking to identify any suppliers, vendors or third-party business partners that have been impacted and/or may be encountering financial stress.

Monitor the impact of restructuring and downsizing. The short-term financial impact of the economic shock of the coronavirus will inevitably lead to significant cost-cutting. It will be incumbent on risk managers to ensure that nothing ‘slips between the cracks’ in this period, and that the organisation is fully aware of the changed risk profile post-restructuring. Risk management functions themselves will also be the subject of restructuring. This will all require significant change management and operational risk support.

A new rhythm will need to be developed for an extended period of disruption ahead. Once the external environment begins to normalize – and it is unlikely that it will return to its previous state – a new operating model may need to be developed for risk governance.

In the medium to longer term, the priorities of both the risk management function and the organisation will likewise evolve. The lasting effects of the coronavirus crisis are not yet known, however there will undoubtedly be significant medium and long-term change for many businesses. For example, those with extensive outsourced and/or overseas operations may look to reassess this operating model. Organisations will inevitably be looking to adopt greater automation – continuing a trend evident for many years.

In summary, normal programming is unlikely to resume in the short, medium or long term. The challenge – and opportunity – for risk managers is, however, unchanged. They should seek to assist and guide their respective organisations through what will be an extended period of change and disruption.


This article was first published on the website of GRC Solutions on 3 April 2020.

#operationalrisks #enterpriseriskmanagement #coronavirus #pandemic