• What happens if the coronavirus expands and becomes a pan-Asia crisis?
• What do we do if our supply chain in large parts of Asia is threatened?
• Does potential market upheaval have the potential to threaten critical capital projects?
• Will this disrupt R&D that relies on technical research taking place in the region?

As troubling as these questions are, there is a wider view that is potentially even more unsettling.

The curse of living in interesting times

“May you live in interesting times” is a proverb that was supposedly intended as a curse upon enemy states. Recent events demonstrate why that should not be considered a blessing. Houston endured a 500-year flood three years in a row. Preemptive power shutdowns last year in Northern California illustrate the effects of colliding risks (wildfires from extended droughts and inadequate energy infrastructure) on the business environment. Geopolitical risks with far-reaching ramifications (from the unknowns of Brexit to the escalating tensions between the U.S. and Iran) are mushrooming.

Applying a traditional approach to enterprise risk management in such turbulent times could lead to disastrous results. Fortunately, the coronavirus crisis offers three valuable lessons that could help all organizations be much better prepared to face similar challenges.

1. The wisdom of crowds

To illustrate how dangerous it can be to rely solely on estimates provided by experts, author James Surowiecki uses a classic example in his book The Wisdom of Crowds. Asked to guess the weight of a cow, individuals from crowds of fairgoers did so more accurately, and with greater consistency, than professional butchers. In an article written not long after the publication of Surowiecki’s book, Dave Pollard extends this concept to risk management.

Pollard takes issue with the Davos World Economic Forum’s Global Risk Report for that year, which had the potential for pandemics listed as a 6% likelihood at the time. “The likelihood of a pandemic, for example, as anyone knowledgeable about the topic will tell you, is more than 6% in the next decade,” he writes. Pollard argues that the root of this faulty estimate lies in the limited number of people involved. “Instead of asking so-called experts, get the ‘crowd’ to make the call. Average out their predictions, and you’re likely to have a much more accurate assessment of both the likelihood and severity of different types of risk than the ‘experts’ at Davos could hope to muster.”

Not just a crowd, but a diverse crowd

To form an accurate estimate, crowds need one key element to be successful — diversity. Surowiecki explains the rationale this way: “Diversity and independence are important because the best collective decisions are the product of disagreement and contest, not consensus or compromise.” University of Michigan professor Scott E. Page even constructed a mathematical proof to demonstrate the role diversity plays. He concludes that “a diverse crowd will always be more accurate than its average member, not sometimes but always.”

What this lesson teaches us is that to be prepared for the next coronavirus, organizations need to rely on crowds (specifically, diverse crowds) to power the enterprise risk identification and assessment process. That means it needs to be relatively easy to manage the process of asking a larger number of resources to participate, and it also needs to be easy for them to respond.

Takeaway: Assess how easy it is for your organization to broaden and diversify the risk identification and assessment process.

2. “We don't rise to the level of our expectations, we fall to the level of our training.” ― Archilochus (frequently quoted in Navy Seal training)

Being aware of these potential emerging risks accomplishes little on its own. To mitigate the risks that, seemingly overnight, can threaten operations and strategic goals, effective response plans must also be developed. Unfortunately, many organizations view this as a simple checkbox exercise designed to produce a document and then return those participating back to their day jobs as quickly as possible.

This approach leads to response plans that may be functionally useless at exactly the moment when they are needed most. In the Deepwater Horizon crisis, for example, only a single page (out of 600) in BP’s emergency procedures were dedicated to “source control” or how to stop the flow of oil. In court, BP was accused of having “... nothing more than a plan to make a plan.”

Two halves of the process

Creating a functional plan (and a process to keep it up-to-date) without overwhelming the plan’s authors is only half of the challenge. The other component is training and testing. Reliance on resources that are missing, instructions that are ambiguous, or procedures that simply cannot be executed will just as surely lead to failure as having no plans at all. Training and testing are the only way to overcome this. The Information Management article 7 tips for Stress Testing a Disaster Recovery Plan notes the importance of making this a strategic, enterprise-level process:

This is worth restating: disaster recovery is a whole-business effort. That means your DR plan must work for the whole business, the whole business must participate in stress testing, and the plan and testing schedule you develop should depend on the needs, budget, and risk tolerance of your business as a whole.

Because of that, there’s no single way to do it. The key is just to do it and keep doing it so that you’re always ready for something to go wrong."

Takeaway: Disaster recovery plans need to be more than a checkbox exercise. Enterprise-wide training and testing are critical components to success.

3. It’s all related

In an age of highly interrelated risks, an approach that attempts to manage risks despite the presence of silos is likely to struggle. When cross-selling activities at Wells Fargo created a crisis, one potential contributing factor was a fragmented approach to addressing risk silos. As the Risk & Insurance article Wells Fargo, Reputation and the Wisdom of Crowds notes:

At Wells Fargo, Reputation Risk is under the purview of the Corporate Responsibility Committee; Enterprise Risk is under a separate Risk Committee to whom the Chief Risk Officer is also attached; Ethics/Business Conduct Risk is under the Audit Committee, and Compensation Risk is under the purview of Human Resources Committee.

With each group looking at only one portion of the risk, it is easy to lose sight of the big picture and the cumulative risk associated with it. With a risk like SARS, MERS, or the current strain of the coronavirus, which can span many different organizational units simultaneously, maintaining the high-level view is essential.

Linking business continuity with enterprise risk

One way to break down silos and foster that big picture assessment is to view the operation of a disaster recovery or Business Continuity Management (BCM) process itself as one input of an ERM program. In this perspective, BCM (or internal audit, compliance, or any GRC function) is essentially a top-level internal control used to mitigate associated enterprise risks. Linking these functions, which are typically siloed, with shared risk data and control testing plans helps unite the enterprise. It can also help to ensure the big picture never gets lost. Integrated GRC is not just a buzzword. It represents the idea that sharing data is the only way to truly overcome silos.

Takeaway: The success (or failure) of each individual integrated GRC component can affect the success of ERM just as any other control would, so they need to be linked.

The right recipe

It takes a different perspective to plan for rapidly emerging risks like the coronavirus. Integrated GRC technology that helps you tap into the wisdom of crowds, prepares your organization to rise to the level of your training and testing, and eliminates the traditional silos that cripple effective enterprise risk management is an essential building block for ensuring your organization is ready for dramatic shocks to business that, in an unstable world, are sure to come.

See for yourself how to make your organization ready for the next big risk. Request a demo of Origami Risk today.