The impact of COVID-19 on enterprise-level risk management

Assessment of the COVID-19 pandemic management from a risk management perspective

Let's look at a current example: the government of country “A” does not dare to take the risk of quickly introducing vaccines from the pharmaceutical companies. In contrast, the government of country “B” chooses a different strategy: it allows an emergency introduction procedure for vaccines that look promising, bringing forward the date for mass vaccination significantly. While Country B's government is spending billions of dollars to finance the mass production of vaccines, Country A's negotiators are stubbornly insisting on low vaccine prices in price negotiations with pharmaceutical companies. In the current situation, Country A is achieving very expensive savings with this strategy: starting mass vaccination later will cost much more to maintain the prolonged closures than it will by negotiating prices and not funding drug research.

The example above is a modern-day lesson in the false assessment of risk and the incorrect response to it. Decision-makers need to assess risk and make the best possible decision more quickly and efficiently than ever before. What worked before with speed and risk management strategy may not work now that since the COVID-19 pandemic has broken out

- said György Kálmán,
Risk Advisory, Deloitte.

The new world of risk management

In the absence of appropriate risk management (GRC) infrastructure and strategy, it is difficult to understand the impact of existing risks and the new risks posed by COVID-19.

What does this mean? Many hope that Artificial Intelligence (AI) will provide the answers to these challenges. However, the science of predicting unpredictability is still proving to be a difficult task for AI. Before companies and governments can think about predictive analytics in risk management, they need to focus their efforts on cleaning and integrating risk management data.

A cautious approach should be taken to how a company harnesses the power of AI in risk management. First, it needs a risk management infrastructure. Its first and most important task is to harmonize risk management data across business units and processes. A comprehensive view of the risk landscape will help companies leverage GRC platforms and move them closer to predicting adverse events.

COVID-19 as an igniter in risk assessment

The epidemic situation creates not only a crisis, but also new opportunities to learn lessons. In my view, from a purely risk management perspective, COVID-19 will represent a shift towards more frequent risk identification and risk management. In the past, the lack of data was an obstacle to predicting adverse events; today, the necessary data is already available. This was the case before the pandemic outbreak, but the crisis and the increased digitalization that comes with it inevitably require better processing and understanding of data

- said Zoltán Szöllősi,
Director of Deloitte Risk Advisory.

There is no single technology solution at this stage of GRC evolution that provides a holistic view of a company's risks, regardless of how integrated the company is. Even companies that have successfully broken down the boundaries between processes have underdeveloped technology departments, or in many business areas have implemented best-of-breed GRC solutions that solve the specific problems of each department but do not provide a solution for the overall risk map. Thus, it remains a challenge for them to effectively use all the information they collect to get a 360-degree view of risk. This factor currently makes it difficult to effectively deploy AI in GRC technology.

A solution to this challenge can be to collect data from various GRC platforms, report management systems, ERP systems and many other solutions, load them into data warehouses and then use data analytics tools to support key risk management decisions.

The challenges of technology

For companies to truly benefit from GRC technology, they need to integrate GRC technology into their operational IT strategy if they have not already done so. On the flip side, the consequence of the current situation is that it also encourages companies to adopt technology that they have previously dismissed.

To successfully integrate GRC technology, companies also need to build an organizational culture and maturity around GRC technology. This may not seem difficult, but often-negative attitudes from employees make it impossible to implement GRC systems.

Lack of understanding of the GRC platform can lead to incomplete or over-defined GRC functions or data. Inadequate interpretation or omission of data from risk management analysis affects the algorithm used by GRC platforms to identify and assess risk events.

Therefore, it is of utmost importance to educate and inform both managers and employees about the role and functions of GRC platforms, as this helps to spread the common risk language and builds an internal risk-aware culture.

GRC vision

We still have a long way to go before GRC's technology platforms can really make use of artificial intelligence. So, let's not get too far ahead of ourselves, but focus on what is really important today in terms of leveraging GRC technology: eliminating the separation of business processes from a risk management perspective.

Staying with the COVID-19 example above, if the government of country “A” also looked at the vaccine situation holistically (not separately in terms of vaccine cost and the impact of economic damage from closures), it would make the decisions that the government of country “B” has made. Country “A” could spend hundreds of times more on drug research and funding higher vaccine prices. It would still be much cheaper than the cost of maintaining the closures. This is the current lesson of risk management for all of us.