Crisis management – predictable unpredictability?

If any internal auditors have not yet been directly affected by the coronavirus then they and their organisations must be operating in the kind of isolation normally reserved for those on the International Space Station. In the three months after the first case was identified in December in the city of Wuhan, around 100,000 people were infected and more than 3,000 died as the virus quickly spread beyond China. Soon almost every country had cases and many were coping with disastrous outbreaks, stretching medical facilities to the limit.

Governments, initially slow to react, started to bring in stringent measures with increasing speed. Stock markets crashed and the economic hit became alarmingly clear. Within just a few days, airlines and holiday and leisure companies warned of imminent disaster as they were forced to shut down and lay off vast numbers of staff. International borders closed, flights were cancelled and tourist attractions from Alpine ski resorts, to the Louvre museum in Paris, New York’s Broadway theatre district and the centre of Rome, closed for business. Global sporting events were cancelled and governments told whole populations to stay at home. The financial implications spiralled out ever further as component supply chains collapsed and customers stopped spending.

 

At the time of going to press, the only thing that is clear is that we are not yet at the height of the pandemic and the global economy will suffer huge consequences. In March, the Economist Intelligence Unit cut its global GDP growth projection for the year from 2.2% to 1.8%, but just a week or so later this figure was already seen as laughably optimistic. By the time you read this, things will have moved on, one way or another, significantly – but the eventual outcome may not be much clearer.

Outside wartime, the kind of restrictions and drastic measures that governments have taken to control the pandemic are unprecedented. Elections have been postponed and normal life has, in many places, ground to a halt. It’s tempting, therefore, to see its impacts on organisations as similarly unprecedented. However, that’s not quite accurate.

First, it was not wholly unexpected. We have already seen two global pandemics involving respiratory viruses in recent years: SARS (severe acute respiratory syndrome) from 2002-04 and then H1N1, or “swine flu”, from 2009-10. As attendees at the Chartered IIA’s Leaders’ Summit in March were reminded, the risk of an infectious disease pandemic was listed in tenth place in terms of impact on the World Economic Forum’s “Risk Index 2020” (although its likelihood was ranked lower). Second, although Covid-19 is more pervasive than its predecessors and has a higher case-fatality rate than seasonal flu, that does not necessarily mean it will put all businesses under stresses they have not previously endured.

Howard Mannella, managing principal of Alternative Resiliency Services Corp, says that when companies evaluate risks they should resist the tendency to think about causes and instead focus on the effects these causes are likely to have on their operations. “There’s always going to be something new – the next virus, cyber attack, geopolitical threat – but the impacts on business are also always going to fall into a few predictable categories,” he says. These include supply, people, locations, assets, technology and reputation (or SPLATR for fans of acronyms).


Bought to tiers

One of the most common of these six pain points for businesses, as it relates to Covid-19, is supply chains. Even before the pandemic, the ongoing trade war between the US and China had already prompted large organisations such as Apple, Microsoft and Google to consider pulling some of their manufacturing out of Asia’s largest economy in favour of factories in Vietnam, Thailand and other nearby markets. Coronavirus has accelerated those plans, with flagship products such as the Google Pixel 4a being produced in Vietnam since April. 

Solving supply chain disruptions is far from straightforward. Professor Michael Essig of Munich’s Bundeswehr University estimates that an average multinational company has 5,000 direct, or tier-one, suppliers. Each of these has an average of 250 tier-two suppliers. This means a multinational has around 1.25 million suppliers, an inventory that is impossible to track in full. However, it is important that businesses understand the concentration of risk in their supply chains as best they can and put proportionate contingencies in place to prepare for potential crises and the likelihood that key suppliers will be forced offline.


Operational resilience

Last December, the UK’s Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) issued consultation papers on new requirements to strengthen operational resilience in the financial services sector. The public consultation will close in the autumn. Among the proposals, they recommend that firms set “impact tolerances” for each of their critical business services and conduct mapping exercises, identifying and documenting the people, processes, technology, facilities and data that support those business services.

Another of their recommendations is for firms to carry out “lessons learnt exercises” so that they can identify, prioritise and invest in response and recovery capabilities in order to bounce back from unforeseen incidents as quickly and effectively as possible.

This is sound advice for businesses in all sectors and is an area where the third line of defence can come into play. “One of the things that internal audit brings to this table is the reminder of the lessons to learn and not just the lessons from your own organisation, but from across your sector or particular geographical location – particularly if you’re in an organisation that is diversifying, relocating and acquiring and merging with other companies,” says Liz Sandwith, chief professional practice adviser at the Chartered IIA.


Reasonable predictions

Learning from past mistakes and adapting operations is one thing, but is it possible to prepare for the unknown? Unlike commercial businesses, humanitarian organisations such as the Red Cross must run towards the fire when crises strike. Increasingly, the charity is taking a risk-centric approach to its missions by pre-empting developments before they emerge.

“The Red Cross is omnipresent and historically dealt with issues as they occurred with emergency responses. But the organisation is realising there’s a lot it can do to predict disasters,” says Anthony Garnett, director of internal audit and investigations at the International Federation of the Red Cross and Red Crescent Societies. “We have something called ‘forecast-based financing of humanitarian action’. The idea is that you forecast the finance you will need to respond to something in advance. You pre-position goods and experience in the relevant geographies by making reasonable predictions about where crises will occur, so there is the capacity to respond quicker, better and more cost effectively.”

One area where this approach is well suited to help is in forecasting famine. The organisation can analyse meteorological forecasts to see where and when droughts are likely to occur, and how deep the shortages are likely to be and for how long. The charity can then put the personnel and resources in place to respond. “That also involves thinking about climate change and the impact of climate change on communities,” says Garnett.

There’s little doubt that climate risk is increasing. Climate-related weather events are becoming more common, whether you’re affected by the recent devastating bushfires in Australia (made 30 per cent more likely by climate change, according to research from World Weather Attribution), or repeated storms and flooding in the UK’s 2019-20 abnormally wet winter.

Technology can help to improve both the accuracy of forecasts and the way we model the consequences of crises. The UK government announced in February that the Met Office will spend £1.2bn to acquire the world’s most powerful climate supercomputer. Once in service, this will not only generate better forecasts, including rainfall predictions, but will help emergency workers to deploy mobile flood barriers, balance the energy grid and help industries to brace for the impact of extreme weather.


Small steps matter

However, it’s not enough to improve the way you identify emerging risks unless you also drive action by convincing the board or management to take specific steps, says Ian Beale, vice-president of advisory at Gartner and a former audit and risk director. Rather than just thinking about probability versus impact versus velocity of risks, he says we should pay more attention to what Gartner calls “low-regret responses”. These are the low-cost, incremental measures that would not fully mitigate a risk, but would benefit the company even if a given risk never materialised or had only a limited impact.

One example is nationalisation risk in overseas markets. Businesses with operations in countries where there is a possibility that the government will commandeer assets should, of course, keep on top of political and public sentiment and look for early indicators that the risk of nationalisation is rising. These might include warning signs such as subsidies being awarded to local competitors or increasing rhetoric against foreigners. “That company could then revisit its branding and see what it can do to emphasise that it’s a company with the nation’s interests at heart,” says Beale. “So it’s not seen as a UK company operating a factory and making profits, but as a local business that understands the market, has been there for years, pays local taxes and employs local people. The company may also choose to recruit more locals into management roles.”

At a time when all the news is focused on the alarming rise and consequences of Covid-19, it is worth remembering that this is an extreme case of a well-known risk. No one predicted this particular illness; however, pandemics, like other disasters, have happened before and will happen again. Most businesses will be affected, some far more seriously than others; however, it’s important we all learn the lessons from this experience and look at whether these could help to make organisations more resilient to crises of all kinds in future. It’s also worth remembering that small actions can often better prepare businesses for high-impact, low-probability risks than drastic, costly measures. The worst option is to learn nothing and do nothing.


Biases and fallacies

Humans and, by extension, businesses are not good at determining and prioritising risk. “There are a number of cognitive biases that impede our understanding. We’re built to be blind,” says Howard Mannella at Alternative Resiliency Services Corp, who gives talks on “black swans”, disaster management and operational resiliency.

Here are a number of biases relevant to risk management that should inform internal audit’s understanding of how businesses identify – and misidentify – their key risks.

The Gambler’s Fallacy:
The false belief that if a particular event has occurred frequently in the past then it is less likely to occur again in future, even if such events are statistically independent.

The Anchoring Fallacy:
The tendency to over-rely on past information and events to make present-day judgments. Businesses and internal audit must counter this bias by factoring in emerging threats and global trends. “The only guarantee is that the next event will be different from the last,” says Mannella.

Normalcy Bias:
The bias towards believing things will always function the way they have normally functioned, leading to the underestimation of the probability of disasters and their potential effects. This is particularly relevant today as, for example, climate change risk surpasses levels businesses have seen at any point since the industrial revolution.

Zero-Risk Bias:
The tendency to prefer the total elimination of a risk to a higher overall reduction across a threat surface. Given choices for actions or controls to reduce risk, people are likely to select an action or control that eliminates a five-point risk over one that results in a one-point reduction across six risks.

Availability Bias:
The tendency to overestimate the risks of prominent or publicly visible occurrences, such as plane crashes or abductions. “How many companies still have policies prohibiting multiple executives from flying together?” asks Mannella. “Now, how many companies have no policy on executives sharing a car, where the probability of an accident or casualty is far greater?”

The Texas Sharpshooter Fallacy (also known as the “false cause fallacy”):
This occurs when data or outcomes are either ignored or overemphasised to fit a pre-existing hypothesis. “This is relevant because many executives point to an event’s outcome and use it to justify whether their investment or non-investment in operational resiliency is warranted,” says Mannella.

Further reading:

The institute’s blog on “Business resilience and crisis planning”.

“Building the UK financial sector’s operational resilience”

This article was first published in May 2020.