COVID-19 Makes a Strong Business Case for
Enterprise Risk Management
November 18, 2020
Contributor: Rob van der Meulen
Many companies pay lip service to ERM, but the COVID-19 pandemic shows the clear business
benefits of managing risk from an enterprisewide perspective.
As the coronavirus spread beyond China, some organizations responded swiftly to news of even
one or two cases among employees, suppliers or clients; others took a more wait-and-see
approach. The disparity likely stems, at least in part, from different approaches to enterprise risk
management (ERM) — and reaffirms the business case for methods, processes, response
thresholds and actions to protect enterprise goals, earnings and capital.
For many companies, ERM has become a check-the-box activity during the decade-long period
of economic growth, but the coronavirus pandemic clearly shows the need for attention and
rigor.
“ Gartner research shows that an agile response occurred far more often when
clear processes already existed”
“The biggest problems with a pared-down, formulaic approach to ERM often don’t emerge until
it’s too late,” says Matt Shinkman, Practice Vice President, Gartner. “Complicated flowcharts
and in-depth policy manuals intended to guide escalation decisions during a crisis are often
difficult and time-consuming to follow; they aren’t a substitute for an effective ERM function.”
Effective ERM
Gartner research shows that the most effective ERM programs require:
An agile “impacts-based” approach to create crisis escalation procedures.
A business leader responsible for monitoring for a specific type of risk who gives clear,
simple guidance about when it is appropriate to escalate risk information to the crisis
management team.
Coronavirus is exactly the type of fast-emerging risk with uncertain consequences that can be
ignored until it's too late for traditional escalation procedures to be effective. When reports of
lockdown came from China, most organizations in the West had weeks to act on this information
but chose to wait and see.
“ Coronavirus may have drawn executive attention on ERM, but it’s crucial they
understand that the business benefits extend far beyond”
�In this scenario, the threshold for escalation is too high because it relies on a trigger where
operations have already been badly affected. Better-prepared companies responded to news of
minimal spread and rapidly drafted contingencies before the situation deteriorated much further.
Gartner research shows that an agile response occurred far more often when clear processes
already existed to report and escalate absences or issues due to infectious diseases. In other
words, a proactive ERM team had already set the threshold for escalation quite low to account
for the potentially extensive consequences of the risk if no action occurred. Line management
also felt empowered to raise the issue and this led to swift and effective mitigation.
Read more: Stress-Test Your Business Continuity Management
Aligned risk management
The key to delivering effective ERM is to ensure that business executives contribute to
evaluating and defining the enterprise risk appetite. This also ensures that ERM can assign risk
ownership at the highest level of organizational decision making.
This view clarifies and formalizes the enterprise position that certain risks, such as a pandemic,
are threats to strategic objectives like business growth. Leaders can then agree in advance that
however remote a risk might seem, its emergence will trigger decisive and quick action to
mitigate the effects — driven by a predetermined team of owners and actions.
“ Initiatives with timely risk management are more than twice as likely to
completely satisfy senior stakeholders”
Aligning ERM with strategy also positions an organization to take certain risks to seize
opportunities that might otherwise be missed.
“Risk is like cholesterol, there are good and bad kinds,” says Shinkman. “The bad kind manifests
in wrongdoing or poor decisions, but the good kind helps an organization to take bigger, riskier
growth bets — which is the single biggest differentiator of profitable growth.”
Opportunity costs
More than simply avoiding downside risk such as coronavirus, an agile and effective ERM
function empowers an organization to take the right risks to grow. A 2019 Gartner review of
strategic initiatives in 388 organizations showed a significant opportunity cost where risks are
not surfaced and mitigated in a timely fashion.
In fact, strategic initiatives were delayed 1.26 months on average in a year by untimely risk
management. For a product launch at an average $5B market-cap company, this amounts to $99
million in opportunity cost.
Effective risk management is also closely correlated with several other important business
outcomes. For example, initiatives with timely risk management are more than twice as likely to
�completely satisfy senior stakeholders or be completed ahead of schedule. Moreover, they are
almost twice as likely to come in 5% or more under budget.
“Coronavirus may have drawn executive attention on ERM, but it’s crucial they understand that
the business benefits extend far beyond avoiding a crisis,” says Shinkman.
