Business risk is defined as the exposure a company or organisation has to factor(s) that will lower its profits or lead it to fail. Essentially any circumstances that inhibit a company from meeting its financial goals and business targets qualify as a business risk. Traditionally, business risks emerge from internal or external sources and affect businesses directly or indirectly. Some risks are quantitative (such as financial risks); the rest are qualitative risks (those related to operations, compliance, technology, strategy and reputation).

Businesses make money because they take risks. However, the risks undertaken by an organisation must be proportionate to its complexity and type. Having said that, it is misleading to think that we know and understand all risks around us. To believe that we can manage all of them is an illusion. In the current scenario, the best example is the outbreak of the COVID-19 pandemic.

COVID-19: A new business risk category

COVID-19 has emerged as an unusual business risk. Nobody had imagined the scale and intensity of its impact. It is affecting organisations directly and indirectly, qualitatively and quantitatively. The outfalls of the pandemic, such as lock-downs, remote working and misinformation, have qualitative implications and quantitative implications on businesses and industries. For instance, the lock-down period resulted in furloughs and lay-offs. The sudden call for remote working led to a large number of employees to operate in unsecured environments. This, in turn, has led to an unprecedented spike in cyber attacks

. Even as businesses reopen, they will be working in the new-normal where social distancing is the norm. The factor will affect their efficiencies and productivity.

Further, the fear of contagion will persist until a vaccine is developed and reaches the masses. Simply put, the pandemic has compelled organisations to deploy their best wartime leadership strategies. It has hunkered down businesses, forced them to operate with the bare minimum resources and led to retrenchments.

It has compelled businesses to rework their solutions to suit the new world order. It has provided an impetus towards digital transformation. At the individual level, there is an increased focus on well-being and psychological welfare. The quarantine period has provided opportunities for knowledge management and up-skilling. Once COVID-19 is behind us, and we are finally peaceful, many organisations will redefine their vision to suit the new world order. They will build teams with new calibers, conduct themselves with a renewed sense of responsibilities and embrace new risks that they face in the new environment.

Organisations will find the risk management framework encapsulated in this article to be a useful tool to mitigate COVID-19 related risks and quickly return to the path of recovery.

The nuances of risk management

Risk management is a structured manner in which organisations can protect themselves from downside risks. The discipline of enterprise risk management (ERM) refers to an integrated and joined-up approach of managing risks across an organisation and its extended network. It involves identifying hazards, assessing potential implications, developing and implementing responses for mitigation and establishing a risk monitoring process (refer Image).

An effective risk management framework involves four stages viz. risk avoidance, risk reduction, risk transfer and risk acceptance. The likelihood of contagion impact could be reduced by removing the risk at source, i.e. by washing hands for 20 seconds regularly. The risk of loss could be shared or transferred between stakeholders through strategies such as insurance. Finally, organisations need to accept the risk because the cost of mitigating or managing the risk is more than the perceived impact or loss. The risk of waiting for a COVID-19 vaccine can be far more expensive than the cost of road transit insurance of finished goods or individual coverage. It is hence, wiser for organisations to invest in insurance than await the vaccine.

Stakeholders in an organisation’s risk management strategy implementation

An organisation’s board of director is primarily responsible for its risk management strategy. The board is responsible for:

· Development of the organisation’s business strategy and its approach to risk management

· Risk appetite articulation through the approval of risk tolerance levels

· Deciding the risk governance structure and mitigation framework

· Approval of risk policies at all levels

· Review of risks highlighted by the delegated authorities

· Risk reporting to stakeholders and compliance disclosures

In executing these responsibilities, they are supported by the entire leadership ecosystem, which includes all the organisation’s CXOs. Besides, they have dedicated monitoring committees to oversee the potential business risks, including the risk management committee, audit committee and risk units at individual levels.

A prudent risk management strategy can prove to be advantageous for an organisation in multiple ways. It can protect financial and reputational losses, ensure effective utilisation of resources, protect the organisation against disruption as well as avoid threats such as e-frauds. By achieving these objectives, a well-thought-through risk management strategy promotes business sustainability and boosts stakeholder confidence levels.

COVID-19 has brought to the fore the significance of a well-established and comprehensive risk management strategy. Organisations should learn lessons from this crisis to build resilience for the future.