When it came to predicting the coronavirus pandemic, which has spread worldwide since the first case was detected in China on 17 November 2019, few businesses have covered themselves in glory. Somehow, the disease went unnoticed by even the most sophisticated risk management frameworks and outside sectors like healthcare and pharmaceuticals, few firms can honestly claim to having seen the Covid-19 pandemic coming.
Fiona Salzen, a former Deloitte partner who is a trustee of the British Council, said: “I very much doubt that a global pandemic was on anyone’s risk list. A pandemic is the ultimate ‘black swan’ — a once-in-a-generation event — which is why we ended up being so unprepared.”
Charles Bellringer, former chief financial officer of Equitable Life and Friends Provident, says: “Many CFOs thought the disruption was going to come from digitization, but they were solely worried about additional competition. Very few saw the disruption coming through a pandemic.”
The pandemic has now spread to more than 180 countries and caused at least half a million deaths worldwide, of which some ten per cent have been in the UK, which prime minister Boris Johnson put into lockdown on 23 March.
As with all the other lockdowns and social distancing measures worldwide, this has caused a collapse in demand, an economy which is for the time being on life support, as well as predictions of significant recession, high unemployment, and rising inflation.
American businesses appear to have been marginally more alert to the possibility of a pandemic than their peers in the UK and Europe. According to research by Jordan Schoenfield, associate professor of accounting at Tuck School of Business, Dartmouth College, 46 per cent of S&P 500 companies had pandemics (or related risks such as diseases or health crises) among their risk factors as of January 2020.
Yet Schoenfield still noted that American “managers systematically underestimated their true exposure to pandemics.”
One British company that appears to have got things wrong from a risk management perspective is the Associated British Foods subsidiary, Primark. The fast-fashion retailer has long eschewed having any e-commerce presence, though it does have a website for online browsing only.
During normal times, the model worked well, and may have increased footfall in its stores. However, once lockdowns kicked in, and the company was forced to close all 373 of its stores in the UK, Europe and the US, the lack of a secondary sales channel caused monthly revenues to collapse from £650 million to zero, causing thousands of Bangladeshi workers in its supply chain to lose their jobs. When Primark reopened its continental European stores in May and June, like-for-like sales were down.
Ready for an earthquake?
Bryan Foss, a former IBM executive who is visiting professor at Bristol Business School and an adviser to boards, believes that businesses which had planned for other dramatic events such as earthquakes are likely to have been better prepared. He said firms based in active earthquake zones such as Jakarta had mitigation plans in place – including plans for letting staff work from home and online selling. “They would at least have drawn up responses to cope with something of this magnitude.”
Likewise, boards that included directors with direct experience of recent Asian epidemics like SARS and MERs are likely to have had pandemics on the radar than homogeneous European boards.
Chris Burt, principal of Halex Consulting, co-founder of the Risk Coalition, and an ICAEW fellow, said: “More diverse boards, for example with some people from an Asian business background, would have been more likely to have recognised the risk.”
Around the time Britain went into lockdown on 23 March, the immediate priorities for most businesses included cash preservation, switching staff to home-working, ensuring the resilience and robustness of their IT systems, and evaluating and applying for various government support and job retention schemes introduced by chancellor Rishi Sunak.
Ironically there’s even risk in applying for these. For example firms that ‘furloughed’ thousands of staff might be storing up negative press coverage if planning to sack those workers once the furlough scheme ends.
Foss says a good test here is to apply the “Daily Mail test” – imagining how their use of the government scheme might look on the front page of the British tabloid newspaper.
Firms also needed to check members of the board risk committees were up-to-speed with remote working and high-tech communications methods. He also says board risk committees may need to be spruced up with additional diversity of skills, experience or thought, from the wider board and external sources.
To navigate their way through the next stages of the crisis, which may after all linger for longer for some time, especially if there is a “second wave” of infections, firms are going to have to further reconsider their risk management function.
Most experts agree it needs to be fully plugged into the operational side of the business and not just discussed in a perfunctory manner at board meetings. Salzen says “You need to avoid it becoming another back-office, bureaucratic, compliance-type function.”
Foss said the risk appetite should be set for the long term, tied in with the corporate purpose and viability, widely communicated throughout the business, and used as an active decision-making tool. If the risk appetite statement ends up as “shelfware” – a governance requirement that is left to gather dust, only updated annually, and only pulled down occasionally to satisfy auditors or regulators – that would be a waste of everyone’s time.
Burt says a better approach is to treat the risk-appetite statement as “a living, breathing, working document that’s consulted and challenged in every board meeting and is part and parcel of decision-making”.
Dodging a risk management Exocet
For Foss, who is also on the board of the Financial Reporting Council, the Covid-19 crisis is a wake up for risk management.
“A practical assessment of whether your firm’s risk governance from board to front-line remains fit for purpose might include: whether the key risks were foreseen, whether they were effectively mitigated, minimised or avoided – and whether other preparations including crisis management worked well,” says Foss.
“Instead of spending 80 to 90 per cent of their time looking at current risks, and only 10 per cent assessing emerging risks with external stakeholders, I predict that corporate boards and board risk committees will in future spend 50 per cent of their time on emerging risks and 50 per cent on current risks. That reduces the likelihood of an Exocet missile that you couldn’t anticipate coming over the horizon.”
Citing the example of a manufacturer of aero-engine parts which has decided to shrink to 40 per cent of its former size and repurpose its business after demand for its products evaporate in March, Foss says many businesses are switching to structures that are leaner and more digital – turbocharging digitization and other trends that were already underway.
But as firms rapidly metamorphose, he warns they also need to reprioritize where risks sit. “If your business is moving very rapidly online, the issue of cybersecurity goes straight to the top of the risk agenda.”
The last four decades have seen many businesses take on excess debt, rely on globalised supply chains, and offshore IT to developed countries such as India – in the pursuit of shareholder value they have prioritized efficiency over resilience. But in the process they also mae themselves more vulnerable, especially to global systemic risks they hadn’t planned for.
Halex Consulting’s Burt expects most of these trends to go into reverse post-Covid. “If you take a step back and ask, and look at what could happen in a pandemic situation, offshoring IT, for example, doesn’t look like such a good idea.”
There is a danger that firms are now so preoccupied with Covid-related they take their eyes off the ball and ignore looming threats such as Brexit and climate change.
Bellringer, now a member of the audit and risk management committee of NHS Resolution, said: “There has been some chatter that businesses will start to wind back their ESG because of the costs they incurring on the pandemic. That’s worrying.”
Salzen predicts the pandemic will make businesses more risk-averse and change attitudes to debt. “We’ll definitely see a drawing in of horns and a rush to safety but, ultimately, if you want to stay in business you’ll have to take risks. It’s going to be extremely difficult and extremely challenging.”
What CAs should do
Burt says the first thing any chartered accountant wishing to help their organisation navigate the scylla and charybdis of post-Covid risk should do is to read the Risk Coalition’s “principles-based, readable and implementable” ‘Raising The Bar’ guidance.
Secondly, he urges all chartered accountants to ensure clients’ and colleagues’ risk management strategies and appetites genuinely permeate their organisations, providing forward-looking information that aids management decision-making. He also recommends researching financial and business history in order to get a better grip of the potential pitfalls.
Foss urges chartered accountants not to become so bogged down in financial risk they miss the wood for the trees. “A narrow focus on financial risk is one of the biggest problems facing British business today. At Carillion and Patisserie Valerie, was it financial risk issues that drove them into the ground? Or were their boards particularly bad at risk management?”
A version of this article was published under the headline ‘Why and how to revise your risk management‘in the July 2020 edition of ICAEW Quarterly