When it came to predicting the COVID-19 pandemic, few businesses displayed Nostradamus-like levels of foresight. Somehow the risk went unnoticed by even the most sophisticated risk-management frameworks and few, if any, British companies or organisations outside sectors such as healthcare and pharmaceuticals can honestly claim they saw it coming.

Fiona Salzen, a former Deloitte partner who is a trustee of the British Council, says: “I very much doubt that a global pandemic was on anyone’s risk list. A pandemic is the ultimate ‘black swan’ – a once-in-a-generation event – which is why we ended up being so unprepared.”

Charles Bellringer, former Chief Financial Officer of Equitable Life and Friends Provident, adds: “Many CFOs thought the disruption would come from digitisation, but they were solely worried about competition.”

American businesses appear to have been marginally more alert to the possibility of a pandemic than their peers in the UK and Europe. According to research by Jordan Schoenfield, Associate Professor of Accounting at Tuck School of Business, Dartmouth College, 46% of S&P 500 companies had pandemics (or related risks such as diseases or health crises) among their risk factors as of January 2020. 

Yet Schoenfield still noted that American managers “systematically underestimated their true exposure to pandemics”.

Bryan Foss, a former IBM executive who is visiting professor at Bristol Business School and an adviser to boards, says businesses that had planned for other dramatic events such as earthquakes are likely to have been better prepared. Firms based in active earthquake zones had mitigation plans in place – including plans for home-working and online selling. “They would at least have drawn up responses to cope with something of this magnitude.”

Likewise, boards that included directors with direct experience of recent Asian epidemics like SARS and MERS, are more likely to have had pandemics on their radar than homogeneous European boards.

Chris Burt, Principal of Halex Consulting, co-founder of The Risk Coalition and an ICAEW Fellow, says: “More diverse boards, for example with some people from an Asian business background, would have been more likely to have recognised the risk.”

Around the time Britain went into lockdown, the immediate priorities for most businesses included cash preservation, switching staff to home-working, ensuring the resilience and robustness of their IT systems, and evaluating and applying for various government support and job retention schemes. 

Ironically there’s even risk in applying for these. For example, some companies that furloughed thousands of staff might be storing up negative press coverage if they are planning to sack workers once the furlough scheme ends. Foss says it’s worth applying the ‘Daily Mail test’ – imagining how their use of the scheme might look on the front page of the British newspaper.

Companies also had to check that members of the board risk committee were up to speed with remote-working and high-tech communications methods. Membership of the board risk committee might now need to be supplemented with additional diversity of skills, experience or thought from the wider board and external sources, Foss adds.

To navigate their way through the next stages of the crisis, which may, after all, linger for some time, especially if there is a second wave of infections as feared, companies are going to have to further reconsider their risk-management function. 

Most experts agree it has to be fully plugged into the operational side of the business and not just discussed in a perfunctory manner at board meetings. Salzen says: “You need to avoid it becoming another back-office, bureaucratic, compliance-type function.”

Foss says the risk appetite should be set for the long term, tied in with the corporate purpose and viability, widely communicated throughout the business, and used as an active decision-making tool. If the risk appetite statement ends up as “shelfware” – a governance requirement left to gather dust, only pulled down occasionally to satisfy auditors or regulators – that would be a waste of everyone’s time. 

Burt says a better approach is to treat the risk-appetite statement as “a living, breathing, working document that’s consulted and challenged in every board meeting and is part and parcel of decision-making”.

For Foss, who is also on the Financial Reporting Council's audit and assurance council, the COVID-19 crisis is a wake-up call for risk management. “A practical assessment of whether your firm’s risk governance from board to frontline remains fit for purpose might include whether the key risks were foreseen, whether they were effectively mitigated, minimised or avoided, and whether other preparations including crisis management worked well.

“Instead of spending 80% to 90% of their time looking at current risks and only 10% assessing emerging risks with external stakeholders, I predict corporate boards and board risk committees will in future spend 50% of their time on emerging risks and 50% on current risks. That reduces the likelihood of an Exocet missile that you couldn’t anticipate coming over the horizon.”

Citing the example of an aero-engine parts manufacturer, which has decided to shrink to 40% of its former size and repurpose its business after demand for its products evaporated in March, Foss says many businesses are switching to structures that are leaner and more digital – turbocharging digitisation and other trends that were happening anyway. 

But as companies rapidly metamorphose, he warns they also need to reprioritise where risks sit. “If your business is moving rapidly online, the issue of cybersecurity goes straight to the top of the risk agenda.”

The last four decades have seen many businesses take on excess debt, rely on globalised supply chains, and offshore their IT to countries such as India in the pursuit of shareholder value, prioritising efficiency over resilience. In the process they also make themselves more vulnerable, especially to global systemic risks they hadn’t planned for.

Burt expects most of these trends to reverse post-COVID-19. “If you take a step back and look at what could happen in a pandemic situation, offshoring IT, for example, doesn’t look like such a good idea.”

There is also a danger that firms are now so preoccupied with COVID-19 related issues they take their eyes off the ball and ignore looming threats such as trade agreements after Brexit and climate change. Bellringer, now a member of the audit and risk committee of NHS Resolution, says: “There has been chatter that businesses will start to wind back their environmental, social and governance policies because of the costs they’re incurring on the pandemic. That’s worrying.”

Salzen predicts the pandemic will make businesses more risk-averse and change attitudes to debt. “We’ll see a drawing in of horns and a rush to safety but, ultimately, if you want to stay in business you’ll have to take risks. It’s going to be extremely difficult and extremely challenging.”

1. Make risk a standing agenda item at every board meeting.

2. Prioritise where risk sits in the organisation. Risk management has to be tied in to the operational side, rather than be a back-office function.

3. Set risk appetite for the long term and bind it to the corporate purpose and viability. Communicate it widely and use it as an active decision-making tool.

4. Review the make-up of your board but specifically risk committees to ensure diversity of skills and experience.

5. Read The Risk Coalition’s Raising The Bar (riskcoalition.org.uk), which is “principles-based and implementable,” says Burt.

6. Ensure clients’ risk strategies permeate their organisations, providing forward-looking information that aids decision-making. 

7. Research financial and business history for a better grip of the potential pitfalls.

8. Don’t become so bogged down in financial risk that you miss the wood for the trees. “A narrow focus on financial risk is one of the biggest problems facing British business today,” says Foss.