Drive a Connected GRC Program for Improved Agility, Performance, and Resilience
Power Business Performance and Resilience
Discover ConnectedGRC Solutions for Enterprise and Operational Resilience
Explore What Makes MetricStream the Right Choice for Our Customers
Find Everything You Need to Build Your GRC Journey and Thrive on Risk
Learn about our mission, vision, and core values
Remember the Y2K or the Millennium bug that had the entire globe on tenterhooks 20 years ago? Businesses were in combat gear, all prepped to take on the calamitous technical glitch that were to make the world fall apart on the midnight of December 31, 1999. However, except for a few blips on the radar, nothing really happened. Back then, it was the case of “known unknowns,” where the world was aware of an impending risk. Fast forward to Year 2020 - an absolute bolt from the blue and a case of the “unknown unknowns” that sent businesses in every corner of the world scrambling for cover. Forget about preparation, no one could even fathom what had hit us. Risk-taking capabilities and business sensibilities were put to their ultimate test. We all know how crippling the past several months have been for the air travel industry in particular as a result of the pandemic. However, while the rest of the industry struggles to keep its head above the water, Southwest Airlines has gone on an expansion drive.1 While this may be seen as a huge gamble by many, few see this as an “opportunistic” mindset that could turn the tide for them. It is a classic example of how risks can be perceived and how one could be opportunistic in a positive way to deal with it.
Decision making at the top and the risk-taking prowess of organizations have been the cynosure of all eyes in the post-pandemic world. The one thing that the COVID-19 crisis has taught us is, it is not the “imagined risks” but the unimagined and unprecedented ones that put our mental and organizational strengths to acid tests. The psychology of the organization, that is brought to life by the psychology of those at the helm, is what defines how prepared we are to not just face crisis but to take it on. The better part of the “best practices” playbooks were thrown out of the window after the pandemic brought the world down to its knees, exposing how big a role psychology plays in risk-management behavior. We always knew misplaced perceptions of risks can land organizations in deep trouble, but little did we think of the value of foresight and the skill in this respect that risk managers need to master. In the past nine months, we have also learnt that accuracy of risk assessments does not hinge merely on past crises experiences. A nuanced understanding of what could be the likely risks tells organizations how well scaffolded their risk perceptions are. There is a pressing need to change risk perceptions – both individual and collective – in this new normal.
After the pandemic the world has changed and, with it, the way risk management programs need to be designed. The mindset of risk professionals, their attitude toward risks and their ability to craft forward-looking risk management programs will redefine the role of psychology in comprehending and managing risks.
Let us understand how each of these actions will help risk managers of the post-pandemic world change their risk perceptions. And, let us also understand what needs to be done to get there.
Remember the safety warning on side view mirrors of vehicles that says, “objects in the mirror are closer than they appear?” That’s exactly what happened in the year 2020. When Ebola, SARS and H1N1 flu came knocking, we ignored the caution on the side view mirror. But then the COVID-19 crisis has shown us all that risks can’t get any closer than this. So, for starters, we need to unlearn and undo our understanding of what could comprise organizational risks and what could be the new face of operational, cyber, credit or fraud risks. Present and imminent dangers take up way more mind space, no doubt. However, while we look at the side view mirror, we also need to peruse what lies on the road ahead.
So, what are the psychological hurdles we need to cross to be prepared with future-ready risk management programs? What are the things we need to undo and unlearn as organizations and as risk managers? We can steer clear of psychological pitfalls and ace a robust risk management strategy in a post-pandemic era by:
With this in mind, risk managers today need to define an integrated risk management strategy that provides a holistic view of an organization’s traditional and emerging risks. It requires significant changes in people, skills, processes and technology. It is almost impossible to breathe life into such an integrated risk management strategy without leveraging on new age technologies. To better consolidate risk-related data, usher in changes in risk accountability, redesign and rethink risk management programs, adoption of Artificial Intelligence (AI), Machine Learning (ML) and data analytics is imperative. Intuitive dashboards and cognitive technologies help track risk patterns. These, if used in tandem with advanced analytics and Robotic Process Automation (RPA), can help simulate possible risk scenarios and prepare a roadmap to deal with future crises. Organizations can also unlock the value of predictive analytics to stay a step ahead of the evolving risk landscapes. AI-enabled chat interfaces can help businesses capture data automatically. To bring all of this under one umbrella, an Integrated Risk Management (IRM) program creates room for faster decision making. A unified IRM system can help identify, assess, manage and mitigate multiple risks at the same time.
In a world that needs to be prepared for all kind of eventualities, diverse and innovative thought processes are more the need of the hour. Biases too can skew the perception of risk managers. Be it information bias, confirmation bias (by looking for validation of our views), status quo bias, anchoring bias (by making decisions basis the first thing we see) or the hindsight bias, risk managers need to rise above these to adopt a more dynamic view of likely risks. Biases can provoke missteps and wrong responses to risks. The time relevance of a risk is also an important factor in designing risk management strategies. Often something that has occurred more recently assumes a larger significance and risk managers may overlook what other crises could follow. For instance, at this time all attention is on fighting the pandemic and bringing a well-tested vaccine to the market so that it can be business as earlier, but there is also a looming risk of cyberattacks on the supply chain of pharma companies as the buzz around the vaccine grows. Risk managers of pharma companies, therefore, need to sense forward and build possible risk scenarios that their organizations may have to counter and control in the days ahead.
Exposure to certain usual kind of risks that we had seen up until now (known unknowns) can tilt the cognitive behavior in a certain predisposed direction. However, one of the key lessons from this pandemic has been that organizations may not have the luxury of going down the familiar path. The new operational risks could be completely unknown and unfamiliar territory to tread on. And, risk professionals must, therefore, realign their psyche to the new reality. The “first-hand knowledge” of risks from here on may be very different from the prior first-hand knowledge of risks. In an evolving crisis like this one, the winning behavior will be one that can build innovative resilience, deal with competing priorities, adopt an experimental approach and train the mind for real-time risk management.
As organizations now gear up to face new cyber storms amid growing use of cloud systems and remote working systems as well as digitization of business operations/processes, new security cultures and customized controls will have to be created for all lines of businesses. The instinct of the risk professionals here will be key, especially with respect to weighing the consequences of the risk.
The pandemic, greater reliance on technology and growing business complexities make it necessary for organizations to imbibe a culture of risk awareness by looking at the gaps that exist. Technology, of course, has its play at both ends – while it makes the organization vulnerable to increased risks, it also helps control risk escalation. Risk identification, reporting and mitigation become a reality when an organization has the buy-in of the top management and the employees. How well we manage risks is a function of the perception we have of it. As risk professionals adapt to the new landscape, they need to work at the intersection of data and new techniques of risk assessment. Use of more data not just to arrive at accurate assessments, but also to weed out cognitive biases will be the skill to master. One other thing that risk managers must take in their stride now is that the channels of information may either be different or may not be there at all as future risks may be novel in nature. They may have to choose short-sprinted solutions over well thought out responses. Risk levels will have to be recalibrated as would the mindsets to circumvent them. Greater reliance on technology and higher degree of automation will rationalize risk perceptions.
A forward-looking risk management strategy depends not just on how well tamed the psychological responses are, but how well tuned in they are to suit the risk assessment needs of the post-pandemic world. The art is in embracing the chaos.