The new age of risk

Risk managers are among the P&C insurance industry’s “winners” during the pandemic, based in part on the industry’s rapid response to the early stages of COVID-19.

A question about “industry winners and losers emerging from the pandemic” was put to Canadian P&C industry executives during a webinar panel discussion hosted by Canadian Underwriter early in the summer.

“One group that are real winners are risk professionals,” said webinar panellist Alister Campbell, president and CEO of the Canadian Property and Casualty Insurance Compensation Corporation (PACICC). “These are the risk officers in our insurance companies, the risk managers in our brokerages, who insisted that senior management spend valuable time, which they grudgingly conceded to do, [to prepare] a disaster recovery plan and a business continuity plan and keep it refreshed and updated.”

Indeed, the pandemic has reinforced what many in the risk profession have known all along — risk professionals play a crucial role in ensuring that their businesses are prepared for the unexpected. The pandemic has reinforced the need to have a proper business continuity plan in place, something that risk managers regularly ensured senior executives kept up to date just for situations like this.

“The business continuity [plan] has to be very quickly and rapidly adaptive to respond to pandemics. That is an important piece to take away from the pandemic,” says Ginette Demers, Montreal-based chairwoman of the RIMS Canada Council.

Throughout the pandemic, in the midst of a highly uncertain and fluid environment, risk managers have been updating their organizations’ business continuity plans. They are predicting emerging risks, and they are planning responses to new twists on existing exposures. They are identifying ways to transfer these risks, including a look at how insurance capacity and coverages are responding. And they are advising on how to protect their businesses going forward.

“Risk management has always been a critical part of any business,” Demers explains in an interview. “All businesses must manage risk to some degree, and now there’s a lot of risk associated with this pandemic.”

Not to mention risks that have increased thanks to the pandemic. One example is an escalating number of cyberattack incidents, as criminals try to take advantage of employees who are working remotely from home to avoid the spread of the novel coronavirus. A second example is the health and safety risk associated with businesses re-opening while the pandemic is ongoing.

“These risks, they’re not new risks,” Demers says. “But they can’t be managed ‘as usual.’ Playing the role of an advisor, and having a discussion with senior management, we now demonstrate the value of risk management.”

Risk professionals have always been valued, although some may question whether they were valued enough by those outside the P&C industry. In the corporate world, a risk manager might get called in to advise senior executives when something has gone awry, only to be dismissed back to their office until the next problem arises. Pre-pandemic, they have been characterized as ‘Debbie Downers’ who tell executives why they can’t do all the exciting things they want to do, or who spend all their time fretting about bad stuff that might happen.

“There’s this lingering notion out there that the risk professional will see and only focus on the threats — the bad things — as opposed to the good things that organizations need to be doing to grow value and impact in markets and communities they are serving,” says Monica Merrifield, strategic risk and innovation advisor to YMCA and NFP Leaders, and former chairwoman of the RIMS Strategic and Enterprise Risk Council.

For years, risk professionals have been pushing for an opportunity to sit at the executive table and directly advise senior leaders about what might happen, as opposed to responding to something after it has already happened. “Risk managers have long been known for our skills and significant contributions in protecting organizational value and helping leadership teams understand major threats to realizing their objectives, or what can stand in the way of achieving the kind of results that organizations desire,” Merrifield said.

In a sense, the pandemic has highlighted the risk manager’s skill at forward thinking. Nonetheless, the speed at which the pandemic hit caught even some of the most well-prepared businesses off-guard.

“The risk of pandemic was a risk that many companies had on their risk register,” says Jamie Gahunia, product marketing manager at Resolver, which provides cloud-based software for risk-related issues. “But COVID-19 emerged so rapidly that many companies hadn’t reviewed or tested their contingencies and business continuity plans recently. We weren’t completely unprepared for a business disruption of this magnitude, but it’s probably safe to say that most companies did not have it top of mind.”

As risk managers point out, in too many instances, once a business continuity plan is developed, it will be set aside and pulled out of the drawer only when needed. In a pre-COVID world, it might have been tested out just once a year. The world has changed now. “Once-a-year assessments are not going to be enough anymore,” Gahunia said while moderating a RIMS-hosted webinar, How to Stay Ahead of Emerging Risks.

Going forward, there will be other changes as well, although it’s not clear yet what those changes might be. It’s too early to tell, said RIMS webinar panellist Brian Link, CEO at Mobius One, a software company that helps non-profits with their enterprise risk management.

Businesses will likely feel long-term ripple effects on their operations as a result of the pandemic, including a shift in buying patterns.  The sooner organizations get a sense of those changes, the sooner they will get a handle on their emerging risks.

“That will be critically important,” Link says. “Capturing the lessons learned and then saying, ‘You know what? Thank goodness we’ve gotten past this largely. Now let’s taker another look at risk.’ And [corporate] boards, I think, will be demanding this. They’ll say, ‘We don’t want to get caught flat-footed again. So let’s take risk assessment really seriously now and use that to help ensure our strategy and associated risks have been identified.”

Link is hopeful that if companies start taking pandemic risk management seriously, it could lead to other areas getting some much-needed attention, like climate change. That makes for an exciting future for those working in the risk field.

“This is a great time to be a risk manager, absolutely,” Link says. “Right now, we’re in the heart of it. We’re in the eye of the storm. I think board members will start to demand better insights around risk. And so it is part of their fiduciary responsibility for risk management oversight.”

Facing a demand from their executives for better insights, risk professionals will need to be creative problem-solvers, Demers observes. They are already having discussions among themselves, sharing stories and strategies with each other.

“The risk management community is working together, sharing a lot of information about what they’re working on,” Demers said. The pandemic “has taught us to … push ourselves in [the corporate boardrooms] and show that we can provide the right advice.”