Risk Management Has No Finish Line
Life is full of risk management lessons. It’s a topic we broached earlier this year in my post, COVID-19 One Year Later: We Are All Risk Managers Now. From risk tolerance to risk assessments, monitoring, and mitigation, I talked about how the past year had been a masterclass in risk management with the terms of the trade going mainstream.
Months later, the COVID-19 pandemic is still teaching us about risk management. Earlier this summer, as we optimistically thought the pandemic was finally under control and we began opening up, many of us drew breaths of relief, removing masks to gather with friends and family, taking long-deferred trips, and returning to a life that was much closer to normal.
Now many people are rethinking their decisions. The arrival of the Delta variant, a more contagious strain of the virus, concerns over breakthrough infections, and increasing cases and hospitalizations all represent a change in circumstances—and these changes may cause individuals to adjust how they choose to respond to the pandemic in their everyday lives.
Risk assessments must be ongoing
It’s an important reminder that risk management doesn’t have a finish line. Risk management is an ongoing effort to understand and adapt to the threats and opportunities in the world around us.
First, we identify the risks. These risks have remained relatively constant throughout the pandemic. There is risk related to illness, the economy, and other socio-economic issues.
What has changed is the likelihood and impact of the risk (aka the inherent risk). For example:
- The likelihood of an unvaccinated individual contracting COVID-19 is greater as a result of the Delta variant.
- The impact of contracting COVID-19 for unvaccinated individuals seems unchanged.
- The likelihood of a vaccinated individual contracting COVID-19 seems greater than originally thought, but is less than it was before that individual could be vaccinated.
- The impact of contracting COVID-19 for vaccinated individuals is reduced as they are far less likely to be hospitalized or die.
What does this mean for risk? Different people will interpret this information in different ways, but the one thing they should all have in common is using new information to continually reassess risk. As new (and sometimes contradictory) information has become available throughout the pandemic, it’s been necessary to regularly assess risk. Relying on old assessments (based on old information) means failing to make decisions based on current circumstances. That may cause a person to expose themselves to far more or less risk than they ordinarily would.
Risk mitigation during COVID-19
It’s also important to consider residual risk, or the risk that remains after controls are considered.
Once inherent risk is reassessed, if risk has significantly increased or decreased, a person should adjust their mitigation controls accordingly. Some people might choose to change their masking habits or stance on socializing indoors after they reassess the risk environment. Others might be comfortable with the status quo. That’s okay—as long as it tracks with their latest risk assessment.
Without updating the risk assessment, a person may be relying on controls that are too strong, too weak, or that have been found to be ineffective.
Risk appetites and risk tolerances for COVID-19
Given the same information, not everyone will respond to risk the same way. Each person has their own risk appetite, or the amount of risk an entity is willing to take on. They also have their own risk tolerance, or how far from their risk appetite they are willing to stray.
While risk appetite helps guide decision-making, that doesn’t mean risk appetite can’t change. As circumstances change and new information becomes available, a person may become more or less comfortable with risk.
For example, with the pandemic stretching on longer than many thought it would, pandemic fatigue can start to set in. What seemed like reasonable accommodations for the short term (such as not seeing beloved family members or staying home from work), may not be tenable for the long term. As a result, a person or entity might decide to take on more risk. This increase in risk appetite is a result of assessing new information and adapting.
They also might choose to keep their risk appetite unchanged. That’s also okay if they’ve considered new information that might make it beneficial to adjust their risk management strategy going forward.
The never-ending risk management cycle
Risk assessments are not a one-and-done exercise. They are an ongoing project—one that requires attention not just on a regular basis, but also when there are significant changes to the operating environment (whether internal or external).
Relying on old, outdated risk assessments is like not having a risk assessment at all. Or even worse, it’s like building your institution’s strategy on assumptions that are no longer true. You wouldn’t forecast financials based on inflation data from two years ago, and you shouldn’t make strategic decisions based on old risk assessments either.
Risk management is a cycle that doesn’t end. Even if you stop assessing risk, the world will keep changing. Your risk assessments need to change along with it.
Topics: Risk & Compliance