I agree We use cookies on this website to enhance your user experience. By clicking any link on this page you are giving your consent for us to set cookies. More info
Amanda Aponte, FCAS, MAAA, Vice President & Chief Risk Officer, SFM Mutual Insurance Company
Your company just survived a full[1]scale, rapid implementation of your Business Continuation Plan (BCP), so what’s next? It’s time for your Enterprise Risk Management (ERM) team to jump back into action with interim interviews of leaders focused on how COVID-19 has changed the business.
A risk interview is a process by which a facilitator, often from the risk team, meets with leaders individually to talk about threats to their business area. In the case of COVID-19, many companies were shut down or forced to quickly move employees to home offices while at the same time adjusting to extraordinary economic pressures. This has forced high-velocity changes to the risk landscape. Your risk team can start these conversations with a review of the business area’s risk register, providing the following questions in advance.
• What new risks have emerged in your area?
• What are you doing about it (risk speak: what new controls have been implemented to mitigate)?
• Is this new risk or control temporary or permanent?
• Have any existing controls been compromised due to disruptions or changes in the business process?
If you are an insurance entity, consider asking about specific areas of disruption that are known.
• Underwriting has standard coverage been challenged or broadened by regulators or legal decisions?
• Claims haveCOVID-19’s health, economic, or social impacts introduced new kinds of claims or changed the frequency or severity of standard claims?
• Investments are you getting timely information on other-than-temporary impairment concerns?
• Communications is the readership of your publications receiving their physical mail, or would they be better served by pivoting to digital distribution?
• Human Resources how has employment leave been affected by the Families First Act (FFA) and the Coronavirus Aid, Relief and Economic Security (CARES) Act? Has this caused staffing shortages?
• Information Technology what challenges occurred when providing equipment and remote working technical support during the quick transition to home office?
“A risk interview is a process by which a facilitator, often from the risk team, meets with leaders individually to talk about threats to their business area”
Once risk interviews are complete, the findings should be communicated to internal audit and the executive team. Significant changes should be reported to the Board of Directors. New risks identified may have entity-wide impacts and strategies may need to shift. The risk team should work with leaders to identify mitigation strategies. The overall goal of this process is to bring awareness and action to emerging risks caused by COVID-19.
[Call-out box]
If you haven’t implemented risk registers at your organization, here are the basic building blocks to get you started.
• Identify and rate risk, usually on a five-point scale for each rating item.
• Impact cost of event if it occurs.
• Likelihood probability event will occur over a one-year time horizon, which can be translated into expected occurrence every one-in-xyears (Ex. 10% probability = 1/10 = 1-in-10 year event).
• Identify and rate controls, which is the effectiveness of mitigation efforts.
• Calculate metrics.
• Inherent risk level of risk to entity before actions are taken to mitigate. This is calculated as impact x likelihood.
• Residual risk remaining level of risk after controls. This is calculated as impact x likelihood x (1 – percentage mitigated).
• Identify top residual risks and allocate resources accordingly.