Risk management during the COVID-19 pandemic: Checklist to recovery

23 avril 2020

All organizations can use the basic principles of risk management to shape a path through the COVID-19 pandemic and minimize the lasting negative impacts. Whether you have a robust Enterprise Risk Management (ERM) program in place or have not yet turned your corporate mind to risk management, the principles outlined below can help you move through this crisis and beyond:

1. Identify your risks

Organizations use risk management to "predict the unpredictable." To navigate the risks (and opportunities) associated with the pandemic, it is critical to first identify what those risks are. Indeed, the exceptional circumstances surrounding COVID-19 may have brought to light risks you had not yet considered - or may have imbued previously identified risks with a new sense of urgency. Whatever the case may be, before moving in any one direction take a moment to catalogue the risks your company may face over the next month, three months, six months, nine months and year.

In order to accomplish this most effectively, you should:

  • Consider all kinds of risks - including operational, strategic, financial and reputational;
  • Gather information from all employee levels and from a large cross-section of stakeholders (clients, vendors, etc.) - they might be in a position to identify risks that you would not think of;
  • Look at other organizations, in Canada and abroad, and consider what they are facing; their risks might be the same as yours or perhaps their risks will create risks for you down the line (think supply chains).

Dig deep into this exercise before you move on, and return to it often over the next year, two years and five years so that you can update your risk profile as the world progresses through these unprecedented times.

2. Be agile

Albert Einstein said "learn from yesterday, live for today, hope for tomorrow. The important thing is not to stop questioning." The world is collectively questioning everything as we navigate a new normal. The plans that you had two months ago are no longer appropriate, feasible or realistic for today.

Do not throw your entire play-book out but instead return to your values and redefine how you will realize them. Be ready to be uncomfortable. Navigate this period with flexibility and understanding. Be creative in your approach to moving forward, listen to what your stakeholders want and need and consider how you can pivot to fill a void.

3. Think people

The backbone of every organization lies in its people. Today people are stressed, tired, taxed, scared and pre-occupied. The organizational risks associated with mismanaging your employees in this time can be significant (health and safety, financial, reputational, legal, operational, to name a few).

Where then do we start? People generally need to feel heard, they need to be able to trust and they need to have information. Let your employees know that you have a risk plan, a business continuity plan, and a crisis plan - and take the time to communicate what each plan entails and how it will evolve, while also seeking their engagement and input.

ERM works because it fosters and relies upon a holistic approach to identifying, analyzing, evaluating and treating risk. While it has to be fully endorsed and supported by top management, it must involve the entire organization in order to succeed. ERM also encourages frequent communication between all levels of the organization, which in turn leads to greater transparency and trust.

As we move through this pandemic, we see that the heroes come in all uniforms - from the delivery drivers, to the cleaners, to the grocery store clerks, to the health professionals. The heroes within your organizations will also come in all roles. Consider how you can make their days easier in order for them to be more physically and mentally able to help you. Whether it is implementing flexible work hours or ensuring that they have a computer at their home, it starts with asking them what they need to do their job during these times.

4. Consider business continuity

The purpose of business continuity is to ensure that your business is able to survive a critical incident. It consists of a series of plans implemented over phases to shorten recovery time and mitigate impact. For more information regarding business continuity, please see Gowling WLG's article "Business Continuity Planning in COVID-19."

Now is a reasonable time to evaluate the impact of COVID-19 on your organization, looking both internally and externally:

  • Internally: This involves identifying business critical functions, equipment and employees, and determining how, where and by whom critical services are provided. You may consider suspending non-essential work to reduce risk of exposure, to support social distancing and to reduce unnecessary cash expenditures.

    Ensure you carefully monitor employee availability, health and safety. As all people are at risk of being personally impacted by COVID-19, a continuity plan must be developed for all business critical employees that can be easily triggered should they become indisposed. The chain of command must be clearly identified and alternates and designates put in place for all critical functions.
  • Externally: This requires a supply chain analysis and assessment of the possible risks faced by vendors, manufacturers, suppliers, distributors, purchasers and all organizations and stakeholders that you interact with and rely upon.

Amid government restrictions and instructions to "stay home," the use of technology is exceptionally important for many organizations. Most have already mobilized an infrastructure to support remote working. To increase productivity and reduce interruption, ensure that employees have the necessary hardware, software, equipment and internet connectivity to work safely and efficiently from home. Also ensure that your IT infrastructure can support the increased pressure from a significant portion of your team working from home.

The new normal has created the need for new policies and procedures. On the technology side, the remote working world has greatly increased the risk for cyber attacks and phishing. Employees must be aware of these risks and trained on the new policies pertaining to the use of technology and the transfer of information and funds. If employees remain onsite to work, organizations will need to address health and safety concerns through new and evolving policies.

Consider your internal and external communication plan. Updates need to be communicated to stakeholders in real time. The situation is constantly evolving and appropriate measures need to be implemented such that communication can be disseminated immediately.

5. Consult with advisers

This is the time for everyone to work together. Consider reaching out to:

  • An outside risk management consultant: We can assist you in identifying, analyzing, evaluating and treating your risks. If you do not have a business continuity, incident management, risk management or crisis plan, or if the ones you do have are not working, it is not too late to seek advice to review, improve, create or implement.
  • Legal counsel: We can help you navigate new and rapidly changing legislation, assist you with managing health & safety, employee, regulatory, essential service, insurance, travel, and contractual issues, to name a few, that present themselves.
  • Insurance broker: Can help you understand your current insurance policies and advise whether you have coverage that can assist you and how.
  • Financial advisers: Can discuss which financial incentives, loans, government programs, deferrals, etc. are available to you and how can you access them.
  • Mental health professionals: Your staff may need support during these times. Finding a way to get that support to them may prove invaluable.

6. Consider your reputation

Last, consider your reputation. The success stories of COVID-19 will be the people and organizations whose reputation was improved with their response to the pandemic.

When the dust settles, we will remember the Marriott CEO relinquishing his salary for 2020, his executive team taking a 50 per cent pay cut and the Lyft cofounders donating their salaries to help their drivers. We will also remember the many companies that re-deployed their entire workforce and production capabilities to create and produce personal protective equipment for frontline workers, hand sanitizers for health professionals and technology to help track the spread of the disease.

For those organizations that take a short-sighted view of the pandemic, by price gouging or supply hoarding, the long-term negative reputational impact may far outweigh the short term benefits experienced.

Stay true your organization's values and take the higher ground. It will pay dividends in the long-run.


CECI NE CONSTITUE PAS UN AVIS JURIDIQUE. L'information qui est présentée dans le site Web sous quelque forme que ce soit est fournie à titre informatif uniquement. Elle ne constitue pas un avis juridique et ne devrait pas être interprétée comme tel. Aucun utilisateur ne devrait prendre ou négliger de prendre des décisions en se fiant uniquement à ces renseignements, ni ignorer les conseils juridiques d'un professionnel ou tarder à consulter un professionnel sur la base de ce qu'il a lu dans ce site Web. Les professionnels de Gowling WLG seront heureux de discuter avec l'utilisateur des différentes options possibles concernant certaines questions juridiques précises.