Corporate Compliance Insights

After COVID-19, It’s Not a Question of ‘If’ Another Disruption Will Occur. It’s ‘When.’

Lessons Learned from the Pandemic Need to Inform Strategy Going Forward

by Jim DeLoach
July 14, 2021
in Governance

Most business leaders recognize the futility in predicting the future. As markets transition out of the pandemic, it makes sense to improve the organization’s agility in responding and adapting to the unexpected.      

The business model is akin to a finely tuned machine requiring the coordination of multiple components to deliver value to customers according to the company’s brand promise. Business models vary by industry. For example:

  • A manufacturer’s model combines a robust supply chain, an accessible labor pool, cutting-edge innovative processes, efficient facilities and equipment and access to power, water and other necessary resources to produce quality products at competitive prices.
  • A bank’s business model might emphasize critical third-party providers, differentiating skills and competencies and proprietary systems to enable superior customer experiences.
  • An e-commerce retailer’s model leverages supplier partnerships, efficient omnichannels or multichannels, world-class logistics and distinctive branding to offer a compelling value proposition and experience to consumers.

Unless the organization has an effective response plan, the absence or ineffective functioning of any of these components compromises the business model’s viability. A loss of one or more components can take away the advantages of the model’s underlying cost structure, ability to produce or deliver product, capacity to provide essential services and/or accessibility to customers. Herein lies the crux of operational risk, or the risk that one or more scenarios impair the effectiveness of the business model in fulfilling customer expectations and realizing acceptable returns.

The COVID-19 pandemic has proven to be an object lesson on how severe this risk can be. Many were unprepared for an event that literally shut down major segments of the economy – and even whole industries dependent on the gathering and concentration of people. Widespread failures of supply chains and third-party providers, and almost complete cessation of demand for products and services in some industries, are unforgettable experiences that many might have regarded as implausible prior to the onset of the pandemic.

The pandemic experience has served as a reminder that, in today’s interconnected global marketplace, most companies are boundaryless due to their tight coupling with upstream suppliers and providers and downstream channels to reach ultimate end users. The concept of an extreme but plausible event becomes more pervasive when these dependencies extend, for example, as far upstream as third- and fourth-tier suppliers. Furthermore, the determination of “plausibility” when assessing extreme events continues to evolve over time as their frequency, severity, velocity and persistence increase.

COVID-19 is just one example of a resilience event that stops the show. Others, such as cyberattacks – for example, the recent ransomware attack on the Colonial Pipeline in the United States – or catastrophic natural disasters also can grind companies, sectors or industries to a halt. The velocity of such events varies. Whereas companies could see pandemic risk charging on the horizon toward them like a gray rhino, cyberattacks can occur suddenly and without warning.

As this evolution moves scenarios previously considered “implausible” into the “plausible” category – in effect, shifting probabilities assigned to tail-risk events closer to the mean – the question arises as to executive management’s and the board’s role in overseeing operational resilience. To that end, we offer several considerations for senior leaders and directors as their organizations enter into and learn to operate successfully in a post-COVID-19 world:

Learn from the COVID-19 Experience

Much has been said about the importance of continuous learning during the COVID-19 experience to understand what went well and what did not go well. The extremity of the pandemic offers powerful lessons for companies to consider and apply in formulating an effective response plan should another pandemic or equally severe catastrophic scenario occur. Not only should this review be encouraged, but a summary of actions to be taken because of it should be requested as well.

Pay Close Attention to Concentration Risk

The term concentration risk is most often used in financial services to refer to exposures within a bank’s asset portfolio or an insurer’s underwriting portfolio arising from concentration to a single counterparty or insured category, sector, country or region. It also applies to other industries. Geographic concentrations of critical assets, significant operational exposure to a geographically specific event (including sovereignty risk and regional conflicts), concentration of information assets with outsourced functions, reliance on sole suppliers of critical raw materials and components, dependence on major customers for business and other factors peculiar to a company’s business model create concentration risk. For example, what if major customers were to fail, major customer contracts were not renewed or major customers were to consolidate? Senior management and boards should be aware of these risks and, when they exist, inquire of management as to whether the specific concentration risk has been weighed against the cost and the ability to recover within an appropriate time frame from an extreme but plausible event.

Enhance Resilience Through a Reimagined Work Environment

The pandemic has accelerated workplace redesign in most organizations. Companies able to virtualize their processes have been more successful during the pandemic lockdown than those that did not or were unable to do so. Going forward, an opportunity exists to reimagine work processes to ensure the highest form of resilience possible. This focus can lead to distributing the workforce, continuing remote-work arrangements, reducing dependence on business travel and supporting a hybrid model combining remote work with work physically performed in an office environment. The objective is twofold: Accommodate the “new normal” workplace, however it evolves, and contribute to increased operational resilience in facing catastrophic events that restrict workforce mobility. And the byproduct is as attractive: Enhance employee retention by giving employees a voice and choice about where and when to work.

Leverage Technology to Increase Resilience

As noted above, companies able to operate their business virtually have provided an object lesson on the power of technology to facilitate resilience. In addition, while most companies use the cloud, quite a few still do not fully exploit its unique benefits. The cloud offers a scalable ecosystem where damage to, or the loss of operation of, any single component of that ecosystem would not have a significant effect on the company’s overall operations. It can contribute to the efficient deployment of the technologies enabling a virtual environment and improved operational resilience.

Facilitate Response Readiness Assessments by Using the Right Factors

Management should ensure the right questions are being asked when assessing exposure to extreme but plausible scenarios. The first is: Which critical business model functions, services and ecosystem components are most affected by the scenario? With respect to each scenario, what is:

  • the velocity or speed to impact (i.e., can the loss of key functions, services and ecosystem components occur without warning (e.g., a power outage))?
  • the persistence of the impact (i.e., the duration of time before the loss of the functions, services and ecosystem components can be addressed and the “headline effect” regarding the organization’s attempts to recover)?
  • the extent of the company’s agility and readiness in responding to the event?
  • the magnitude of uncompensated risks the company faces as a result of the loss of the component (e.g., loss of revenue due to downtime of services, permanent loss of customers and emergence of health and safety issues)?

Likelihood of occurrence is not a prime consideration in a resiliency assessment. The focus is not on if the event occurs, but on what management will do when the event occurs.

Manage the Intersection Between Risk Management and Crisis Management

Every director and CEO faces the specter that no matter what they do, an unforeseen disruptive crisis event may occur for which there is no playbook available. But this reality should not stifle efforts to plan and prepare for disruptions. As a crisis is a severe manifestation of risk, crisis management is the natural follow-on to risk management. Rapid response to sudden, unexpected events depends on the enterprise’s preparedness and response plans. Building an agile crisis management capability is a management imperative for scenarios with a high reputation impact and velocity. A world-class response to a persistent crisis is vital to a company’s ultimate recovery and preservation of its brand image. Operational resilience assessments focused on the aforementioned factors can help identify areas where preparedness is more critical, prompting action to develop robust response plans.

Be More Engaged at the Top with Resilience

Now that the world has experienced the worst pandemic in a century, executive management and directors should pay more attention to operational resilience going forward. Senior leaders and the board should understand and offer input to the operational resilience strategy, including the functions, services and ecosystem partners identified as critical to the execution of the business model. They should also request a prompt notification when an event occurs that either is likely to require public and/or regulatory disclosure or meets specified criteria – such as a “close call” involving a business function or service that has been deemed “critical.” Such notifications should address the strategy for disclosure (if warranted) and the plan for recovery and, if necessary, improving resilience. While views about the granularity of senior management’s and the board’s focus on operational matters may differ, there should be general agreement as to the organization’s targeted recovery time for an important business service or process that guides the assessment of its resilience plan. Company leaders and directors should also be comfortable with the company’s operational resilience team and their line of sight into the team’s activities.

Position Operational Resilience as a Strategic Imperative

The scope of resilience planning should encompass an end-to-end extended enterprise view of the value chain that looks upstream to suppliers and third-party providers, as well as downstream to channels and customer relationships. These business ecosystem partner relationships are just as important to the execution of the business model as the organization’s internal processes, personnel and systems. An evaluation of operational threats, therefore, should be directed to understanding the company’s resilience in addressing any of these key links in the chain and whether the time frame to recover is acceptable in terms of sustaining the operation of the business model.

This comprehensive view is important. According to Gartner, business continuity management and organizational resilience programs are not keeping up with digital transformation initiatives and emerging, more complex threats. These programs should be a business-as-usual activity inextricably tied to the achievement of corporate objectives, customer fulfillment commitments and expressed or implied brand promises. A comprehensive view of all key components of the business model is needed to create that linkage. The operative question is: what would happen to the organization’s ability to execute its business model when any of these components are taken away through an unexpected catastrophic event or altered in a significant way to place it at a strategic disadvantage?

Asked another way: At every stage of the value creation process, what would be the implications of a shortage, disruption or quality problem in a particular input or output? In such scenarios, how long would the company be able to operate? This pervasive question applies to such inputs as the available labor force and talent pool, the availability of power at a reasonable price, lines of credit and working capital, among other factors. This kind of thinking is needed in a disruptive world.

In considering the above points, senior leaders and their boards should be mindful of business continuity regulatory requirements and standards specific to the sector(s) in which the company operates, as well as the organization’s processes for complying with them. These regulations and standards often provide guidance on required or suggested areas of focus and approaches. The most comprehensive guidelines and standards are geared toward financial services. Using these more rigorous guidelines, it is not uncommon for other industries to apply the strategies and controls that are most relevant as they offer a model of best practices.

Questions for Executive Management and Boards

Following are some suggested questions boards of directors may consider based on the risks inherent in the company’s operations:

  • Do we have sufficient transparency into our organization’s:
    • Definition of the business functions, services and ecosystem partners that are critical to the execution of its business model?
    • Determination of the impact tolerances for these functions, services and ecosystem partners (i.e., how long can our company operate without them)?
    • Consideration of extreme but plausible events that could result in an impact on the business that exceeds the established tolerances?
    • Events that have occurred that either require disclosure or meet our specified criteria for timely notification?
  • How prepared is our organization for operational resilience? Have we implemented reliable processes, systems, metrics and response plans to ensure organizational preparedness? Is our organization conducting periodic tabletop exercises that are effective in testing its ability to recover against extreme but plausible scenarios? How do we know?

Tags: Business Continuity Planning, COVID-19, Crisis Management

Jim DeLoach

Jim DeLoach, a founding Protiviti managing director, has over 35 years of experience in advising boards and C-suite executives on a variety of matters, including the evaluation of responses to government mandates, shareholder demands and changing markets in a cost-effective and sustainable manner. He assists companies in integrating risk and risk management with strategy setting and performance management. Jim has been appointed to the NACD Directorship 100 list from 2012 to 2018.
