Risk management can no longer be a once-a-year assessment for companies, with the COVID-19 pandemic driving rapid changes to business models, sourcing and distribution and so to the risk environment, says Greg Duncan, client service manager at FM Global Australia.
The world has been dealing with the global pandemic for the past 12 months, but another emerging, as-yet-unknown risk could be around the corner, and the once-a-year risk assessment isn’t sufficiently responsive, he says.
“What Covid has shown generally is a little bit of immaturity when it comes to risk management in some organisations. Those that are going to manage it the best in the future are the ones that are going to set themselves up to be as agile and responsive as possible,” Duncan says.
While many of the risks faced by organisations remain the same – such as supply chain risk, cyber risk and disaster and natural disaster risk – the way they manifest themselves and the way organisations respond has changed since Covid.
For instance, the way that businesses operate and transact as a result of the coronavirus lockdowns has changed the cyber risk profiles of many businesses. The increased reliance on technology and new systems and processes which haven’t been fully embedded have increased their vulnerability to cyber attacks and cyber outages.
“Businesses have been forced to respond from a technological point of view, and in doing so, exposing themselves to increased cyber risk,” Duncan says. “A lot of our clients’ businesses have undergone more technology change in the last 12 months as compared to what they’ve done in the last five years or even longer.”
Risks facing businesses, such as floods, can be assessed and appropriate management strategies adopted with the help of the FM Global Resilience Index.
When organisations introduce a new system or process, they would typically conduct full testing and risk assessments, but with the rapid and necessary adoption of new technology during pandemic lockdowns this didn’t always happen, increasing their vulnerability.
The Covid pandemic has also changed companies’ responses to disasters. For instance, if a company based in NSW suffers a flood, its old risk management plan might have been to import replacement products from India, but with the global coronavirus pandemic, these sorts of solutions have become more difficult.
In fact, the ability to recover quickly from loss, particularly during the pandemic, may be hampered through a lack of easy access to expertise and spare parts. Businesses need to consider the steps they can take to work around this problem.
Fortunately, with Covid risks abating in Australia, risk managers and business continuity planners can travel domestically and resume site visits to make updated assessments.
“When we look at risk management generally it was a relatively stable thing. Our emerging risks that we were considering and we see our clients consider, it was a relatively stable list. You could review it once a year and something might have changed and then you address, adjust your approach to risk management based on whatever hot topic was that year,” Duncan says.
“The whole way that everybody was having to respond to Covid was so disruptive that I think attention was changed away from the usual risk prioritisation – just trying to continue with business as opposed to having a stable and robust approach to risk management.”
The changed risk profile comes against the background of a hardening insurance market, which means insurance companies are charging more for risk. Businesses which fail to address these risks are being charged higher premiums, or in some cases are unable to get insurance at all.
FM Global employs a data-centric approach to risk management, with the help of the FM Global Resilience Index, which compares risk factors in 130 different countries.
A global company can draw on the data to identify which of its locations around the world are most susceptible to loss, then, for a particular location, which parts of that location are most susceptible to loss and which pieces of equipment have the highest likelihood of exposure.
“It’s using the data that’s at their disposal to better understand where those exposures lie, whether it’s natural catastrophe-type data, like where a flood is going to occur, how big is the flood going to be, where these earthquakes are going to occur?” Duncan explains.
“If it’s a fire, for example, what are the factors that are going to give a chance of ignition and then a spurt of fire throughout a location?”
Once the risks have been identified, companies can invest in risk planning and mitigation strategies.
“Companies can choose to be resilient,” Duncan says. “Any company anywhere in the world has the choice on how they’re going to respond to these kinds of things. And those that choose to understand and invest in the process are always the ones that will have the lower loss if something happens or indeed no loss at all if they’re decreasing the likelihood of something going wrong.”
This article first appeared in The Australian Financial Review