Re-evaluating risk after Covid-19
For most, if not all, organisations the last couple of weeks will not have afforded much time for reflection.
The unthinkable finally happened and with the impact of Covid-19, your priority was to dust off those business continuity plans and put them into practice in short order.
The sudden shut-down of offices and other workplaces, and the corresponding surge in homeworking driving the need for more remote access capability, has been one of the greatest challenges faced.
For many, a workable solution to the changed circumstances is now in place and some would suggest the immediate panic is over. On the other hand, many are indeed still scrambling around for an immediate answer with their businesses operating on very temporary foundations.
So getting to that steady state of business as usual feels like a long way off for most, but as you take a moment to reflect on your actions over the last few weeks and the approaches you took to get you to your current state of operations, it’s likely you may find that there is more to reflect on than you realised.
To begin with, you may not be entirely assured that the solutions you’ve put or are putting in place are the right ones for the medium to long term. Compromises must often be made to scale up capacity rapidly and old policies may have been stretched or even ignored completely, so anxiety about the risk of new security vulnerabilities that may have been opened up is commonplace.
Don’t beat yourself up!
If that is the case - give yourself a break. You had to act. Not acting would almost certainly have been worse than doing the wrong thing. You simply decided that the risk embodied in doing nothing vastly outweighed any risk embodied by potentially adopting the wrong type of solution, and in that, you were probably right. It may not have been a formal risk assessment, but it was still a risk-based decision.
But just because you didn’t do a formal risk assessment then, it doesn’t mean you shouldn’t consider one now. Risk assessment gets a bad press as being an enemy to action – one more bureaucratic hoop to jump through to get something done. But proper, business-oriented risk assessment understands that risk is an ever-present reality that can never be eliminated. It simply seeks to understand and quantify what risk there is, and whether it is in line with your overall appetite for risk as an organisation. In other words, take risks by all means, just make sure you understand the risks you are taking as well as you can.
Maybe a risk assessment was done a while back by you or your predecessor! If so, the recent crisis may have shone a light on some of the assumptions that were made back then. You may have found that in some areas the business was better able to cope than you thought, and in other ways perhaps less able to cope. These are valuable learnings that should be fed back into the process of understanding business risk and developing plans and strategies around it. To view these things as contrary to action in the here and now is dangerous: it may be essential to act quickly and decisively, but if you don’t evaluate risks and assets effectively, how do you know you are solving the right problem?
Running very fast in the wrong direction can sometimes be as disastrous as standing still.
Similarly, if you shy away from proactively grappling with these abstract issues in the here and now, you may be tempted to try to fall back on orthodoxy to find a way forward. The snag with this approach, however, is that even before Covid-19 struck we were already living in an era where old orthodoxies were being vigorously challenged. One way or another, most organisations were already on a journey towards operating as a more distributed enterprise with a greater level of remote- and home-working, and a lot of the differences from one organisation to another simply revolved around the pace and extent of that change. So, for many, the recent crisis has merely accelerated a process that was happening anyway, rather than forcing a complete change of direction per se.
There would, of course, have been reasons why you didn’t move faster before Covid-19, and some of those reasons would have been related to risk. Now you’ve been forced to take many of those risks anyway: were they not as great as feared? Or maybe they were, and you are now blindly stumbling towards disaster, blissfully unaware? How can you be sure if you don’t take time to step back and assess?
You have to decide what you go back to, when it is finally time to go ‘back to business as usual’ (whatever that may be).
There may be a number of technical questions to answer, but your concept of risk, and your appetite for risk, should also be a crucial part of determining what that new reality should look like, and if you don’t answer the more fundamental questions first, you may be building the castle of the future on shaky foundations.
Head of Product Category
Chris is a big believer that security must be usable to be effective, and is passionate about helping businesses use security as an enabler to greater efficiency and agility, as opposed to an inhibitor.