The COVID-19 pandemic has forced businesses of all sizes to navigate new ways of doing business on top of dealing with immediately pressing cash flow concerns. This rapid shift in priorities has left many organizations more vulnerable to certain risks. In Baker Tilly’s webinar, Crisis, continuity and recovery: a real-time enterprise risk workshop, our specialists discuss how organizations can identify and mitigate risks in real time with special attention to cybersecurity and fraud risks.
While the immediate fallout from COVID-19 is beginning to level out as organizations and employees settle into the new normal and aid is being made available by the U.S. government, the risks associated with the situation are still very much ongoing. The first step to mitigating any risk is identifying it, which is where enterprise risk management (ERM) can help.
ERM is concerned with how you manage your business’s risk every day – not just during a downturn – and with making that process more transparent to your leaders by formalizing it. During a downturn, it can certainly be difficult to focus on more than the negatives of the situation, but some organizations are discovering opportunity (the upside of risk). ERM can help you identify both.
While each organization’s ERM program is going to be different, the basic structure should consider the following process:

- Identify and assess: Identify your key risks and assess the likelihood and impact level of each risk; consider 10-15 risks to focus on proactively with your board and leadership; and identify who will be responsible for managing each risk.
- Respond: What action will be taken? Will you mitigate risks via internal controls, share risk with a third party (e.g. insurance), or exit that risk altogether?
- Monitor: Monitor your organization, industry and environment to determine how the risk landscape is changing and whether your responses are effective.
- Improve: Identify if the mitigation process is still in place and working, and if the people in charge of mitigating each risk are still the right ones to be doing so.


