Risk management and the COVID-19 pandemic

 
Apr 28, 2020
How do you mitigate the risks associated with a pandemic, and what do business and governmental risk leaders need to think about today to prepare for an uncertain future?

Risk management is used primarily to identify the steps we can take to avoid loss or lessen the impact of threats such as hurricanes, floods, tornadoes, and terrorism. But what about pandemics? What do risk leaders in business and government need to bear in mind as they respond to the current COVID-19 crisis—and prepare for a future that may very likely include additional waves of infection?

To effectively evaluate risk in a pandemic, leaders need to focus on the right metrics and consider all dimensions of risk: severity, likelihood, and velocity. How quickly might the effects manifest themselves inside your organization, supply chain, and balance sheet? As we navigate through the COVID-19 crisis, there are lessons we can apply from previous pandemics, and actions we can take today to set the stage for a more resilient future.

In this podcast, hosted by Marko Bourne, Senior Vice President of Disaster Management for ICF, two risk management experts discuss risk management and resilience issues facing business and governmental organizations in the pandemic. The conversation with Reid Sawyer, Head, Emerging Risks Group and U.S. Cyber Risk Consulting Practice Leader, Marsh; and Susan West, Vice President of Risk Management for ICF, covers topics such as:

  • The importance of developing a pandemic preparedness plan, and key elements to include.
  • What organizations can do to evaluate their risk under conditions of deep uncertainty.
  • How insurance coverage fits into pandemic risk management.
  • How risk leaders should think about preparing for the upcoming natural disaster season during COVID-19.
  • Where do you go from here? What risk leaders should be thinking about today to build organizational resilience.

Full transcript below: 

Marko: Welcome. Thank you for joining ICF's latest podcast on the COVID-19 pandemic efforts. Today we're going to be talking about risk management and the pandemic. My name is Marko Bourne. I'm the senior vice president for strategic initiatives for ICF. And I’m happy to have with me today two experts who have been dealing with risk management for their entire careers, both inside government and outside of government. Risk and risk management is something that we all face and all deal with every day, whether we own a business, whether we are part of government, or whether or not we even think about it in our daily lives. Risk management, to most, conjures up images of risks from hurricanes, floods, tornadoes, terrorism. But certainly, risk is an ongoing challenge when it comes to other natural hazards, or man-made hazards such as pandemics, and other types of threats.

Today, we have two experts who have been dealing with risk across the spectrum, and how that not only affects insurance, but affects the way our business leaders, our government leaders, and even ourselves as individuals think about it. Joining us today, we're pleased to have one of our great friends and teaming partners Reid Sawyer, Managing Director of Emerging Risks at Marsh and a retired lieutenant colonel with the United States Army. Reid is a nationally recognized expert on managing risk, and a former senior vice president of JLT. He was a senior member of the New York City Fire Department's Terrorism Task Force, and also helped inform New York City on cyber and risk issues from 2003 to 2017.

A former senior intelligence strategist while serving in the United States Army with both U.S. Central Command, South Asia, he did a fellowship with the FBI, and--looking at intellectual property theft through cybercrimes-- has been the founder of a premier counterterrorism research institute, the Combating Terrorism Center, at West Point. He's the editor of a number of books on transnational threats and the author of numerous articles, and we welcome Reid to today's podcast. Also, we have Susan West who joins us again on the podcast. She's a vice president of risk management for ICF, who brings more than 30 years of risk management and insurance expertise to ICF's disaster management team. She's currently serving as the insurance lead for the disaster recovery initiatives in Puerto Rico, and navigating the insurance complexities associated with liquidated insurance companies and volatile assurance markets.

She provides strategy recommendations for the application of insurance proceeds to maximize FEMA funding, and has previously worked for the state of Louisiana as the state risk administrator, and was instrumental in the state's recovery from multiple disasters. Her knowledge of disaster regulations, insurance, and risk--and her expert guidance on risk financing, continuity of operations, risk analysis, and coverage matters--related to both FEMA and other insurance, including the federal requirements to obtain and maintain insurance provisions. She's a leader, having served as the vice president of an insurance agency and Chief Executive Officer of a large insurance program, and has a Master of Business Administration. And is a certified insurance counselor and certified risk manager, and author of "Insurance and FEMA: How to Get (And Keep) Federal Funding." Susan, again, thank you, and welcome to you as well. First question, really, Susan, is for you. And as we take a look at pandemic, especially in terms of how we might normally think of risk for other perils, how do you mitigate the risks associated with a pandemic?

The risks pandemics present to a business’s value chain 

Susan: Good morning, Marko. And good morning, Reid. Risk management is usually used primarily to describe the steps that we would take to avoid loss or lessen the impact of a potential risk. So, as we sit here today in the midst of a pandemic, we can all play the Monday morning quarterback and assess what we could have done differently--and even better. So, in assessing risk, you need to first assess what can happen, the "What is a pandemic?" But don't forget, obviously that there's some fall-out from a pandemic in your assessment, such as your loss of revenue, your inability to retain employees, supply chain impacts, employment lawsuits, and more. So, once you've identified your specific risk, you should determine the probability for its occurrence. Keep in mind that pandemics, they're not new. If history is a good predictor of the future, more pandemics are likely, including a resurgence of COVID-19. So, we can no longer say that the probability is unlikely. As such, we need to look at the consequences of such a risk and begin that process of mitigating against the possible outcomes.

Marko: Reid, I certainly want to welcome you and bring you in as well. You know, we've had a history, certainly, of pandemics in the world, and unfortunately, most folks think back to the flu epidemics and pandemics of the early 1900s. But there's more out there. There are other pandemics and other issues that have provided us with information and metrics that we can really take a look at when it comes to evaluating the risk. How and what metrics are out there? And what metrics really matter when evaluating the risk of a pandemic crisis?

Reid: Yes, it's a great question. And thank you very much for having me join your podcast. The challenge in many of this is first detecting sort of the weak signals of what a potential evolving pandemic, or even prior to that--before it's declared a pandemic--an epidemic. How that can matter to a company's, to a firm's value chain? And so, from that perspective, it's critical that we believe that companies have to establish measures of risk aggregation. They've really got to redefine what enterprise risk means to the company itself, and understand how these instances of a pandemic--or similarly catastrophic and systemic risks--can impact that organization or different parts of their supply chain, or indeed their business partners. So, parts of this means that we have to develop different resiliency metrics, right?

We all collect enormous amounts of data relating to our productivity, our capacity, our delivery across our different systems in our organizations. But the question becomes, are we actually leveraging that data in a way that we can determine how much stress my organization can stand at a given time--and for how long can it stand at a time, right? Similarly, it's really critical, I think, in these days--and certainly what the COVID-19 crisis has showed us--is that we reevaluate our counterparty risks. Those that we either rely on to provide us critical IT services, business out-processing services, critical members of our supply chain--whatever that case might be--that we look at our counterparties through a different lens and say, "How much stress can that organization sustain?" And in doing so, I think that requires us to start to build some intelligence layers from a risk management perspective that we're just not used to doing in the past.

The makings of a pandemic preparedness plan

Marko: As we take a look at metrics and why they're important, not only are they important to gather and analyze and understand, but what we do with those metrics becomes incredibly important as well. Because the action does need to be taken based on those. A lot of that goes into pre-planning. And when it comes to planning, Susan, what can governments and businesses do to better plan for another pandemic, knowing that perhaps they didn't do as much planning prior to this. But there’s a lot of wonderful, helpful information--albeit tough--what can they use to better plan for what is inevitably going to be the next time?

Susan:
That's a great question Marko. And to analyze your total enterprise risk management situation now that we're living through a pandemic, it may be easier to determine what you, as a business or a government, need to do. The first suggestion is to develop a pandemic preparedness plan. There are some companies that are now being required to provide their pandemic plan when bidding on jobs. So, it's going to be critical as we move forward. The plan that you develop should clearly define the essential roles, the protocols for remote work, measures required of infected employees before they return to work, training, obviously, that's going to be needed for those employees, and any emergency communication plan that you develop. Also, as Reid alluded to, financial impact is going to be great, and already has proven to be great. And it's not just you, but it's also that supply chain and those partners that you deal with in this process, so you need to review your organization's sustainability. Does your business have enough capital to sustain itself during an extended shutdown, and for how long? Would it be feasible to consider remote work as a permanent solution perhaps, to lower cost? And then again, are there other business solutions that could help you decrease expenditures?

Some industries are able to capitalize on this moment, as the pandemic has opened the door for new business opportunities, so each business will need to determine what makes the most sense for remaining viable. Another important factor that you need to consider is to document your unplanned expenditures. In the event of a federally declared disaster, the federal government will provide funding for eligible expenses to states, local governments, and private nonprofits who are impacted by the event. To take advantage of this funding, you will need to document your unplanned expenditures and hold on to all invoices and receipts for payment. And once the disaster is declared, the federal government will release details on what types of costs may be considered for reimbursement. Also, Reid mentioned earlier the technology. So, you have to assess your technological systems. Does your business have the appropriate technology to continue its operations during an extended shutdown? And do your employees have laptops? That's a simple thing that we now know, but a lot of folks did not plan for that. And do you have access to an internet with adequate bandwidth and appropriate protection from computer viruses?

So, you might want to consider investing in software to allow for collaborative meetings and remote file access. One thing we have found is that training of these technological softwares is important. There are a lot of folks that don't know how to operate necessarily in a virtual environment, and are having to become familiar with Microsoft Teams, for example, or other software. So training is obviously going to be important. Then I think you need to examine your contracts that you have in place. Does your business have contracts that may include a force majeure clause? This is a type of clause that's in a contractual--usually in a lot of contracts--that provides for temporarily or permanently suspends contractual obligations when the completion of the work is not feasible due to circumstances beyond your control. This clause typically contains language that specifies which type of events are considered unforeseeable. So, when you're looking at your contract and then look at the clauses that are contained in there, you want to make certain that a pandemic is listed as a specific clause. The contract should not be enforceable if it contains a force majeure clause for that specific peril and work is not able to be completed.

Some states, just so you're aware--New York, Florida, California, Texas, Illinois, that's not an exhaustive list--mandate the inclusion of force majeure language in contracts. So, it's likely that other states will now join in this requirement. And then, last but not least, consult with a risk advisor. You know, buying insurance is a pretty important step in the risk management process. And I think that every business and government should have a risk advisor to guide them through this process. Because as we are now seeing, businesses are finding out that the coverage they thought they had, they actually did not have.

Resiliency redefined in the COVID-19 era 

Marko: In recent years, certainly we've had a tremendous amount of emphasis placed on resiliency. And one step in resiliency is to understand the risks that Susan, you just outlined. But we mainly been looking at resiliency from both a natural hazard perspective as well as a terrorism perspective. But resiliency certainly is being stretched, the capabilities are being exceeded. And Reid, when COVID-19 came about, this crisis has certainly both exceeded resilience capabilities of most organizations. And as the crisis continues to unfold, what can organizations do to really evaluate the risk under these conditions of really deep uncertainty?

Reid: You know, it's a challenge for all of us. It's hard to have imagined that, eight weeks ago when we had less than 10 cases of COVID-19 in the U.S., and given the number of where we sit just barely two months later--or the number of tests we face--that anybody could have truly forecasted how bad and how extreme this crisis could have been. But that aside, I think that it's highlighted a couple things in terms of resilience that we need to be thinking about. The first is, as much as organizations tend to view risks through the lens of severity, and frequency or likelihood-- how bad can an event be, and how likely is that event to happen in my organization--there's a third dimension to risk that we need to be thinking about in terms of resiliency, which is velocity of risk. And how fast can those effects manifest themselves inside of my organization? How fast can they hit my supply chain? And indeed, how fast can they hit my balance sheet? I think once you start to evaluate through these different types of lenses--whether it's velocity of risk, or understanding the degrees of risk aggregation, and how, the degrees to which a company has excessive reliance or interconnectivity with other parts of other businesses, other parts, again, across its value chain. Until you're able to establish those measures and understand where those pockets of risk aggregation sit, it's really difficult to get your arms around this question of resiliency, and to be able to understand how much stress, again, that an organization can withstand.

Because again, it's at this point as we think about resiliency, it's pretty similar to a stress curve that we use in engineering, which is simply that how much stress can an entity withstand over a period of time before it breaks. But the problem is, it's not just my organization, it's all the organizations I'm connected to, and--unfortunately, as I think we have all learned through this crisis,--that the trade-off we've seen between efficiency and resiliency that has been made over the last decade, decade-and-a-half, has really, really challenged our ability to plan under those conditions of deep uncertainty that you're talking about.

Marko: Certainly, when we look at risk--and we look at pandemics specifically--like in any type of hazard, it's natural for folks to think in terms of insurance, and insurance helping to mitigate the risk. And Susan, in this particular case, insurance coverage is part of the equation, may not be the entire equation, or even most of it. So how does insurance coverage really fit into risk management in a pandemic?

Susan: That's a great question, Marko, and insurance is just one primary way that you can mitigate against loss. It's important to know what coverage you have and whether or not it will respond to a pandemic. I want to talk just a moment about group health insurance, because it's sometimes the forgotten piece in terms of risk mitigation. I think it's important to protect obviously the health and well-being of those who are on your company's group health plan. So you should talk with a risk advisor to just establish some basic protocols that may be considered when a disaster strikes--such as lifting out-of-network restrictions for members who have only in-network coverage, lifting daily limits for prescription refills, or lifting copay requirements for maintenance medication. Maybe even extending premium payments or filing claim deadlines, or adding newborn babies or marriages, and extend call hours for added support. And last but not least, perhaps adding free counseling for a limited time for members. As we have seen, there's a lot of potentially mental issues associated with this isolation that many are feeling, and also dealing with the fear of COVID-19.

So, when we talk about property coverages, most businesses have commercial property policies. But most of the traditional policies do not cover pandemics, and in fact, include standard exclusion language for loss due to virus or bacteria. And this exclusion means that the insurance company will not pay for loss or damage caused by or resulting from a virus, bacterium, or any microorganism that induces--or is capable of causing--illness or disease. Good news of sorts, the insurance service office responded in February of 2020 with two new forms for business interruption losses and civil authority orders for closure of businesses, and both specifically related to COVID 19.

These forms grant some limited coverage for COVID-19 when there is no direct physical damage to covered property. Unfortunately, insurance companies really don't want to add these new forms to policies during an ongoing pandemic. So, the importance of reviewing your insurance policy to determine the coverage that you may or may not have can't be overemphasized.

Preparations for a second wave

Marko: That's a great point. And certainly, as we wind through what is probably initially phase one of COVID-19, a lot of the models out there are showing that there's going to be a second wave at some point, whether it's this fall or this winter. In some cases, some states are further ahead than other states when it comes to where they are in the curve of infection and treatment. If those models are really correct--and there's not a lot of doubt that at some point, in the absence of a viable, really, a viable vaccine, which is going to be a little ways down the road, assuming they can get there. If those models are correct, Reid, how can and should risk leaders evaluate the future risk, especially of a second wave of COVID-19?

Reid: Yeah, it's the unfortunate reality that we're facing now is that we need to acknowledge these black swans that were probably somewhere on most companies' risk register at some point of a pandemic, just brought into stark relief with everything that's been happening over the last 12 weeks. And so, this ability to think forward--really the need to think forward--to create risk forecasts about the impacts. So if we don't have that magic Eight Ball that we can shake and look into the window to tell us how bad that second spike might be in November, or whether or not we're going to face a more of a lower level but rolling type of arc of this pathogen, then I think it's incumbent on us as risk leaders and decision makers, boards, and c-suites, to be thinking about this forecast, right? It's really a question of creating alternative futures analysis, and asking the question “if the spike in November happens at the height of flu season, as some have suggested that it might, what does that mean for my workforce? What if the spike in November is as severe as it was during this recent episode of which we're still undergoing? What if it's only half as bad?” And as you can start to imagine and parameterize those future outcomes, it allows the organizations to not only test the resiliency plans against those, but to start to think through then, “what decisions would I make at the time, and how would I respond in those different circumstances to accelerate speed to decision through those different instances?”

And again, I can't stress this enough. As we think about those different alternative futures, it's imperative to do so across the entirety of our organization's value chains. “What does it mean to my partners? To my joint ventures? To my suppliers? And equally, to my customers? Whether I'm in the B2B or the B2C place,” because as we go through this, again, we've all learned through this hyper interconnectivity that this world that we live in today, that understanding and the ability to communicate across those can allow us to plan for these different types of events, without having that certainty of the future. So, I think it's incumbent on us to parameterize that future uncertainty in a way that allows organizations to act and plan.

The art of managing concurrent risks

Marko: Well, certainly your organization at Marsh & McLennan, ours at ICF, others, are taking a hard look at not only evaluating the risk and evaluating the measures we're offering and providing our clients, but also how this plays out over the course of the next several months as we get through this first wave. And really try to address the second wave includes understanding how that modeling work, how that data is informing us. Because obviously, in the next wave, maybe we don't make quite the same decisions we made this time with regards to what stays open, what doesn't. What is that level of severity, that velocity of risk, because obviously, we can't continue to constantly swing back and forth between being completely open like before, or completely closed off in many respects, like we are now, and all of the intendant issues that go along with that. Susan, just to give you a final word here, from your perspective, as we look at the risk modeling and the risk management moving forward, how do you think that's ultimately going to change your crystal ball? How we're going to be thinking in terms of risk management moving forward, not just from the pandemic perspective, but how that fits into the other risks which we know we face, and are about to enter into hurricane season, and other storm seas and other natural hazards.

Susan: I was just going to mention that's a great point, Marko, because there's always a concern that there's a natural disaster that's going to occur during an ongoing pandemic, which is going to create a whole new set of risks to consider, such as, how do you shelter people with an ongoing pandemic? How do you manage evacuations? Normally, there are buses brought in to evacuate large groups of individuals, and that may not be part of the future in managing a natural disaster. So, we have to take a look at that. And I can see the whole spectrum of managing risk associated with the interjection of a pandemic totally changing how we manage our businesses and governments moving forward. So, as Reid mentioned, there's really no better time than now to prepare for another potential wave of COVID, or even another pandemic, and then considering the overlap of that with a natural disaster, such as a hurricane.

Marko:
Thanks, Susan. I appreciate it. And thank you for joining us today. Reid, I wanted to give you an opportunity for a last word and your thoughts about moving forward. Where do we go from here? And what are the steps? Or what are the things that we really need to be thinking about today that are going to influence what we do seven months from now?

Reid: Just to build from Susan's comments, which really are our spot on, it's, I think there are three things. One, at a national level, we need to be really conscious of things, and kind of circling back to the insurance question for a minute, like the proposal for a pandemic reinsurance act to provide that backstopping to the private sector, into the insurance sector, that's needed, much like what we developed after 9/11 with the Terrorism Reinsurance Act. And so, I think that at the national level, we need some public policy reforms to provide for the financial viability for these types of sectors and for the businesses to be able to respond from a commercial sense.

Two, I think that it's really going to be incumbent on organizations to be thinking about these emerging risks in a different light. So, for so long, we've thought about evolving, or the enduring risks and then if we really pressed ourselves, organizations would think about sort of how are those enduring risks evolving? But now, it's a question of what are those shocks to the system that we might experience and how do they matter? And we've got to provide better tools, and leverage the knowledge, so that the boards can make better informed risk decisions as they're going forward. That risk nine-box--the heat map that most boards look at--just feels incredibly inadequate in today's crisis. And so how we think through these interconnections, the dependencies, the risk aggregation, and then to be able to do so from a stress testing perspective, is just going to be absolutely critical as we move forward.

Marko:
Reid, thank you, very much, and really appreciate you joining us on the podcast today. For everybody who has listened to this podcast and the podcast series, we certainly appreciate the insights of some tremendous experts, both within the ICF family and our partners from additional companies like Reid Sawyer's group at Marsh, as well as others. The podcast series continues. We are pleased to have had an opportunity today to talk to you about risk management in the pandemic. We do have other podcasts planned. And we do have some more extensive webinars that are in the work, around things like duplication of benefits with multiple federal funding sources. We're also going to be looking very closely at how do we get to a new normal--really building on today's dialogue about what happens after the next wave and during the next wave and on? And how do we evolve our thinking in terms of how we operate, both from a governmental perspective and a corporate perspective--private sector--when it comes to dealing with the ever-changing risk platform and risk profile that we face, worldwide and in the United States.

Again, thank you very much for joining us today. icf.com is your place to go for information about this podcast, under our "Insights" section. We will be posting this podcast with the others, along with a transcript, and with some additional materials that should help link you to Reid's work at Marsh, as well as fact sheets that we have developed here at ICF, and federal agency information, state and local information, that you need in order to help make decisions and move forward. Thank you again for joining us, and we appreciate your listening, and look forward to your thoughts and insights.

Subscribe to get our latest insights