The COVID-19 pandemic has ripped a tornado-sized hole in most companies’ risk and crisis management systems. CSj talks to governance professionals about the lessons companies have learned, and need to learn, about worst case scenario planning.

Since the start of 2020, the outbreak of COVID-19 has brought unprecedented challenges to businesses in Hong Kong and globally. Increased workplace and travel restrictions, reduced consumer spending, delayed investments, disrupted supply chains caused by lockdowns, business closures and social distancing have all forced companies to rethink how they can survive in the uncertain business environment.

Moreover, the economic downturn resulting from COVID-19 is unlikely to be over any time soon. According to ‘Impact of the COVID-19 pandemic on Trade and Development: transitioning to a new normal’, a report published by the United Nations Conference on Trade and Development, the COVID-19 outbreak will push down the global economy by a staggering 4.3% in 2020 and could send an additional 130 million people into extreme poverty.

Governance professionals interviewed for this article agree that these challenges are a harsh reminder of the importance of being prepared for unexpected crises. ‘COVID-19 has highlighted how fundamental governance and crisis management is to boards and companies,’ says Andrew Weir, Regional Senior Partner of KPMG Hong Kong.

He adds that events like COVID-19 are rare ‘black swans’, and in the risk management universe, organisations tend to dismiss risks that feel remote. ‘The pandemic has reminded us that the unthinkable can happen and that risks that seem remote but which can have huge impact need to be assessed much more regularly. We need to challenge existing views and be prepared to think the unthinkable,’ he says.

What to do when the unthinkable happens

To navigate through a global crisis of COVID-19 proportions, Mr Weir points out that it helps have a working crisis management system and business continuity plan (BCP) in place. One of the first lessons of the current crisis, therefore, is the value of companies preparing ahead of time by ensuring that they have a functional BCP in place even when they do not foresee a crisis showing up in the near future. An effective crisis management system and BCP should address issues such as ensuring the well-being of employees, managing brand reputation, keeping resources and assets protected, and addressing any legal issues that may be triggered by the crisis. It should also ensure that stakeholders are informed of the policies and actions relevant to the crisis at hand.

Mr Weir believes that agile companies and boards in Hong Kong have generally adjusted themselves very quickly to the COVID-19 crisis, but he warns of excessive optimism while dealing with such crises. ‘In my experience today, when people are doing forecasts, there seems to be a tendency for forecasts to turn out much more optimistic than people expected. I think we always have to be on guard against excessive optimism. Always do very regular scenario training, and be prepared to look at extreme downsides and worst-case scenarios,’ he says.

Mr Weir also points out that BCPs need to be constantly updated, revisited and regularly tested.

Dominic Wu ACG ACS, Chairman of Asia Financial Risk Think Tank, echoes Mr Weir’s thoughts. He adds that when a crisis occurs, businesses tend to fall into reactive crisis mode and become too focused on immediate issues, but it is essential to review current crisis management and business continuity planning and to look ahead and consider new scenarios.

‘From the risk management perspective, businesses should do more scenario analysis, think outside the box, look at what happens in the market and the industrial players, think of every possible scenario and prepare for the worst case,’ he says.

Mr Wu explains that scenario analysis is a crucial exercise by the board, senior management and governance professionals. Organisations should think of a range of crisis scenarios that could negatively impact their business and then map out the company’s response strategy from stakeholder communication, operational contingencies and expense control to board involvement.

‘I would suggest companies come up with a “what if” analysis – asking “if this happens, how do we respond?” You then go through a decision tree to discover the likely final position and the impact on you. It is advisable to do these kinds of “what if” exercises once a quarter,’ Mr Wu says.

Preparing for and responding to a crisis

Respondents to this article also emphasise that internal cohesion among operational teams is a crucial component of an effective crisis management system and BCP. This is not always easy because communication, human resources, legal and operational teams are often used to working separately.

Mr Wu suggests businesses create a small, core crisis management committee drawn from relevant departments to make tactical decisions, communicate with staff and escalate important issues to the board level. ‘The most important thing is the communication right from the start, so there should be more online meetings and a portal for staff to communicate information. The crisis management committee should meet every day, collect all the relevant intelligence, respond to it and also communicate to staff in a timely and effective fashion,’ he says.

Mike Chan FCG FCS, FCPA, MBCI, Fraud Control Officer and Head of Operational Risk Management at a top Mainland banking group, handling the bank’s operational risk and resilience, believes that adopting a structured risk-based approach to managing risks is a key to surviving crises of the magnitude of COVID-19.

‘In determining the organisation’s policies in response to a black swan event like COVID-19, one of the factors that the board should take into consideration is the nature and extent of the risks facing the organisation, including cultivating the organisation’s risk culture. This is a way to describe the values, beliefs, knowledge, attitudes and understanding about risk shared by the organisation as a common goal. This applies to all kinds of organisations, including private companies, public bodies, governments and not-for-profits,’ says Mr Chan.

The ‘three lines of defence’ is a fundamental principle in a group risk management mechanism that should be discussed, regularly reviewed, documented and approved by the board. ‘When severe exposures are identified, we should immediately sort out what mitigation controls the organisation will implement and escalate the subject matter to senior management and board committees,’ he explains.

In addition, Mr Chan emphasises that agility in responding to a fast-moving crisis is essential. Using a top-down approach might involve calling in top management, advisers and subject-matter experts to hold crisis management committee meetings when urgent decisions and actions are needed. After decisions are made, responsible departments or units lay down their action plans with different milestones in accordance with their roles and responsibilities during the implementation of the business continuity plan. In a nutshell, organisational engagement, executive support, adequate resources, team dedication and a crisis management programme are core components for a business continuity program to succeed, he says.

The crucial role of communication

During a crisis, regular communication with stakeholders helps ensure business continuity. Thus it is now a good time to refresh any existing stakeholder mapping to identify priorities and tailor messages to each audience.

With the coronavirus outbreak, many international corporations have allowed flexible work arrangements and remote working to minimise the risk of transmission. Mr Wu points out that companies need to properly and transparently communicate the steps they are taking to give employees reassurance in a time of crisis.

‘Employee safety is a very important concern. Also given that people are now working for long hours at home, their mental well-being should also be cared for. Companies should provide resources and support, for example an adviser to speak to, and make sure that employees take enough rest during their work days,’ Mr Wu says.

In addition to ensuring the safety of employees and customers, companies also need to manage and communicate the operational and financial risks the crisis brings – in particular the risks associated with the disruption of supply chains. Companies have to focus on ensuring financial resiliency, in particular ensuring a level of liquidity that enables them to meet both short-term and long-term requirements, Mr Wu says.

‘Companies need to look at how COVID-19 has impacted their clients, those clients’ clients and third-party vendors to ensure that they can survive and still provide their services. Companies should remain in very close contact with them, understand their situation and resolve any issues relating to production commitments. When required, they should also consider alternative supply chain options,’ Mr Wu says.

Be vigilant against fraud and malpractice

Mr Chan points out that tough times often create opportunities for misconduct to thrive. He warns that companies need to stay extra vigilant to any red flags indicating fraud and malpractice. They should also maintain regular communication with police and regulators to get the most updated information or intelligence on fraud tactics, such as fake domain and phishing scams, impersonation frauds, and product and financial statement frauds. Moreover, sufficient staff training is also effective to prevent internal loopholes from being exploited.

‘The past behaviour of fraudsters shows that they are opportunists, or adaptable in their attempts to cheat both people and companies with new fraud schemes. Nowadays, the behaviour of fraudsters or opportunistic criminals has evolved. They are using the pandemic to quickly find new ways to exploit the vulnerability of unwary members of the public with various kinds of scams,’ he says.

Rejecting red-flagged business opportunities and reporting suspicious transactions are basic components of combating fraud. Fraud risk management teams are encouraged to deliver regular forums to share the latest news and guidance with staff members on the importance of fraud control management. This is an effective way to ensure that staff stay vigilant to the risks during COVID-19, and identify red flags and potential fraud in their daily business and operations.

‘I think the key success factor is to have a sophisticated risk management model embedded within a robust risk culture, which the board of directors should review at least annually. Keeping up good connections with regulators and market counterparts is also a golden parachute. Last but not least, having a clear idea of your objectives, what you have to do and what you need to protect – including employees, customers, property and assets – is highly beneficial in the current situation.’

The lessons for governance

Governance professionals have an essential role to play in ensuring business continuity during the current and future potential crises. Company secretaries in particular play a key role in ensuring directors have the information and knowledge they need to effectively oversee risk.

‘Governance professionals might not be the ones who directly deal with a crisis, but they need to be good advisers. They need to advise the board and senior management on how to provide oversight and manage the crisis,’ Mr Wu explains.

This means governance professionals need to understand regulatory guidelines and requirements that are always changing and evolving. They also need to be familiar with the external threats the organisation is facing. ‘Governance professionals have to do regular external environment scanning – identifying potential issues, and ensuring good and timely communication within the board and with staff members. Even during the disruption caused by COVID-19, regulators expect you to continue operations and clients have a high expectation of the services you provide them,’ Mr Wu says.

He adds that it is important for governance professionals to learn from each other. ‘Attend industry forums to get an update of what’s happening in the market, learn about best practices, follow regulatory developments, and really have an open heart and think outside the box. Think about what can go wrong and not just in terms of what you can see – a year ago no one would have foreseen COVID-19 and the current Sino-US tensions.’

While it is still too early to fully understand the long-term implications of COVID-19 for businesses, Mr Weir believes that the challenges brought by the crisis will accelerate positive developments in governance. ‘I think the world of governance will be very different in a couple of year’s time,’ he says.

Investors, regulators and stakeholders are increasingly concerned about governance and risk management and are asking for more disclosures from businesses. ‘Companies should consider additional voluntary disclosure on governance matters not required and requested by regulators; it helps stakeholders better understand the company and what it is doing,’ Mr Weir explains.

He adds that organisations often have a broader stakeholder network than they realise and that the board has a clear responsibility for all stakeholders. ‘So board effectiveness is a very important question,’ Mr Weir says. This in turn raises a number of important governance questions. ‘Is it enough for the board to meet once a month? Should there be more online communication at the board level? What is the board’s agenda? Does the agenda need to be revisited? Are the company’s governance policies and practices strong enough? These are very important questions to ask,’ he adds.

Mr Weir also predicts that the COVID-19 crisis will accelerate the existing trend towards purposeful and stakeholder-responsive governance. ‘Recognising what a company stands for and what its purposes and values are is more important than ever, because in three years time when people look back, people will not remember the crisis, they will remember how companies and boards behaved,’ he says.

The competitive advantages for businesses with positive environmental and societal impacts will also be more significant. ‘I think one of the outcomes of the crisis will be a massive acceleration of considerations of sustainability. Sustainability will become a boardroom level, governance and strategy issue, rather than a niche issue that it has been before,’ Mr Weir says.

He concludes that we are on a ‘one-way journey’ in governance, and the demand for governance expertise and good governance practices will grow exponentially, especially in Hong Kong with many new IPOs resulting in more listed companies.

Hsiuwen Liu

Writer and journalist