In a preview of her session at the Aug. 11 PICPA CFOs and Controllers Conference, Melissa Bradley Musser, principal, risk and advisory services, for GRF CPAs & Advisors, discusses how the coronavirus pandemic has affected the exercise of enterprise risk management. She explores best practices during times of great difficulty, current top threats, and more.
By: Bill Hayes, Pennsylvania CPA Journal Managing Editor
If you could take a before-and-after photo of the accounting profession, you would find so many aspects have changed due to the coronavirus pandemic. Enterprise risk management is no exception. Today, in a preview of her session at the 2020 PICPA CFOs and Controllers Conference, presented via webcast on August 11th, Melissa Bradley Musser, principal, risk and advisory services for GRF CPAs & Advisors, explores the ways that COVID-19 has affected risk management, lessons learned during the pandemic, risk mitigation strategies, and more.
As we take a look at this, we'll start with a general question: how has COVID-19 changed the way that you approach your work?
[Musser] Well, when engaging with clients, typically we're helping them with risk management, particularly we're talking prospectively, about the future, what can they do to prevent things from happening? But right now we're really talking about, okay, putting out some fires right now. We're in a worldwide crisis in the here and now. We're really looking at, currently, what can they do? But then also, what is your future like? Your strategy may have changed overnight. We like to try to focus on what are the top risks to your strategy, and never really before have I seen a strategy shift so quickly. Obviously, your risks then shift as well, not just the risks that are going on, but risk to your long-term strategy. That's really the biggest change that we've seen right now.
Could you give us an overview of what some of the current top threats are in the area of enterprise risk management?
[Musser] Obviously, depending on the organizational context, these can change greatly. But human safety is number one. Organizations really should be coming up with a detailed COVID plan. We talk about risk appetite in the enterprise risk management world. The thresholds for human safety should be zero tolerance, right? That's the number one thing to be concerned with: documenting those COVID plans that you have in place to make sure you're complying with them.
Then, also business continuity, cashflow issues, key individuals, succession plans, and really understanding key vendors and suppliers as organizations outsource more, which is a good thing. But now, we have to think about, okay, well, what's going on with those vendors or maybe even the vendors' vendors. That's going to be a really big deal right now, to be looking at as this continues to play out.
Cybersecurity continues to be top of the list of top concerns. But now strategy more than ever, really talking about, okay, how has your strategy changed? Digital transformation was a big talking point for me last year, I would say. If you don't digitally transform, you're going to end up … for example, we like to throw Blockbuster out there. You have to think about, okay, maybe they were doing risk management, but they missed what was right in front of them if they were really to look at their strategy. Digital transformation is big, but really I was thinking organizations may have had more time and then COVID hit and those organizations that were already digitally transformed or able to more nimbly, digitally transform have been slightly more successful in looking to recover from it.
Are there best practices out there for how organizations can reduce risk during times that are a little more difficult?
[Musser] As far as best practices go, enterprise risk management is a really good tool as far as the best practice goes, in a way that it keeps one individual or the loudest person in the room from dominating the conversation. It's a formal methodology for coming up with, "Here are our top risks through the lens of strategy." If you have a methodology based on likelihood and impact of certain events happening, you have a team that's meeting and looking at this, and then you're able to say, based on this formula, and through looking at this benchmark against strategy, "These are the top, let's say, three things that we need to focus on right now." Then you can report that up through to your leadership and then look to get funding or the okay to move forward with these certain risk mitigation procedures, because everybody has got limited bandwidth and you can be running all over the place, putting out fires. It really helps to have some direction like, "Okay, this is what we need to do."
I've seen a lot of organizations, obviously, stop expenses right now, but then there's others that I've seen have said, "Let's move forward with this website revamp. Let's move forward with this digital transformation because this is going to be the new way we reach people." I believe they've taken that look at strategy and said, "This is what makes sense."
Another best practice, and this is where I think the ball gets dropped, is holding individuals accountable. I think that's incredibly important. For example, we'll hear people say, "Oh, well, risk mitigation is not part of my job. I've got too many other things going on." We're suggesting to organizations to really put risk management responsibilities into the job description. Not only that, but a part of the annual evaluation process, what was that person's role in identifying risks and also mitigating risks and helping them understand that this is the responsibility of the entire organization, not just the risk officer or the CFO. It's everyone's responsibility. Really getting everyone to buy in and understand that is really what ERM does. It becomes part of the culture of the organization.
Could you give us one way that you think organizations can best improve their approach to risk management?
[Musser] Focus on strategy. There's two frameworks out there. There's COSO and then there's ISO. These are ERM frameworks. I believe it was 2017, 2018, they revamped the frameworks and there was this big emphasis on strategy. So I have been spending the last couple of years really talking about that, but now it is just more than ever clear as day that your strategy may have changed overnight, so your risks may have changed. I think that's the number one thing.
Cybersecurity may be a big risk. You hear about it a lot of times, maybe a big risk for somebody, but it may not be your number one risk. Have you looked at strategy? Maybe it's identifying key individuals or making strategic hires. Maybe that's your number one risk. Maybe that's the number one thing you need to be focusing on. I know you don't have a lot of money to spend right now, so where really should that be, and it's not going to be the same for every organization's context. It's so important to really look at your strategy and where you're going before you make any kind of risk mitigation decisions, because obviously money is of limited supply these days.
In your opinion, I wonder, has ERM expanded because of COVID-19 or is this what enterprise risk management has been preparing organizations for?
[Musser] It's been preparing organizations for this. For example, typically when organizations may think of risk management, they're like, "Oh yeah, we're doing it." And they are. Typically, it may be more in silos. Your IT team does their risk assessment, finance has their risk assessment, HR, and that's all great, but it really needs to be an enterprise-wide approach. And I think with COVID, we've seen more than ever entire organizations coming together and meeting, which is what we suggest in ERM, having a committee that meets maybe monthly or quarterly, depending on what's going on. That team needs to be made up of IT, HR, marketing, finance, operations, everyone coming together and discussing what the risks are and what's going on with the organization and with COVID. That's what we're really seeing, we're seeing everyone come together to try to really overcome what's going on right now.
I think that's really expanded ERM, because now that these groups are already meeting, they might as well just keep going. Don't stop meeting. The next risk is just down ... as we've seen, risks are so rapid these days that, really, ERM isn't just about finding out the risks you have right now. It's being able to more nimbly and quickly respond when the risk that's going to happen tomorrow is inevitably going to happen. You're going to be able to respond a lot more quickly because you have these connections throughout the organization.
What we found is, for example, if you come up with a mitigation … so before when it was in silos, let's see, IT comes up with a mitigation or finance comes up with a mitigation, but when you're looking at enterprise risk management holistically, that one mitigation might actually resolve several risks. You're actually saving money and time and thoughtfulness through coming up with risk mitigation plans that actually tackle a lot of different risks when you've got everybody in the room, discussing the plans for the future.
What would you say is your favorite thing about working in ERM? What is it that draws you to it?
[Musser] I love being of service and I kind of love that it's really an art, not a science, but I love to link the strategies. So it's like an inverse relationship. Let's say you have a risk, that risk is likely going to affect your strategy and your change in strategy is going to affect your risk. Ultimately, what I would like to see is when an organization is redoing its strategic plan, I think risk ERM should be running concurrently with that. I think that should be part of the conversation and I'm really hoping to see that change over the years. But I love that synergy between strategy and risk. I think that's really where it's at, and that's what I'm really passionate about.
What would you say is the biggest takeaway from the pandemic and the relation to enterprise risk management that you'd like to share with our audience?
[Musser] I mean, you can do this. That's the big takeaway. Get started, don't be frozen, and change can actually be good. You're already in a state of flux. Why not keep the change coming? Maybe do that strategic transformation that you've been needing to do that maybe you've kind of always seen coming at you in the future, but you've just kind of got your head in the sand and you're working really hard. We're seeing organizations do this. A lot of them are making changes that honestly should have been done a long time ago. They're taking this opportunity now to make those changes because they have to. It's gotten to that point.
Take advantage of being in flux. Your employees, a lot of times they're resistant to change. They're in a total state of change right now. A lot of them are actually liking working from home, at least some. Not everybody is working remotely, but you can see people are adapting to change. Maybe try to take advantage of that right now and make some really good progress to the future because the world has changed. Your organization should change with that and take advantage of this time to do so.