2020 has presented historic new challenges. But the scale and scope of the pandemic has also provided companies with some important new insights into security and risk management lesson they can use and apply going forward.
In this, the second in a series of posts covering the lessons that businesses can and should learn from a tragic and tumultuous 2020, we’ll review what the COVID crisis has taught us about risk mitigation.
Structural and variable
The first and perhaps most important 2020 risk mitigation takeaway is that it’s more important than ever to understand the difference between structural risk and variable risk. A global pandemic is a structural risk: the kind of crisis that is entirely out of your hands and impacts everyone. But understanding the nature of your variable risks, those created by the unique choices that individual companies make, is also critically important to understanding how to mitigate the full spectrum of risk that applies to your business.
For example, rioting and looting caused by social unrest is an example of structural risk. But a retailer’s decision to locate stores in vulnerable areas prone to damage or disruption in the event of a protest is an example of variable risk. Appreciating both sides of the risk mitigation coin is essential, because, ultimately, risk mitigation is the preliminary work that needs to be done to make sure your crisis management planning is effective. You need to know both your structural and variable risk factors and exposures before you can design that program.
Consolidation > fragmentation
2020 has also highlighted the dangers of one of the most common risk mitigation mistakes that businesses make: separating all the different security operations into different groups or programs. The result is a fragmented structure with what can feel like competing interests, a lack of coordination, and often competition for dollars and attention. The reality is that all for effective and efficient risk mitigation, all of the pieces of the security puzzle should be in on coordinated group: operations, risk management, security, environmental health and safety, product safety, auditing, etc.—all under one umbrella, ideally with one leader. The goal is to ensure a cohesive, coherent, connected and coordinated risk mitigation approach, where emergency planning and crisis management are informed by a comprehensive and clear-eyed view of a company’s risk landscape. That kind of unified structure also helps avoid situations where people are afraid to speak truth to power. Not wanting to be the one to tell the boss bad news is a common and frustrating impediment to effective risk mitigation measures, and getting essential information to the right decision-makers—without wishful thinking or watered down versions of reality—needs to be a priority.
Among the hardest lessons that 2020 has taught us is that an easy-to-overlook risk mitigation blind spot can have serious and even tragic consequences. Even companies and institutions that feel relatively well-prepared and have worked hard to introduce an appropriate level of risk mitigation into their emergency planning are vulnerable to not fully appreciating the ways in which a crisis could translate to real-world business, financial and health and safety outcomes. Even if you have a process in place designed to identify and address risk for your specific professional circumstances, taking the next all-important step and drawing risk mitigation conclusions isn’t always easy.
Finally, 2020 has shown us all how important it is for risk mitigation efforts to look ahead. To keep our collective heads and eyes up, constantly examining the environment and scanning the horizon for new and emerging risks. Clear-eyed risk recognition is a prerequisite for effective risk mitigation. It helps avoid unwelcome surprises, helps us to frame risks in a business context, and avoids the stale sameness that can lead to a dangerous risk mitigation rut and lack of vision.
While the current crisis has yet to abate, savvy security professionals and decision-makers at companies large and small are already starting to apply these invaluable risk mitigation lessons to their operations—working hard to make sure that the next crisis, while inevitable, is less impactful to lives and livelihoods.