Risky Business: Risk Management Lessons from COVID-19
Back in January, I volunteered to write this article on risk management. In March, the very definition of risk management changed for all of us when COVID-19 hit the state. Quarantine has given me more time to do one of my favorite things: listening to audiobooks on the topics of economics and finance. As I listened, I realized that there is a lot we can learn from these disciplines on how to assess and manage risk.
During the pandemic, the risk management decisions CPAs have faced both personally and in business have been complex, time sensitive and based on very limited and rapidly changing information. When decisions have to be made under these constraints, the field of behavioral economics calls it bounded rationality. Simply put, one can’t possibly know every potential outcome of the choices one makes and doesn’t make. Therefore, decisions are made based on the information on hand using, among other things, rules of thumb from one’s prior experiences and the experiences of others.
Extensive research studies will likely be conducted on why toilet paper became such a hot commodity. Was stockpiling toilet paper a rational response to the pandemic? Retrospect will tell us “probably not,” but no one knew that at the time — and no one wanted to be left without toilet paper! Often risk, by its very nature, is dealing in the unknown. How then does one manage risk?
Heuristics are experiences that are used to inform future decision making and behavior. For example, young children learn not to touch the stove because it is hot and can burn them. One touch of the stove when it is on and one most certainly knows never to intentionally touch it again. By extension, people learn not to touch other things that are hot, because they too can burn. One knows this without having to touch everything that is hot.
Experiences during COVID-19 have provided a heuristic on responding to pandemics, and this will certainly inform society’s response to future pandemics. However, some important generalizable risk management practices have also been learned and have formed a new heuristic on responding to any number of crises. When it comes to general liability, business continuity and financial management, there are some best-practice processes that should be considered for future incidents.
General Liability Risk
When reviewing guidance handed down from the state or other health authorities, read the word “recommended” as “required.” Think of the worst-case scenario where a claim is made against a company that has to defend itself at a trial. Would the company be able to justify all the steps to reduce risk that it took or didn’t take? Note that this shouldn’t be construed as legal advice, but it would seem that by taking all the steps that are recommended by an authoritative source, it would be hard to find negligence.
This is not just limited to a pandemic. Negligence is often legally judged by what an objectively reasonable, prudent person would do in that situation. Pointing to authoritative guidance will help to prove that a company’s decisions were not arbitrary and the company acted prudently and in a manner in which similarly situated professionals would act. When thinking about ways to reduce liability, some questions to ask are:
- Does your business have up-to-date standard operating procedures? Have all employees been trained on them?
- Are all of the business’s practices congruent with industry standards?
- What type of legal claims are being filed against similar businesses?
- Are you regularly reviewing business practices with legal and insurance advisors to minimize risk?
- Is the entity in compliance with all the covenants of your insurance policy to obtain coverage under the policy in the event a claim is filed?
Business continuity had previously been focused on how to continue operating a business when it is faced with a catastrophic event such as a fire or flood. In those disaster scenarios, the damage and effect is often localized to an individual business or region. Not many business continuity plans considered how to run a business when the whole world has to shut down. Technology clearly plays a critical role in helping to operate businesses remotely. During the pandemic, some or all business functions had to be performed remotely for extended periods of time. Beyond that, the fragility of supply chains was exposed. Materials that used to take a day or two to receive were taking weeks or months to come in. To evaluate continuity of operations, consider the following:
- Does your technology infrastructure support a majority of operations being performed remotely?
- What redundancies are in place from the perspective of both human and technology functions?
- What critical jobs must be performed onsite? How will you perform them if only a fraction of the staff can come in?
- Are all back-office functions able to be performed remotely, such as payroll, benefits and audit?
- Where do all of your supplies and materials come from? Are there alternate suppliers that can provide the necessary goods if the supply chain is disrupted?
What happens when a company’s revenue unexpectedly takes a significant hit? Small and midsize businesses throughout the state were likely shocked to find out that their business interruption insurance might not cover the loss of revenue from a closure due to a pandemic. While insurance can be a hedge against loss of income, even under the best circumstances, payments are not immediate. To protect against a sudden loss in income, it is important to have an emergency reserve fund. In calculating a reasonable emergency reserve, include the following:
- Fixed costs that will occur irrespective of operations, i.e. rental expense.
- Payroll and benefits — how long can you pay employees if money stopped coming into the business? If layoffs are inevitable, how much runway is needed to pay those associated costs?
- Recurring debt and lease payment obligations.
Dealing in the unknown is the essence of risk management. Savvy professionals will use the experiences during the pandemic to improve upon the management of future risk. Before too much time goes by, reflect upon lessons learned and determine how they could be applicable to the entire organization. Reflection and after-action reviews are critical steps great leaders take to enhance risk management.
This article appeared in the September/October 2020 issue of New Jersey CPA magazine. Read the full issue.