Part 2: Coronavirus: Lessons in Enterprise Risk Assessment

Sri Narasimhan
9 min read · Apr 7, 2020

In Part 1: Coronavirus: A Risk Manager’s toolkit we saw how testing for active cases, instrumentation and data collection are fundamentally critical to the management of COVID-19.

Part 2: Coronavirus: Lessons in Enterprise Risk Assessment prompts a serious look into Risk preparedness. How do we know we are improving our ability to manage Risk? Meanwhile, COVID-19 has moved on to Stage 2 of virulence. It is entrenching within the denser pockets of population clusters here in the US. It has the potency to dig in for the long haul.

Here is my take on Enterprise Risk Assessment in four distinct areas. In addition to a tour of the fascinating world of Risk, you will learn about key factors to assess Enterprise Risk. This is a key step before we take a deeper look into the actual Risk management Controls in Part 3.

[Figure: Enterprise Risk Assessment — A comparison of viral behavior, Q1 2020. Color-coded table of the four areas of Risk management against the assessment factors discussed below.]

At the end of Part 2, you will understand why I arrived at the above color-codes (your mileage may vary). You will also learn:

  • What is Enterprise Risk Readiness?
  • How does one assess Risk Preparedness?
  • What are the known and unknown Risks? Do we know them all?
  • What is at stake?
  • How can we measure progress? What is a North Star metric?
  • What is the maximum damage they can cause (the threat intensity)?
  • Who are the affected segments in the population?
  • What characteristics define them?
  • Can Policy Strategy be administered to affected populations?
  • What are our Expectations for Risk Management?
  • What is Risk Management Policy maturity?
  • What does Risk Management Agility look like?

I will focus on key Risk Assessment takeaways from the running toll — loss of lives, livelihood and living… but not before an open, honest and direct conversation.

We failed.

The onslaught of news has numbed our minds into submission. 100, 1,000, 10,000: these numbers seem to blur our senses. Thus desensitized, we are resigned to accepting larger orders of magnitude: 100,000, a million, then tens of millions? We are trying to grasp exponential growth with our linear minds, and many of us fail here.

The virus makes us look like Growth PMs at Facebook just before the Fake News scandal hit us, a scandal that followed a ‘Nothing to see here, except a lil potential election subversion’.

The past couple of weeks have demonstrated a significant weakness in Federal Crisis Management. Without a clearly articulated policy direction, variations in mid-level management of the crisis have compounded it. While some departments have excelled, others have lagged. And all the virus needs is to exploit this gift of time, grow exponentially and compromise the Public Health system.

To give you an idea of this exposure of a quarter million lives, consider an invisible enemy incinerating six large NFL stadiums filled to capacity with spectators in some macabre coordinated bombing on a Fall Sunday afternoon. I don’t quite know how else to put it.

But thankfully, this imaginary incident would not have happened, since we have detection, policy response and deterrence like fighter jets and other missiles that can be scrambled within seconds to neutralize any threat. The military forces, no doubt, role-play this scenario.

Yet, these are the numbers we are talking about when it comes to COVID-19. And to think we were given a 90-day head start to prepare for this. How are we going to get our heads wrapped around the final total of lives, livelihood and living lost when all this is done?

Policy, Scope and Segmentation

Usually any treatment response is based on segmenting the population, and then picking the specific policy to address current and predicted trends. Management of such a crisis can be simply broken down into two questions: What is the Policy, and what is the scope addressed by that Policy? We can cut the population across multiple dimensions. The key is to figure out the right combination of attributes that make up a certain segment. I will argue segmentation is so critical that the bulk of Risk Management is won or lost right in this step.

A quick and dirty way to learn a language is to speak it conversationally. Similarly, a quick and dirty way to learn Risk Management is to investigate different areas and compare and contrast Risk.

Let us consider the following four areas of Risk management where there is an element of virality.

1. Pandemic Risk — Is a unique Risk to the mortality of entire living populations. A disease is often transmitted by close contact or proximity. Typically anyone affected by a disease starts showing symptoms immediately. This is a clear indication of their potential capacity to infect others. But what if the disease incubates for a while and the symptoms are not clear, while the victim is already infectious? This and other factors lead to an inadvertent transmission of the disease.

2. Fintech & Financial Risk — a successful heist typically is followed by a runaway loss. When instrumentation is weak, massive financial losses can occur, because you don’t quite realize until it is too late. This can also happen when the Risk controls are non-existent. That is, you realize there are leaks, but you cannot do anything about it without shutting down the entire system. I have lumped together an entire swath of the industry. I am excluding the legacy banking & financial services firms partly because they have elaborate systems to manage Risk which are backed by the lender of last resort in that country, e.g. the US Federal Reserve.

3. Social networks/Fake News Risk — When you spot a news feed on any social network and respond to it by liking, sharing, re-posting or commenting, you have just unleashed virality. When a lie gets passed around multiple times, it becomes the perceived truth. When the fourth estate is subverted by a fifth, what is at stake is democracy.

4. Social networks/viral growth — What makes you share a TikTok video? When a firm or a product has mastered the art of evoking a strong emotion such that it compels you to share it with a friend, i.e. using your trust capital on behalf of this firm to draw on the opportunity cost of your friend’s attention, then it has succeeded in viral growth. It is a good thing — for the firm. Hold on — a virus of the good kind?

I picked the last one as a tongue-in-cheek reference to the time-tested Silicon Valley credo of viral growth. The contra risk factor is negative word of mouth resulting in lower conversion. Now that we understand what viral growth really is… do we need a different term to describe the erstwhile ‘viral growth’ (R.I.P.)? Ideas anyone?

I am not a medical expert. So this article is not geared towards recommendations on solving this medical crisis. This article seeks to draw learnings from this public health crisis into managing Risks that may not receive as much press. It gives a window into Risk Management and levers to control risk, especially to an aspiring Risk professional in the industry.

What is at Stake?

What is at stake? What is the liability? This is the first and, some say, the only dimension a Risk manager needs to understand and control. I beg to differ, since in my experience the Risk exposure always has a constraint factor to balance against — time, money, user experience, effort, complexity, regulations and finally agency (er, politics, if you will).

So what is primarily at Stake? Is it money, life, reputation (Net Promoter score, Goodwill, Relationships) or Engagement? If you examine these four vectors, you might conclude the last one is not actually a Risk vector. But it is: the risk here is not meeting the growth projections, and what is at stake is User Engagement. Turns out, the user’s attention is currency.

Who says ‘Time is NOT Money’?

North Star metric captures what is at stake

We need a North Star metric to track the efficacy of Risk Management reflected in a single measure. Any movement up or down indicates system behavior at any instant. Here are key North Star metrics for the four areas of Risk management we have selected:

1. Pandemic — active cases per 1000 (count)

2. Fintech Fraud Risk — loss in basis points (bps)

3. Social Network/ Fake News — prevalence (bps)

4. Social Network/ Neg. Growth — decrease in engagement, conversion (%)
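The four North Star metrics above are all the same shape: a harm measured against an exposure, scaled to a unit (per 1,000, basis points, percent). The example below, written for this post and not part of the original, computes that metric both blended and per segment, which is the point made earlier about segmentation: a blended fraud-loss number can look healthy while one segment is already in runaway loss. The transaction and county figures, the segment names and the 50 bps tolerance are constructed for illustration, not figures from the post.

```python
from collections import defaultdict
from dataclasses import dataclass

# Scale factors for the three North Star units used in the post.
PER_THOUSAND = 1_000   # active cases per 1,000 residents
BPS = 10_000           # basis points: 1 bp = 0.01 %
PERCENT = 100          # engagement / conversion change


@dataclass(frozen=True)
class Observation:
    segment: str     # population slice, e.g. "new_user/card_not_present"
    exposure: float  # what is at stake: dollar volume, residents, sessions
    harm: float      # realised loss: fraud dollars, active cases, lost sessions


def rate(harm, exposure, scale):
    """North Star metric: harm as a share of exposure, in the chosen unit.
    Multiply before dividing so exact ratios (e.g. 2 bps) come out exact."""
    return 0.0 if exposure == 0 else harm * scale / exposure


def north_star(observations, scale):
    """Blended metric over all observations (what a dashboard usually shows)."""
    return rate(sum(o.harm for o in observations),
                sum(o.exposure for o in observations), scale)


def north_star_by_segment(observations, scale):
    """The same metric computed per segment, so concentrated risk is visible."""
    buckets = defaultdict(list)
    for o in observations:
        buckets[o.segment].append(o)
    return {seg: north_star(obs, scale) for seg, obs in buckets.items()}


def runaway_segments(observations, scale, threshold):
    """Segments whose metric exceeds the tolerance: the ones that would hide
    behind a healthy-looking blended number."""
    by_seg = north_star_by_segment(observations, scale)
    return sorted(seg for seg, value in by_seg.items() if value > threshold)


# Constructed fintech sample: dollar volume and confirmed fraud loss per transaction.
FRAUD_SAMPLE = [
    Observation("established/card_present", 5_000.0, 0.0),
    Observation("established/card_present", 5_000.0, 2.0),
    Observation("new_user/card_not_present", 400.0, 0.0),
    Observation("new_user/card_not_present", 600.0, 30.0),
]
LOSS_TOLERANCE_BPS = 50.0  # assumed policy limit, not a figure from the post

# Constructed pandemic sample: residents and active cases per county.
CASE_SAMPLE = [
    Observation("county_a", 200_000, 150),
    Observation("county_b", 50_000, 400),
]

if __name__ == "__main__":
    print(f"blended loss: {north_star(FRAUD_SAMPLE, BPS):.1f} bps")
    for seg, bps in north_star_by_segment(FRAUD_SAMPLE, BPS).items():
        print(f"  {seg}: {bps:.1f} bps")
    print("over tolerance:", runaway_segments(FRAUD_SAMPLE, BPS, LOSS_TOLERANCE_BPS))
    for seg, per_k in north_star_by_segment(CASE_SAMPLE, PER_THOUSAND).items():
        print(f"  {seg}: {per_k:.2f} active cases per 1,000")
```

With the constructed sample the blended loss is about 29 bps, under the 50 bps tolerance, while the card-not-present segment for new users runs at 300 bps; only the per-segment view flags it. The same `north_star_by_segment` call with `PER_THOUSAND` gives active cases per 1,000 by county, and with `PERCENT` gives the engagement or conversion change.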

Expectations, Policy Maturity and Agility.

Expectations

- System Integrity Expectations is a measure of how the Risk, Trust and Safety platform protects the various Stakeholders, and of what their individual expectations are. For instance, citizens in a liberal democracy expect that the government institutions they pay into can be ‘called’ on time to protect them from specific threats: the Federal Emergency Management Agency (FEMA) in a natural disaster, the Centers for Disease Control and Prevention (CDC) in a pandemic, the Securities and Exchange Commission (SEC) to run a fair and efficient stock market, etc. There are areas where the Expectation has not been defined. It is unclear whether users of Social Networks or their Governments value privacy. But it is perfectly OK to pursue profit margins and grow your company by the rules defined by the Federal Trade Commission (FTC).

Policy maturity

- Policy making Authority draws a direct line of control to whoever makes the final call on the Policy strategy. If it is a known Risk and the goals are clear, then the Chief Risk Officer (CRO) need not be involved. But if this is an unexpected and unknown Risk and there is a possibility of a Runaway loss, then the CRO has to be looped in and notified about the progress all the way through to the mitigation strategy. Before Strategy execution, the CRO signs off to set the strategy in motion.

- Policy making Apparatus is a measure of the skills, depth, ability and proficiency to read the Risk as close to the truth as possible, draw insights, array various options to address the Risk and execute on the strategy. It is a quotient that combines Data visibility + Platform agility + Personnel ability.

Agility

- Overall System Maturity is a measure of the entire system as it responds to a threat: the entirety of detection, identification and isolation of the threat; segmentation of the affected instances to as granular a level as possible; the availability of various means to control the threat; proper analysis of differentiated policy ‘what if’ tradeoffs; formulating a response, aka the mitigation strategy; executing the mitigation strategy with the precise application of mitigation controls to the different segments; and the ability to monitor the efficacy of the mitigation strategy, i.e. test and control. And finally, the resources to mobilize system attention in the near term without compromising mid- to long-term risks.

- Regulatory Complexity evaluates the level of scrutiny and compliance regulations in a given country/jurisdiction. Typically, an elected or nominated body creates Regulations (the Fed). There are also intermediaries that can create rules to maintain the integrity of a network (VISA, MasterCard, AMEX). Alternately, standards are created by private industry consortiums (e.g. PCI-DSS, EMV) that members adhere to. Government Regulations are levied to protect the interests of the weakest actor in the system, usually consumers and small businesses (FTC, etc.), and are mandated by laws passed by the legislative body. Contravening these laws, rules etc. can result in fines, fees and, in the worst case, jail time.

- Black Swan Readiness is something I made up. Yet it is not new. The Fed regularly subjects its Banks to a battery of Stress Tests. These are mock tests to evaluate the readiness of vital players in the market and evaluate their response.

Which brings us back to the Enterprise Assessment Readiness table.

Do you agree with my assessment?

Here is how I arrived at these color codes. As I said before, your mileage may vary.

  1. System Integrity Expectations: The citizens of a country expect Pandemic management to be effective in controlling a disease. However, it is unclear what users of a Social Network expect. Are they resigned to the fact that their Privacy is the product?
  2. Policy making Authority: The ongoing drama highlights that the current COVID-19 Task Force’s Policy making Authority is severely compromised, whereas the three other areas seem to have a clear command and control structure to effect any policy decision.
  3. Policy making Apparatus: The Federal policy making apparatus (the capability to detect a disease cluster, the ability to have early data, the ability to draw insights, the ability to administer vaccines, the ability to treat patients, etc.) is satisfactory. However, it is unclear whether a social network has the capability to draw the right conclusions from whatever visibility it has, make the right decisions and execute on them.
  4. Overall System Maturity: Fintech fraud control seems to have a lead on the other areas simply because they have been in business for a long time without runaway loss. All factors that are examined here are green, indicating a strong maturity. Whereas, it is unclear whether social networks have a handle on controlling yet another 2016 phenomenon.
  5. Black Swan Readiness: While all four areas are challenged by a potential Risk they fail to spot on time, fintech seems to be the most equipped to have a sense of control over an unpredictable event.

— -

Part 3: Coronavirus: Lessons in Risk Management examines how to assess Risk Management Maturity.

Please add your comments below.

Sri Narasimhan

Making money move quickly, safely and cheaply. The book is 'Priceless' (pun intended). Views are my own.