Findings

The survey also found that just over one-quarter (26 per cent) believe that the virus will have little to no impact on their business.

Most respondents (56 per cent) rate themselves somewhat prepared, and 11 per cent said they were either relatively or very unprepared. Just 2 per cent of respondents believe their business can continue as normal, highlighting the huge range of businesses that could be affected by the outbreak. 

Elsewhere, 24 per cent of respondents expect little disruption, while the majority expect business to continue at a reduced pace (57 per cent), to be severely restricted (16 per cent) or to be discontinued altogether (1 per cent).

“This lack of confidence shows that many organisations approach risk management in an outdated and ineffective manner,” said Gartner vice-president (risk and audit) Matt Shinkman.

“The best-prepared organisations will manage the disruption caused by the coronavirus far better than their less prepared peers.”

The challenge lies partly in the ambiguity inherent to managing an emerging risk such as coronavirus, Gartner said in a statement.

VIEW ALL

“Organisations often have policies in place to deal with most risks, but they don’t activate them until it’s too late because no one is owning the risk or taking it seriously until it is fully manifested. The threshold for a risk to generate executive action is often too high to enable an effective response,” it wrote.

“Board members tend to deal with emerging risks by just assuming they will go away and instead focus their attention on what is most important today,” said Mr Shinkman.

“In good times this methodology is reinforced because sometimes emerging risks really do just go away. It’s when they don’t that problems inevitably emerge.”

Enterprise risk management

Having an enterprise risk management function in place means that an organisation is more likely to see risks coming and then mitigate the impact of those emerging risks more swiftly and effectively, Gartner submitted, saying that a focus on impacts rather than specific scenarios is best practice for ERM.

“It’s nearly impossible to predict exactly if or how a particular scenario will unfold or even when,” said Mr Shinkman.

“That’s what creates the ambiguity and often inaction around emerging risks. It’s much more effective to focus on potential impacts and how to mitigate them.”

The current pandemic provides a perfect example of how this approach works, Gartner continued, saying that “companies that wait until the emerging risk is already impacting operations and/or many employees will likely find themselves playing catch up and losing ground to companies that were better prepared”.

Companies can get better prepared, it argued, by considering what interim events could occur that would suggest that a pandemic, or similar emerging risk, is about to sharply increase in terms of its impact or likelihood.

“By using an ERM approach to identify and prepare for those specific events – and setting up mechanisms to monitor for them – the best companies are better positioned to avoid major disruption.”

Using an impacts-based method makes it very clear when to trigger a response plan and to start mitigating the effect of specific impacts on an organisation, it noted.

“Avoid constructing elaborate ‘what if?’ scenarios and focus on what is known,” said Mr Shinkman.

“Many organisations likely already have plans in place to deal with the types of disruption they are facing because of the coronavirus. The job of risk management is to ensure the right plans exists and make sure they get used at the appropriate moment.”