The COVID-19 crisis has clearly highlighted the fragility of start-ups. Unfortunately, they generally neither have the financial nor human resources to devote to preventive risk management. And a posteriori, they are neither equipped nor ready to implement crisis communication. According to Bertrand Mohr, Chief Risk Officer (CRO) for an American commercial insurance company, young companies should integrate risk management into their processes, even if this means additional expenses. We spoke to Bertrand to understand what risk management means for businesses after COVID-19 and how companies can prepare for when a crisis strikes.
by: Marc Auxenfants
featured: Bertrand Mohr
Listen to article (Part I)
Bertrand Mohr, what advice would you give to start-ups when it comes to risk management and crisis communication?
Risk management is above all 50% common sense. So I would say to them, “Keep it simple; ask yourself what you would do personally in the event of a crisis, and prepare yourself accordingly as if it were your family! ».
For crisis communication, I would advise them to adopt a transparent and honest approach. They need to admit their difficulties to their investors, suppliers, staff and customers. They must also be able to respond to their customers’ questions. If necessary, they must also accept that they will have to seek outside help. Being transparent and humble always pays off in terms of communication.
Do you think the COVID-19 episode will push start-ups to reconsider their approach to these subjects?
This episode will be a tremendous boost. I think that this crisis will indeed change mentalities, and push some of them to integrate risk management into their processes and budgets. The services of a risk manager are expensive. But they should be seen as an investment. It’s about having an expert who considers the worst for your business and company and is there to help you when problems arise.
Currently, a non-financial start-up can use external risk management consultants. Unlike regulated entities such as Fintech and Insuretech, which are required to have an internal risk manager. They often postpone this recruitment as long as possible because of the costs involved.
In the medium term, the crisis could lead to changes in the regulation around allowing financial start-ups to use outsourced risk managers.
“Even with mathematical formulas, we could never have predicted what has happened.”
What types of risks are start-ups most exposed to?
The biggest threat currently is the risk of cyber attacks, especially those caused by denial of services (DoS). Since the beginning of the crisis, phishing campaigns have multiplied.
Start-ups are forced to equip themselves with reliable security infrastructures. And, this comes with a cost.
Another basic consequence of a disruption is if the incubator closes during the crisis, the start-ups in which they are hosted must be able to continue to access all their data remotely and securely. This is also a situation that needs to be taken into account in their own IT architecture.
For its part, the incubator can also provide solutions, which the risk manager would normally provide: such as backup and fallback sites.
Generally, how does the CRO intervene in the company’s communication chain?
Risk managers are often perceived by management as ominous birds, who are paid to assume the worst. First of all, he does his usual job of forecasting and imagining all the risks that could threaten the smooth running of the business. With a view to continuing activities, he considers all the possible scenarios and works on solutions for each one.
He is also responsible for monitoring the health, safety and working conditions of the company’s employees. We can imagine what could happen to the company if, in the event of an epidemic, staff were unable to work. Once the risks have been identified, he assesses the possible responses and the resources available to date.
If he realizes that the company is unable to maintain business activity at 100%, he must able to reassure customers, partners, suppliers, bankers, and communicate that the intellectual exercise had been carried out before the event and that the company is currently doing everything to maintain continuation of its activities.
It is this preparatory work of the ROC, which will then be included in any crisis communication. It therefore provides the material for the communication managers.
The crisis emerges and evolves rapidly: how does the CRO intervene?
Risk management is not a static process; it is dynamic and highly reactive. The risk manager will be involved as soon as crisis communication unfolds. He is obliged to review his analyses and solutions on a daily basis. As the crisis unfolds, he may be led to give a new or different message.
Being reactive and adapting one’s crisis communication is important for a company’s reputation. Those who do not communicate expose themselves to an enormous reputational risk.
Listen to article (Part II)
Faced with the virus, companies are implementing solutions: containment, telecommuting, videoconferencing… These solutions also generate new risks. How does the risk manager intervene here?
Meetings are organised several times a week with the HR department, because situations of confinement or isolation can have an impact on staff morale and the work of employees.
The risk manager, who is in charge of the health and safety of employees in the workplace, is also involved in assessing risks and participating in crisis communication. He or she establishes risk indicators such as demotivation, depression, or non-productivity, etc and monitors progress.
Crisis communication is not only outward-looking. It must also be directed at the staff. The risk manager also works with human resources department in this respect. He or she participates in the development of communication content for employees – newsletters, Intranet, etc. – which will be published regularly.
The risk manager supports the morale of the troops and reassures them. There is also a willingness to communicate on all the financial and operational impacts that the crisis may have. We need to be transparent in order to reassure people. Some companies are also setting up a hotline to provide psychological assistance.
What lessons and insights have you drawn from the current crisis, in terms of risk management?
Confined employees are not always able to work during normal office hours. We could consider staggered hours for certain functions, which would make it possible to maintain activity, while making life easier for people in the future.
It will also be a question of identifying anything that has not worked at the level of processes or IT systems, for example.
“There will be a change in the frequency of a risk manager’s work. This will make the job much more visible, and his or her work much more recurring.”
Is there a before and after in a risk manager’s job?
To exercise this function, you have to have a preaching side and know how to handle defensive reactions from management and/or other departments. Very often, the risk manager sees evil everywhere, while management sees it nowhere. And in the end, people don’t take you seriously until the worst happens.
From now on, we will appreciate risk managers, who were once considered Cassandras, actually rack their brains, to consider the worst, in order to appreciate the best.
We’ve also realized that the role of the risk manager, which was previously obscure, is more important than we think. He or she is there to advise management, prevent and react to potential problems.
Do you also see changes in the processes and procedures themselves?
I think there will be a change in the frequency of a risk manager’s work. If we take the case of a small structure of ten people, the risk manager will continue to issue one report per quarter, and that will be sufficient.
In the case of larger groups, the reporting will become monthly. And we may even move to on-demand reporting: it will be as simple as pressing a button for all the indicators to be updated in real time. This will make the job of risk manager much more visible, and his or her work much more recurring.
Can technologies such as artificial intelligence help in forecasts?
This is a rather contentious topic. Our competence is our nose, experiences and sensitivity.
When I work on a risk theme, I open up all my senses and call on everything I have read, heard, or seen… I mobilize my personal judgment and free will: currently, robots do not have this.
What does the future of a risk manager’s job look like?
In risk management, we often resort to modelling, which is very practical because it allows us to envisage the worst on paper. Even with mathematical formulas, one could never have predicted what happened. Essentially, we could throw our formulas in the trash because the reality has gone beyond what we’ve predicted.
This situation, in particular, will change the profession because from now on we will have to consider even more catastrophic scenarios.
A think tank dedicated to risk management issues
In June 2019, Bertrand Mohr and a partner launched CLIRE, the Club of Luxembourg Insurers and Risk Experts. The think tank aims at fostering the insurance and risk management community in Luxembourg. The club is open to all risk managers, experts, individuals and companies interested. The group counts around 20 CROs. “We are already working on the lessons that can be derived from it so we can provide concrete risk management solutions for the future”, Bertrand Mohr explains.
