COVID-19: What risk functions can do right now

Start adding items to your reading lists:
Save this item to:
This item has been saved to your reading list.

How risk professionals can help develop a response strategy to prepare for the weeks and months of coronavirus ahead

Risk professionals try to prepare for everything, but few imagined that they’d have to prepare models for a global pandemic that strikes swiftly and broadly and has no clear endpoint. Yet, even in an unprecedented situation like COVID-19, risk management, compliance and internal audit specialists can still help their organizations manage risk, while also preparing for the day when normalcy returns.

In this fast-evolving situation with many moving parts, the key is to take an agile approach to business continuity and broader risk management. Here are a few questions that risk executives should answer to support that approach. 

Six key risk management considerations

  1. Where did pandemic risk fall within the latest risk assessment results, and has a risk interconnectivity analysis been completed to understand other key business risks triggered by the pandemic risk?
  2. Are technology tools being leveraged for consolidated risk reporting, including the rapid development of key risk indicators that are specific to pandemic risk?
  3. In light of the pandemic risk event, is there a need to review the current risk appetite framework with the board and senior management in order to understand the impact on the company’s current risk profile?
  4. Are current internal audit and second-line risk function testing plans being reevaluated to ensure they adequately cover pandemic risk elements?
  5. What risks have emerged (such as heightened cyber risks due to a remote workforce or a third-party response to the pandemic) that need to be addressed, and are there protocols in place to report, aggregate and analyze emerging risks as this situation evolves?
  6. How will COVID-19 impact your controls reporting to stakeholders and your service organization’s controls reporting to you?

Crisis management and response

  • What is your company’s readiness to react and respond to COVID-19 … and the next pandemic risk event?
  • Where are the repositories of data (such as inventories of third-party vendors) across the company that will need to be managed throughout the crisis?
  • Given the reliance placed on third parties, what is the state of your top third parties’ crisis management and business continuity plans?
  • Is your company prepared with plans to deal with longer-term disruptions based on a pandemic risk event?
  • How is the company monitoring and acting on guidance and requirements from outside authorities, such as the World Health Organization (WHO) and Centers for Disease Control (CDC)?
  • How are you communicating internally and externally:
    • How is your company adapting its crisis management communication plan specifically for a pandemic risk event?
    • Has the board been kept apprised of the pandemic’s impact on key business risks and strategy?
    • How is the company monitoring external news and escalating appropriate information to decision-makers?
    • Is management aware of regional offices, vendor partners or other relevant third parties that are appearing in the news related to the pandemic risk event?
    • How are inquiries from the press and other third parties being managed and monitored?

Learn more


View more


  • Does your company have a geographic-based mobility strategy and plan to move to a fully remote workforce, and does it support a long-term mobility situation for employees?
  • Have employees been adequately trained on how to work remotely?
  • Is there a mobility playbook that employees can reference to stay aligned with company guidance?
  • Is the IT, video and telecom infrastructure adequate to support the remote workforce for a sustained period of time?
  • Are there processes that can monitor employee productivity while remote?

Learn more


View more

Operations and supply chain

  • How is scenario planning being leveraged to help management understand the operational impact of pandemic risk?
  • Which alternative suppliers can you turn to in case there’s significant disruption to the supply chain, and are there substitution plans for parts and raw materials?
  • What readiness plans do priority suppliers and other third parties have in place to protect themselves and maintain creditworthiness?
  • Has an impact assessment been completed for significant projects (e.g., M&A activity, system implementations, reorganizations) to understand the pandemic impact on their success?
  • How are project managers and teams prepared to work remotely? Do they have the right guidelines and tools to keep projects moving forward?

Learn more


View more

Risk leaders should also consider discussing with the CEO or CFO risk issues related to finance and liquidity, tax and trade, and strategy and the brand.

The bottom line

To foster an agile approach to COVID-19 — and the new normal that will emerge — risk executives should increase collaboration across risk functions and leverage new technologies and tools. By increasing the speed and accuracy of data collection and analysis, these tools can help swiftly provide risk insights to the business to support informed decisions.

COVID-19 has reminded everyone that pandemic risk is real and capable of changing a company’s risk profile quickly. It has also made clear that organizations must have a plan to manage and monitor all serious risks, and be prepared for those risks to escalate in the future — regardless of how unlikely that may seem at the present time.

Risk executives need to help manage the threat from COVID-19, while having a seat at the table with other members of senior management. They must also ask the right questions today to support a recovery later … and prepare for the next major risk event.

Contact us

Brian Schwartz

Partner and Primary Author of the Global Risk Study, Risk Assurance, PwC US

Seth Rosensweig

Integrated Digital GRC Leader, PwC US

Mike Maali

Internal Audit, Compliance & Risk Management Solutions Leader, PwC US

John Sabatini

Risk Assurance Leader, PwC US

Todd Bialick

Deputy Risk Assurance Leader, PwC US

Tom Snyder

Risk Assurance Clients & Sectors Leader, PwC US

Scott Greenfield

Digital Risk Solutions Leader, PwC US