
Why did risk assessments fail to prepare most organizations for the COVID-19 pandemic?

During the eruption of the Taal Volcano early this year, I talked to some organizations who commented
on how their risk management processes now included volcanic eruption as a significant risk. For most
organizations in the Calabarzon region, the risks posed by Taal were considered minimal since the
volcano’s eruptions in recent memory had not been very destructive. Lessons from the cataclysmic
Pinatubo eruption two decades ago had not been heeded since the areas most affected then were in the
provinces of Pampanga, Tarlac, and Zambales. Only after the January 2020 Taal Volcano eruption, which
caused companies in the Southern Tagalog region to suspend operations and the government to
declare a state of calamity, did organizations in the area start to think of such environmental events as
a significant threat.

Like the Taal Volcano eruption, the current COVID-19 pandemic also had a precursor almost two
decades ago with the SARS coronavirus epidemic that infected more than 8,000 people from 29
different countries worldwide. The effects may be considered limited compared to our current situation,
but the death toll of close to 800 people is still grim. Unfortunately, the fact that the world survived the
epidemic without greater economic impact might have made many organizations complacent about the
catastrophic effects of future outbreaks. For others, preventive strategies had been whittled down to almost
nothing in the two decades that followed as the world was beset with other events which had greater
direct impact on their operations and financial statements. The self-assured hubris that we can handle
future outbreaks or the resolute denial that it can happen to us had made us deaf to the many warnings
that experts had been issuing through the years.

When conducting workshops on threat identification, I have my clients determine all the threats that
they think can possibly prevent them from attaining their organization’s goals. Invariably, the first to
appear on the list are fire, earthquake, and typhoons. Fires are usually top of mind because companies
are required to conduct fire drills at least once a year and most, if not all, of my trainees have already
participated in them. With twenty typhoons visiting the Philippines annually and six to nine of them
making landfall, it would be hard to ignore this threat as well. Earthquakes also appear near the top as the
occasional news of destructive tremors here and abroad reaches the news outlets. Pandemics are rarely
mentioned, except when I conduct the workshops in healthcare institutions. When they do appear,
pandemics are usually given a much lower priority and placed at the bottom of the list.

I often mention to clients that the most important part of the whole risk assessment process is the
identification of threats since controls and action plans would not be created for threats that remain
invisible to the organization. The method by which organizations arrive at their list of potential threats
likewise has a bearing on how comprehensive their list of significant threats would be.

For many, brainstorming is the tool of choice in identifying threats, and with good reason. It is easy to
conduct and oftentimes requires only a small group of select people and an expert facilitator. According
to ISO 31010 [1], brainstorming is strongly applicable during the identification step of the risk assessment
process. However, brainstorming is only as strong as its participants' knowledge and the facilitator's
ability to stimulate ideas from each participant. In strongly hierarchical cultures, brainstorming
may be limited even with large groups because participants tend to shy away from expressing their own
ideas for fear of contradicting their superiors, among other reasons.

Risks are commonly expressed as a combination of consequence and probability [2]. Many risk assessment
methodologies use this definition in order to analyze and eventually evaluate the significance of risks.
Risk assessment teams would look at each identified risk and analyze how often it can occur (or
probability of it occurring) and what would be the potential impact of that risk to the organization’s
objectives. In the case of business continuity management systems, assessors are interested in threats
to the continuity of operations (i.e. operational risk) as well as other risks that can affect business
continuity (e.g. financial risk, legal risk, reputational risk). For pandemics, occurrences are (fortunately)
far apart, with the Spanish flu, which killed 40-50 million people in 1918-19, as the worst killer in the past
century. HIV/AIDS, which has killed more than 35 million, is still classified by WHO as a global epidemic
and still a cause for concern. However, better understanding of the virus has led to a reduction of new
infections by 40% since its peak in 1997 and less than 0.5% prevalence among adults aged 15-49 in all
regions of the world except Africa [3]. All the other epidemics in the past century had a lower number of
infections compared to the COVID-19 pandemic. The 2002-2004 SARS epidemic saw more than 8,000
infections with 810 deaths. In other words, most members of risk assessment teams are only familiar
with epidemics that had limited scope and effect, not fully realizing the catastrophic effects of a global
pandemic such as what we are experiencing now. Risk ratings therefore remained low and the threat
was evaluated as insignificant. Priorities were given to other threats that were seen as more likely to occur or
had had serious impact on the organization in the past. Threats classified as ‘insignificant’ are only given
proper attention if resources are readily available or if action plans can be easily implemented. More
often than not, organizations are careful in how they spend limited resources, and prudence dictates that
these are used in addressing threats that are more certain to materialize.

The past several months have been quite a painful learning experience for all of us. I hope that in the
spirit of continual improvement, we will be able to use the experience in preparing for the next
pandemic, which according to experts is going to happen, as well as to take a second look at how we identify
and assess other threats that may be lurking just around the corner.

Visit courses.eddams.com for elearning courses on ISO management system standards.

Get in touch with the author at info@eddams.com.


Notes
[1] ISO 31010:2019 Risk management – Risk assessment techniques
[2] ISO 31000:2018 Risk management – Guidelines
[3] https://www.who.int/gho/hiv/epidemic_status/prevalence/en/
[4] In this blog entry, I am using the definitions of the CDC for epidemic and pandemic. https://www.cdc.gov/csels/dsepd/ss1978/lesson1/section11.html
