One of the risks of the COVID-19 pandemic is that we will neglect other risks. They have not gone away! Indeed, the likelihood of their occurrence may have increased. Cybercrime is the most obvious current example. Whilst I have not seen any data, my perception is of more increasingly sophisticated phishing attacks^[1].

For those of us in risk-related work, COVID-19 has greatly increased our workload. Rightly, it demands our attention. But should we push the other operational risks to the bottom of the “to do” list? We cannot do everything. So, how can we prioritise our actions – now we are so time poor? My suggestion is to focus on how effectively risk controls are implemented for the most important risks.

Here is a suggested method:

First, identify the top risks that concern you most – no more than 10.

• “What keeps you awake at night” is often a way we conceive of these risks. We can call this risk prioritisation if we need to use some longer words!

Second, when you have made this choice, consider:

• which risk controls have the greatest room for human error, what activities, if performed less than adequately pose the greatest risks
• how often these activities are performed– the greater the frequency the greater the risk of error^[2].

Third, for the risks and risk controls identified:

• Do those who implement the risk controls (or treatments) have new responsibilities under COVID-19?
• Are there now fewer people available as a result of redeployment to other functions?
• Has the overall experience level reduced?

Having identified both the risks and more importantly the risk controls, what are we going to do about them?

We suggest that the risk discussion is built into other routine meeting agendas and events. Talk to your line managers who have responsibility for risk control activities. Do they and their staff understand their criticality? Do first line supervisors know how well these activities are being conducted.?

Finally, we cannot switch off the messaging about risk management for the (unknown) duration of the COVID-19 pandemic. If we do, it will be difficult to switch it back on. Nor can we do everything we would like to do – hence the need for prioritising our risk management actions.

[1] http://theconversation.com/coronavirus-pandemic-has-unleashed-a-wave-of-cyber-attacks-heres-how-to-protect-yourself-135057

[2] Adapted from James Reason, Managing the Risks of Organizational Accidents, Ashgate, ISBN 13: 978 1 84014 105 4, p91