Blindsided by how COVID-19 quickly dominated the planet? You're not alone. Fourteen months ago, the World Economic Forum's 2020 Global Risks Report neglected to include a pandemic among its major warnings for the year ahead.

The crisis has exposed not only the lack of foresight but the lack of effectiveness in mainstream business risk management policies.

Fewer than six out of 400 companies surveyed in 2020 legal filings said there was a potential pandemic problem, Rodney Irwin, managing director of redefining value at the World Business Council for Sustainable Development, said during GreenBiz 21. That's despite this being the second pandemic in 10 years, the fourth respiratory illness in 18 years, and numerous warnings from the World Health Organization, he added at the February virtual event.

"Let's stop predicting the future because we've proven we're incapable of doing it," Irwin said. "Instead of asking, as part of our risk determination process, how likely something is to happen, we ask a more cerebral question, which is, if it did happen, could we manage it? That's a very different question."

Reframe as vulnerability

Irwin looks back on 2020 with "somewhat rose-tinted glasses" because it has proven the need to take the relationship between nature and society seriously. And that leaves a tremendous opportunity to address ESG-related issues. The process of handling disrupted supply chains, shifts in demands and business models and modes of communication; governance and decision-making changes during leadership under lockdown.

"It's also made us realize that the consulting world's obsession with reducing everything down to the bare minimum, agility and removing all slack from our systems, doesn't give you any wiggle room when the chips are down," Irwin added. "So it's allowed us to reintroduce to the world of the business community this notion of what it means to be resilient, and not just to be agile."

If risk management is the responsibility of corporate boards of directors, they have plenty of reckoning to do in the coming months and years about the effectiveness of existing risk management procedures and policies. Gloria Santona, Of Counsel at Baker McKenzie in Chicago, detailed three related legal issues that businesses should note: disclosure; compliance; and litigation.

Consider disclosure

As for disclosure, investors expect more of it and at a more robust level, but they are also demanding goal-setting, with metrics and accountability. The U.S. government may mandate for more companies to open up, as signaled in February when Satyam Khanna became the first policy adviser for climate and ESG within the U.S. Securities and Exchange Commission. Diversity and human capital management are also likely to come under more scrutiny legally and by stakeholders, Santona added.

"The pandemic has raised a number of issues with respect to the way that people work, or the way that they're treated when they're ill," she said. "Boards of directors are going to spend more time thinking about corporate culture than they have in the past and, as well, probably there'll be more disclosure around that either in sustainability reporting or mandatory disclosure."

Consider compliance

COVID-19 illuminated problems with complex supply chains, and Santona said she expects a rise in demand for transparency particularly around human rights, labor conditions and corruption, as well as biodiversity loss and water risks.

Santona foresees the need for companies to talk with suppliers, even out to the third and fourth tiers, and to collaborate about climate change, identifying ways to harness renewable energy, reduce waste and streamline manufacturing and logistics.

"At the end of the day, it's really incumbent upon companies to scrutinize their compliance of their suppliers and align your suppliers with their own compliance practices," she said, adding that mergers and acquisitions will force more companies into due diligence as their supply chain networks balloon. Balancing efficiency with resilience, as well as considering operational risk, are likely to become more of a focus, too.

Consider litigation

Santona brought up an ongoing debate to watch in the United States in cases involving ESG. The question is whether states can regulate and try cases having to do with climate change. "As lawyers, we're concerned, because if there is no federal preemption, then there will be a multitude of litigation against the companies with respect to activities that they take that may be considered to be negative due to the climate change," she said.

The risks of not sharing

Santona described the "siloing" of information within a corporation as the biggest impediment to risk management. "One of the things that we think about from a legal perspective is whether boards are properly organized in order to think about these risks, and whether there is a mechanism or a method to ensure that the board is actually hearing about all the risks it needs to hear about," she said. 

Santona noted the importance of auditing and the promise of emerging technologies, such as distributed ledgers and the blockchain, which can trace the material origins and points of contact within supply chains.

Yet the most important factor is a senior management team that's open to discussion across functions and geographies, especially for vast international operations. Without that, progress in one country or practice may not be matched by another elsewhere. "It's a very much an 'all hands on deck' to get the best thinking together about how to manage these really complex problems," Santona added.

Bayer, for one, shows signs of moving toward such a direction. Its governance, risk management and ESG teams work together, and compensation for the board of management is tied directly to meeting sustainability goals.

When bracing for future disruptions such as a pandemic, it's important for companies to foster resilience within the communities it touches, said Gabriela Burian, global partnerships and multi-stakeholder platform lead at Bayer. "We were able to act fast because we have a plan for our resilience and engagement within our communities. But that being said, we really need to have a better plan for bigger impacts, and we are working on these."

In addition to its benchmark for 2030 to become carbon neutral, Bayer in January shared a goal to advance public health globally by boosting contraception access for 100 million women.

The power of metaphor

Bracing for big impacts organizationally may start with intimate conversations. Risk management is a human thing, Irwin noted. For example, you check the water temperature before you step into a shower, and click a seatbelt before you drive.

But what happens when risk management comes into the workplace, and how does it translate to an organizational process?

More than a decade ago, Irwin used a vulnerability management exercise called voyage mapping at courier company TNT (now part of FedEx). When the risk management team used metaphors to chart their journey, removing the barrier of language led to an outpouring of things people needed to say, he said.

"But then you change the conversation and say, well, that's the journey you've had, what is the one you want to have?" he said. "You've often heard the quote, 'If you always do what you've always done, you'll always get what you've always got.' So look at 2020 at the gifts that it brought us — it has given us a vision of 20/20 to know that we have to change, so that risk management can be an area that you go back and have a rethink of. Bring it to the attention of the board because ultimately they are responsible for this."