Corporate risk management and COVID-19
In this article, Mariya Ivanova reviews the accounting literature on risk management and pandemics. She finds that companies that have an explicit corporate risk management policy and experience of previous pandemics (e.g. SARS or swine flue) are more positive and perform better compared to peers. As such, companies should not only deal with COVID-19 short-term but should also carefully implement more long-term risk management practices (e.g. routines, Chief Risk Manager, specific risk committee on the board etc) to improve shareholder value.
The World Health Organization declared COVID-19 a pandemic on March 11, 2020. This novel coronavirus disease has since become the greatest threat to business continuity for many companies around the world. Amidst the uncertainty and volatility caused by the pandemic, many companies are experiencing a severe drop in consumer demand, disrupted supply chains, employee absenteeism, and impending financial distress. However, a looming question many are asking is whether companies should have been better prepared to cope with the business impact of the pandemic. While few could have predicted the unparallel impact of COVID-19, evidence suggests that some companies recognized the risk of infectious diseases on their operations long before any mention of the disease and were better prepared than others to respond swiftly to an imminent crisis.
The threat of pandemics is not new. In fact, the list of deadly viruses that have affected the modern world is already alarmingly long. For example, in 1918-1919, at least 50 million people died from the Spanish flu. In 1957, the Asian flu resulted in around 1.1 million deaths. In 2009, the swine flu caused more than 150,000 deaths and the 2014-2016 Ebola outbreak resulted in more than 10,000 deaths. Naturally, prior outbreaks, especially the more recent ones, should have served as a wake-up call and motivated companies around the globe to be better prepared for an outbreak. In 2005, the Centers for Disease Control and Prevention in the US and the Civil Contingencies Secretariat in the UK published guidelines to help companies better prepare for a potential pandemic by establishing policies for protecting employees’ health and well-being and limiting the impact on shareholders, consumers, suppliers, and business partners. Similar guidelines were posted by agencies in other countries around the globe. Nevertheless, the number of companies explicitly recognizing the risk of pandemics and having policies to respond to it before the COVID-19 outbreak is surprisingly low. In a research note, Tim Loughan and Bill McDonald, both at the University of Notre Dame, report that in 2018 less than 21 percent of the US listed companies in their sample recognized the risk of infectious disease outbreak as an important factor that could affect their operations. Moreover, according to Nordic Compass, a research database, only three Swedish listed companies had pandemic policies in place in 2018 –Atlas Copco AB, Sandvik AB, and Probi AB.
An important question is whether the preparedness of the companies, that is, the presence of existing corporate policies related to pandemics, mitigated the negative effects of the pandemic on their performance. A recent working paper by Tarek Alexander Hassan at Boston University and colleagues suggests that indeed this might be the case. In particular, the authors find that firms that have been exposed to an infectious disease (such as SARS or swine flu) before, and hence were more likely to recognize and be prepared for the risk of disease outbreaks, expressed a more positive (less negative) outlook during the conference calls amidst the COVID-19 outbreak about their future operating performance than firms without previous exposure. Anecdotal evidence also indicates that companies with existing risk management policies related to pandemics responded swiftly to the COVID-19 crisis. Nike Inc., a sports apparel and footwear company, for example, has significant operations in China and has acknowledged in its financial reports the risk of infectious diseases as an important factor that could affect its operations long before the spread of COVID-19. While the pandemic necessitated the closing of more than 5,000 Nike retail stores in China as well as most of Nike’s physical locations in Europe and North America to comply with lock-down requirements, Nike swiftly launched a digital marketing campaign and leveraged its existing activity apps and e-commerce network. Thus, Nike was able to deliver a healthy 5% revenue growth during the quarter that ended on February 29th, 2020, albeit at a lower profit margin. In contrast, many of Nike’s rivals struggled. For example, Under Armour Inc. recorded a 23% decrease in revenues during its first quarter in 2020. Under Armour had allocated around 13 pages to disclosures of risk factors in its 2018 10-K filing with the US Securities and Exchange Commission, yet without any reference to risks of infectious diseases, pandemics, or similar.
How can risk management contribute to a company’s performance? Effective risk management encompasses identifying, evaluating, managing, and disclosing risks that could have significant financial, operating, or reputational impact on the company. Theoretically, timely identification of potential risks should improve decision-making and organization-wide preparedness to respond to a crisis, should it occur, thus resulting in lower earnings volatility and fewer earnings surprises. Additionally, disclosure of identified risks should create value by enhancing transparency and reassuring investors that the company is adequately prepared to respond swiftly to potential adverse events. Critics of mandated risk factor disclosures argue that such disclosures are boilerplate and hence do not provide useful information to stakeholders. Moreover, companies are not required to assess the probability that a disclosed risk will be realized and the impact that it may have on their operations. Yet, academic studies suggest that such disclosures are value relevant and that firms’ existing risk management practices contribute to better performance. For example, in a 2014 research article published in the Review of Accounting Studies, a peer-reviewed accounting journal, John L. Campbell at the University of Georgia and colleagues provide compelling evidence for a sample of US firms that shows how risk factor disclosures are meaningful and informative about the idiosyncratic risks faced by firms. Such disclosures thus help reduce information asymmetry and enhance investors’ decision-making. Studies conducted in other settings echo these findings and report a positive association between the implementation of enterprise risk management programs and firm value. Additionally, appointing a chief risk officer, who oversees a broad range of resilience planning and risk management practices, signals a strong commitment to risk management and allows for a coordinated organization-wide response to a threat. More recently, in a 2020 study, Muhammad Farhan Malik at The University of Western Australia and colleagues, examine the role of a board-level risk committee and suggest that having a high-quality risk committee, which they define in terms of committee’s structural characteristics and composition, strengthens the positive effect of risk management on firm performance. Hence, while there is no off-the-shelf playbook on how companies should respond to important risk factors, academic literature indicates that having a well-established comprehensive risk management program, a designated chief risk officer, and a high-quality risk committee allows for a better safeguard against adverse events, ensures lower volatility, reduces information asymmetry, and promotes better performance.
In conclusion, most firms did not recognize the risk of pandemics as a potential threat to their operations and financial position despite previous disease outbreaks. While few anticipated that a virus could cause a crisis of such extraordinary proportions, some were warning that the risk should not be dismissed and cautioned that the world was not ready to cope with the outbreak of an infectious disease. For example, in a 2015 TED talk, Bill Gates raised concerns that the greatest threat to humanity was a devastating pandemic and urged decision-makers to prepare to respond to such a crisis when it happens. Will the preparedness level after COVID-19 be any different? Given the unprecedented impact of COVID-19, risk management and resilience policies will become more important to investors and employees alike. While in the short-term, most efforts are focussed on maintaining business continuity and ensuring swift recovery, in the long-term, companies should reassess their existing risk management frameworks and enhance their risk management practices. Measures such as including to a greater extent the corporate boards in this process and designating a chief risk officer or a committee to ensure high levels of diligence and corporate oversight will contribute to a company’s preparedness. There is certainly no one-size-fits-all approach that companies should follow. However, they will be expected to be better prepared, not if, but when the next pandemic hits.
Campbell, J. L., Chen, H., Dhaliwal, D. S., Lu, H. M., & Steele, L. B. (2014). The information content of mandatory risk factor disclosures in corporate filings. Review of Accounting Studies, 19(1), 396-455.
Hassan, T. A., Hollander, S., van Lent, L., & Tahoun, A. (2020). Firm-level exposure to epidemic diseases: Covid-19, SARS, and H1N1 (No. w26971). National Bureau of Economic Research. Available at SSRN: https://ssrn.com/abstract=3566530 or http://dx.doi.org/10.2139/ssrn.3566530
Malik, M. F., Zaman, M., & Buckby, S. (2020). Enterprise risk management and firm performance: Role of the risk committee. Journal of Contemporary Accounting & Economics, 16(1), 100-178.
Mariya N. Ivanova is Assistant Professor at the Department of Accounting at Stockholm School of Economics and Affiliated Researcher at Mistra Center for Sustainable Markets (Misum).