However, no organization has the resources to prepare for all possibilities. And, no matter how creative we are, we still can't imagine every one of them anyway. As it is said, "Things that have never happened before happen all the time." So, effective risk management is more than planning. It is creating the capacity to adapt to and recover from unexpected shocks, which is what we often mean when we talk about resilience. To me, successful risk management is as much about culture as it is about structure. My version of the saying "culture eats strategy for breakfast" is: "culture eats structure for breakfast."
Risk Management During the Pandemic
Our business continuity planning and testing helped us navigate the early days of the pandemic, but this event was far more extreme than anything we had practiced, and we learned many lessons. I highly recommend a recent paper by the Consultative Group on Risk Management that brings together insights from central bank experiences managing business continuity risks during the pandemic.
At the New York Fed, as we were changing where and how we worked, the pandemic's impacts spread to the economy and financial markets. In response to these conditions, the Federal Reserve System used our three-lines-of-defense risk model to build strong risk management into facility operations.
The first line of defense, the facilities teams, were responsible for understanding and managing their risks. The second line – my group (the Risk Group), the Compliance Function, and others – was responsible for independent assessment and oversight of those risks. And, the third line – our Internal Audit Group – was responsible for fully independent assurance.