The Challenges and Opportunities for ERM Post-COVID-19: Agendas for Future Research

: In this paper, we examine the impact that COVID-19 has had on enterprise risk management (ERM). Guided by the origins and philosophy of ERM, we suggest an agenda for future research on ERM in a “post-COVID-19” reality, by addressing its integrated, strategic, and value-enhancing orientation. To guide future research endeavors in ERM, which is still an evolving discipline, we present topics that would beneﬁt from additional research attention within both risk identiﬁcation and analysis, as well as the strategic dimension of ERM.


Introduction
Pandemic risk has been long recognized as a focus of risk management in practice; however, the COVID-19 pandemic has shown that generic pandemic risk was underestimated in both magnitude and dimension. Enterprise risk management's (ERM) role is to evaluate and define the risks that may affect the organization's success in achieving its strategic objectives. ERM does this by helping the board and managers understand the organization's risk appetite, identify risks, assess the risks impacts, develop a risk response, and finally communicate and monitor the risks. Ultimately, ERM is responsible for helping boards and management create, preserve, and realize value. COVID-19 has shown that pandemic consequences are difficult to reliably estimate and the persistence is difficult to define. In this respect, pandemic risk should be perceived in terms of a severe threat to an entity's overall strategic objectives and suggests that many organizations' risk management approaches may need substantial reexamination.
Not surprisingly, the COVID-19 pandemic has become a focus for risk management professionals and will likely remain the focus of businesses, governments, and academics, as it has caused challenges and stresses for ERM. A major question to be examined is whether organizations that viewed ERM as part of their strategic initiative can use ERM processes and methodologies to safeguard enterprise aspirations, capital, and performance while reducing variability in these measures.
The concept of ERM is a relatively recent phenomena, with an evolving research agenda. As highlighted recently by Anton and Nucu (2020), the COVID-19 impacts emerge as a relevant gap that needs to be addressed by the ERM-related literature. Thus, in this paper we conceptually identify the main challenges for ERM in a "post-COVID-19" reality. As the ERM philosophy calls for an integration of strategic oriented and value-enhancing processes for identifying, assessing, and managing risk, we develop suggestions for future research endeavors within these aspects. Facing the current stage of the ERM-literature development, our study will add to the emerging discussion on enterprise risk management in a pandemic environment.
In Section 2, we briefly discuss the main features of pandemic risk and we address the specific features of the COVID-19 pandemic. In Section 3, we provide an overview of the ERM process and identify the related challenges and opportunities for ERM in a "post-COVID-19 world". In Section 4 we conclude, by suggesting areas for future research.

The Features of Pandemic Risk
Over 100 years ago, the world was threatened by the Spanish Flu Influenza pandemic, which resulted in approximately 500 million infections and an estimated 50 to 100 million deaths (Madhav et al. 2017). Following the three waves of the Spanish Flu influenza, the world experienced a notable economic downturn, in which developed countries' per capita GDP is assumed to have decreased by approximately 6% on average (Barro et al. 2020). The incidents of an influenza pandemic repeated in 1957 (Asian Flu) and 1968 (Hong Kong Flu). In this millennium, the most threatening incidents have been the SARS outbreak in 2003, the "Swine flu" influenza in 2009, the MERS coronavirus outbreak in 2012, the Zika virus in 2015, and the Ebola virus in 2018 (Madhav et al. 2017;Broekhoven et al. 2006). However, the COVID-19 outbreak is unprecedented compared to the outbreaks that have occurred since the 1918 Spanish Flu influenza in both global reach and number of infections. Driven by the urgent need to stop the spread of the disease, severe restrictions on movement and association have been implemented globally. Lock downs, social distancing requirements, border closures, travel restrictions, and bans on mass events have all severely affected economies and communities. According to WHO (2020), as of 10th of December 2020, the number of people confirmed with COVID-19 exceeded 68 million, with the number of victims of more than 1.5 million, as shown in Figure 1. In addition, economists at the International Monetary Foundation (IMF) predicted that the virus would result in 2020 global growth decreasing significantly, from a pre-COVID-19 forecast of 3.4% growth to a post-COVID-19 forecast of a contraction of almost 5% (Jackson et al. 2020). As of the end of 2020, there are still questions about the nature of the virus, the evolution of the pandemic, as well as effective medical treatments and the timeline of possible vaccines.
identify the related challenges and opportunities for ERM in a "post-COVID-19 world". In Section 4 we conclude, by suggesting areas for future research.

The Features of Pandemic Risk
Over 100 years ago, the world was threatened by the Spanish Flu Influenza pandemic, which resulted in approximately 500 million infections and an estimated 50 to 100 million deaths (Madhav et al. 2017). Following the three waves of the Spanish Flu influenza, the world experienced a notable economic downturn, in which developed countries' per capita GDP is assumed to have decreased by approximately 6% on average (Barro et al. 2020). The incidents of an influenza pandemic repeated in 1957 (Asian Flu) and 1968 (Hong Kong Flu). In this millennium, the most threatening incidents have been the SARS outbreak in 2003, the "Swine flu" influenza in 2009, the MERS coronavirus outbreak in 2012, the Zika virus in 2015, and the Ebola virus in 2018 (Madhav et al. 2017;Broekhoven et al. 2006). However, the COVID-19 outbreak is unprecedented compared to the outbreaks that have occurred since the 1918 Spanish Flu influenza in both global reach and number of infections. Driven by the urgent need to stop the spread of the disease, severe restrictions on movement and association have been implemented globally. Lock downs, social distancing requirements, border closures, travel restrictions, and bans on mass events have all severely affected economies and communities. According to WHO (2020), as of 10th of December 2020, the number of people confirmed with COVID-19 exceeded 68 million, with the number of victims of more than 1.5 million, as shown in Figure 1. In addition, economists at the International Monetary Foundation (IMF) predicted that the virus would result in 2020 global growth decreasing significantly, from a pre-COVID-19 forecast of 3.4% growth to a post-COVID-19 forecast of a contraction of almost 5% (Jackson et al. 2020). As of the end of 2020, there are still questions about the nature of the virus, the evolution of the pandemic, as well as effective medical treatments and the timeline of possible vaccines. As a result of the smaller virus and flu outbreaks from 2000 to 2015, many members of the global risk management community were aware of the severity of the possible consequences of a global pandemic outbreak. In particular, the SARS and swine flu pandemics created the necessary impetus for discussion on organizations' abilities to properly identify and assess the risk of a pandemic, as well as managing its consequences (Trock et al. 2015;Jonas 2014;Verikios et al. 2016;Broekhoven et al. 2006). In addition, while many view the COVID-19 pandemic as a black swan event, there were notable voices stating that the world is inadequately prepared for a major global pandemic that may potentially strike again (Fan et al. 2018). Moreover, the analysis of the overall consequences of the pandemic needs to address the interplay of social (loss of lives) and economic consequences (loss of income, expenditures made to prepare and recover from pandemic) (Fan et al. 2018;Jonas 2014;Prager et al. 2017;Keogh-Brown et al. 2010;Estrada et al. 2016;Baumgart et al. 2007;Woolnought and Kramer 2007). Jonas (2014) discusses in detail the most relevant characteristics of pandemic risk, by referring to prior epidemic and pandemic incidents. In general, although the hazard (infectious pathogen) is As a result of the smaller virus and flu outbreaks from 2000 to 2015, many members of the global risk management community were aware of the severity of the possible consequences of a global pandemic outbreak. In particular, the SARS and swine flu pandemics created the necessary impetus for discussion on organizations' abilities to properly identify and assess the risk of a pandemic, as well as managing its consequences (Trock et al. 2015;Jonas 2014;Verikios et al. 2016;Broekhoven et al. 2006). In addition, while many view the COVID-19 pandemic as a black swan event, there were notable voices stating that the world is inadequately prepared for a major global pandemic that may potentially strike again (Fan et al. 2018). Moreover, the analysis of the overall consequences of the pandemic needs to address the interplay of social (loss of lives) and economic consequences (loss of income, expenditures made to prepare and recover from pandemic) (Fan et al. 2018;Jonas 2014;Prager et al. 2017;Keogh-Brown et al. 2010;Estrada et al. 2016;Baumgart et al. 2007;Woolnought and Kramer 2007). Jonas (2014) discusses in detail the most relevant characteristics of pandemic risk, by referring to prior epidemic and pandemic incidents. In general, although the hazard (infectious pathogen) is natural, the pandemic risk shall be classified as a man-made disaster, as human actions are relevant for controlling the spread of the disease. If these actions are ineffective, the epidemic escalates into a pandemic. COVID-19 is particularly difficult in this context, as this pathogen is easily transmissible.
The first dimension of human activities relevant for controlling the contagion are the actions initiated by authorities, in particular the nature and timelines of the restrictions in response to the spread of the disease. However, equally relevant actions are the effective procedures of detection, contact tracing, and diagnosis of infections. The authorities are also responsible for communication, building public trust, and enhancement of preparedness, which is extremely relevant to the second dimension of human actions, on the individual level. The behavior of the individuals, driven by the understanding of the pandemic threat seems essential for controlling the escalation of infections.
The second relevant feature of pandemic risk is its cascading nature related to the development and transmission of health risk into other types of risk (Jonas 2014). From the economic perspective, the first risk that emerges shortly after the pandemic outbreak is related to the insufficient labor supply. The restrictions imposed shortly after the COVID-19 outbreak have generated further shocks; in particular, loss of customers and supply chain disruptions, which has led to the dramatic business discontinuities. The fragile business climate ultimately results in the disruptions in capital flow, as related to the transmissions of shocks in the financial system. Jonas (2014) explained this mechanism with the example of the SARS outbreak (2003), and which suggests that the COVID-19 pandemic will result in a greater degree of economic downturn. Moreover, globalization and interconnectedness of economies amplifies the cascading consequences of the pandemic.
The unique characteristics of the COVID-19 pandemic can also be addressed using risk analysis. Commonly, the impact of risk is analyzed with reference to the probability of risk occurrence and the severity of its consequences (Aven 2016). Going beyond this view, Renn (2008) suggested consideration of other dimensions of risk relevant for analysis: risk ubiquity (geographic dispersion of damage), risk persistence (temporal extension of potential damage), and risk reversibility (resilience and recovery capabilities). First, Renn (2008) classified pandemic risk as an indecisive risk probability (as we have limited ability to capture the chance of its occurrence) but defined it as severe when considering the extent of the damage in terms of the number of fatalities. Following Jonas (2014), the severity of the COVID-19 pandemic must be considered by the transmission of health consequences into economic and societal consequences. If we consider risk ubiquity, COVID-19 has affected the whole globe in a relatively short period of time. As presented in Figure 2, since the confirmation of first infections on 31 December 2020 in Wuhan, China, to the end of April 2020, almost the entire global community was under some form of government-mandated lock down. The system intervention measures and restrictions, imposed to stop the spread of the disease, were believed needed to ensure the sufficiency of healthcare systems. However, such interventions and restrictions prolong the duration of pandemic and its persistence, as explained by Linkov and Trump (2019), using the example of the Ebola virus. Moreover, as of October 2020, our knowledge of COVID-19, while increasing, is still limited and thus we are unable to predict further escalation of the disease and its ultimate duration. Finally, the cascading consequences of COVID-19 in economic dimensions, as amplified by the globalization and interconnectedness of economies, lead to a questioning of the timing and recoverability from COVID-19 pandemic consequences. As we observed shortly after the pandemic outbreak in Europe or in the United States, the imposed restrictions resulted in the severe operating disruptions of numerous businesses and sectors. The possible bankruptcy waves and increase in structural unemployment, as well as the anxiety of the business community and financial sector, may result in further consequences driven by the economic downturn.

ERM Concept: Origins and Philosophy
Risk management has been practiced by organizations for centuries; however, in most cases it was considered only in a narrow context with reference to risky events that could be addressed through the transference of risk through insurance. In the 1970s and 1980s, the risk management discipline was mostly focused on financial risk management coinciding with the emergence and increased use of financial derivatives (Crockford 1982;Kloman 2010;Dionne 2013). During this time, organizations managed risks mostly within the business unit or silo in which the risk resided-credit risk within finance and treasury, customer loyalty and retention within sales, employee succession risk within human resources, etc. In the mid-1990s, the risk management concept evolved further toward an integrative, holistic dimension, which proposed the management of the portfolio of risks across the whole enterprise (Bromiley et al. 2015). In this context, the term ERM (enterprise-wide risk management) was created, to distinguish between this broadened view, as opposed to the previous narrow silo view, often referred to as traditional risk management (Dickinson 2001;Hoyt and Liebenberg 2011).
The organizational practice of ERM is still relatively new, with a limited but growing number of academic works examining its adoption, implementation, and consequences (Beasley et al. 2015;McShane 2018;Anton and Nucu 2020

ERM Concept: Origins and Philosophy
Risk management has been practiced by organizations for centuries; however, in most cases it was considered only in a narrow context with reference to risky events that could be addressed through the transference of risk through insurance. In the 1970s and 1980s, the risk management discipline was mostly focused on financial risk management coinciding with the emergence and increased use of financial derivatives (Crockford 1982;Kloman 2010;Dionne 2013). During this time, organizations managed risks mostly within the business unit or silo in which the risk resided-credit risk within finance and treasury, customer loyalty and retention within sales, employee succession risk within human resources, etc. In the mid-1990s, the risk management concept evolved further toward an integrative, holistic dimension, which proposed the management of the portfolio of risks across the whole enterprise (Bromiley et al. 2015). In this context, the term ERM (enterprise-wide risk management) was created, to distinguish between this broadened view, as opposed to the previous narrow silo view, often referred to as traditional risk management (Dickinson 2001;Hoyt and Liebenberg 2011).
The organizational practice of ERM is still relatively new, with a limited but growing number of academic works examining its adoption, implementation, and consequences ( (Miccolis and Shah 2000). However, these frameworks only provide guidance to organizations and do not require a specific version of ERM be implemented.
The existing ERM definitions highlight the evolutionary context of ERM (Mikes and Kaplan 2015) and its strategic orientation, designed to identify and manage the portfolio of risk (threats and opportunities), to assure the achievement of an organization's objectives (see e.g., definitions provided by Beasley et al. 2015, Lundqvist 2014, or Ai et al. 2012. The board risk oversight and comprehensiveness of ERM are also sub-components of rating evaluations (e.g., Standard andPoor's 2008, 2012). However, there is growing evidence that organizations do not adopt ERM solely to comply with regulatory pressure, but to enjoy its direct economic benefits (Pagach and Warr 2011). The positive association between firm performance and ERM implementation has been confirmed by numerous empirical works (e.g., Smithson and Simkins 2005;Gordon et al. 2009;Hoyt and Liebenberg 2011;Baxter et al. 2013;Farrell and Gallagher 2015;Bromiley and Rau 2016;Florio and Leoni 2017).
In practical terms, the evolution of ERM was emboldened by how some organizations were able to use the ERM process of risk identification, assessment, response, and monitoring to weather risks associated with corporate scandals (e.g., Enron collapse in 2002) or as a consequence of natural catastrophes (Beasley et al. 2015;McShane 2018). Thus, the ERM framework is greatly concerned with the alignment of risk management with corporate governance strategies, with specific attention to the definition of risk appetite and board risk oversight (Beretta 2019;Beasley et al. 2015).
As an on-going process, ERM has several interrelated stages (Falkner and Hiebl 2015;ISO 31000:2018ISO 31000: 2018. It begins with the identification of risk, that is directed toward the consideration of the threats and opportunities that could affect the organization's performance. Next, the assessment of risk is performed, with the assessment of probability (frequency of occurrence) and severity (the consequences, as the possible damage caused) of the previously identified risks (Bromiley and Rau 2016). The results of risk assessment are essential for the next stage of the process, which is the decision on the best risk treatment methods to be used (often the compilation of methods). The spectrum of the possible treatments is summarized by Hopkin's (2015) proposal, which distinguished between the decision to: (i) tolerate (accept/retain), (ii) treat (control/reduce), (iii) transfer (insure/contract), or (iv) terminate (avoid/eliminate). The actions taken within the ERM process shall be constantly monitored and reviewed, as well as communicated and reported internally and to the stakeholders. The stages of the ERM process, according to the ISO framework, are presented in Figure 3. With reference to these stages, we list the most relevant post-COVID-19 ERM challenges in the next section. (Miccolis and Shah 2000). However, these frameworks only provide guidance to organizations and do not require a specific version of ERM be implemented.

Risk Management: An Analytic Approach
The existing ERM definitions highlight the evolutionary context of ERM (Mikes and Kaplan 2015) and its strategic orientation, designed to identify and manage the portfolio of risk (threats and opportunities), to assure the achievement of an organization's objectives (see e.g., definitions provided by Beasley et al. 2015, Lundqvist 2014, or Ai et al. 2012. The board risk oversight and comprehensiveness of ERM are also sub-components of rating evaluations (e.g., Standard andPoor's 2008, 2012). However, there is growing evidence that organizations do not adopt ERM solely to comply with regulatory pressure, but to enjoy its direct economic benefits (Pagach and Warr 2011). The positive association between firm performance and ERM implementation has been confirmed by numerous empirical works (e.g., Smithson and Simkins 2005;Gordon et al. 2009;Hoyt and Liebenberg 2011;Baxter et al. 2013;Farrell and Gallagher 2015;Bromiley and Rau 2016;Florio and Leoni 2017).
In practical terms, the evolution of ERM was emboldened by how some organizations were able to use the ERM process of risk identification, assessment, response, and monitoring to weather risks associated with corporate scandals (e.g., Enron collapse in 2002) or as a consequence of natural catastrophes (Beasley et al. 2015;McShane 2018). Thus, the ERM framework is greatly concerned with the alignment of risk management with corporate governance strategies, with specific attention to the definition of risk appetite and board risk oversight (Beretta 2019;Beasley et al. 2015).
As an on-going process, ERM has several interrelated stages (Falkner and Hiebl 2015;ISO 31000:2018ISO 31000: 2018. It begins with the identification of risk, that is directed toward the consideration of the threats and opportunities that could affect the organization's performance. Next, the assessment of risk is performed, with the assessment of probability (frequency of occurrence) and severity (the consequences, as the possible damage caused) of the previously identified risks (Bromiley and Rau 2016). The results of risk assessment are essential for the next stage of the process, which is the decision on the best risk treatment methods to be used (often the compilation of methods). The spectrum of the possible treatments is summarized by Hopkin's (2015) proposal, which distinguished between the decision to: (i) tolerate (accept/retain), (ii) treat (control/reduce), (iii) transfer (insure/contract), or (iv) terminate (avoid/eliminate). The actions taken within the ERM process shall be constantly monitored and reviewed, as well as communicated and reported internally and to the stakeholders. The stages of the ERM process, according to the ISO framework, are presented in Figure  3. With reference to these stages, we list the most relevant post-COVID-19 ERM challenges in the next section.

ERM Post-COVID-19
Undoubtedly, with its unique features, the COVID-19 pandemic is an example of a tail-risk that has materialized and has a potential to impact ERM systems on an unprecedented scale. In response to the crisis caused by COVID-19, organizations across the globe have examined their risk identification, analysis, and evaluation processes in order better respond to continuing and new risks, communicate to stakeholders, and better connect risk management with strategy. In addition, the crisis has underscored the importance of treating ERM not just as a required regulatory requirement but as part of the strategic process that generates value for an organization.
The initial response to the pandemic may be more in the form of short-term actions to stabilize the organization and see it through the initial crisis. Smith et al. (2020) suggest that organizations adopt a three-phased response to the current crisis, involving first a rapid response to urgent pandemic needs, then shifting resources to ensure stabilization and then finally implementing changes to ensure long-term success. The initial response requires ensuring that employees and others are safe, and that the organization has a way to communicate critical policies and information to stakeholders. In the second phase, there is evaluation of risks, assurance of compliance with emerging safety and legal protocols, and an examination of risk recurrence. In the final phase of response, an organization should examine and implement changes to ensure sustainability and continued success of the organization. It is this third phase that is the focus of this Special Issue.
An initial response that organizations should take in the third phase is an examination of their risk identification process. Methods to identify risks are a fundamental part of implementing ERM. In addition, one of the most important aspects of an effective and mature ERM process is the ability to understand and manage tail events (Dardis et al. 2020). Many organizations were surprised by the depth and severity that the pandemic has had on their organizations. Given this, it is important that organizations examine scenarios that depict the type of scenario the world is currently facing in terms of concurrent pandemic predicaments resulting from demographic, economic, operational, and strategic risks. In this context, examining ERM from a strategic lens is required. This requires examining risk scenarios with a special focus on how the organizations' most valuable assets and value drivers are affected, so that in future crises these value drivers can be maintained to sustain the organizations' viability.
A second important activity that must take place is an analysis of risks facing an organization. The development of risk assessment tools and how the value drivers of the organization are affected under various scenarios is the establishment of "what-if" scenarios. In addition, an investigation of the models that the organization is using to assess and analyze risks should be undertaken; are the inputs reasonable? Are the interactions too simple or too complex? Are the outputs consistent with the current economy and organization strategy?
With respect to risk identification and risk analysis, we believe that the following areas of research would provide insight into how ERM can be more effective in a post-COVID-19 environment: • How have organizations identified, assessed, and evaluated the risks associated with pandemics, such as COVID-19 and the derivative risks caused by pandemic? • What has been the role of ERM in identifying and monitoring specific high-impact low-probability risks? Did organizations with more mature ERM processes fare better in identifying the pandemic risk? • What methodologies might organizations use or have used to consider and monitor long-term trends and the risks that they pose? Which methodologies are best practices? • What additional challenges has COVID-19 brought to ERM? What new risk management methods and risk response strategies could help firms better endure COVID-19 disruptions in operating activity?
A third important ERM activity that organizations should undertake within the third phase is an assessment of risk strategy. A critical outcome for organizations and ERM personnel will be to use momentum from their crisis responses to strengthen the foundation, framework, and strategy for enterprise risk management, including formal resilience principles (Smith et al. 2020). Boards of directors have a duty to exercise oversight and monitor the corporation's operational viability, legal compliance, and financial performance. Directors should regularly monitor the impact that COVID-19 is having on the organization's operations, understand how management is assessing the impact, and think through the acceptability of managers' response to the pandemic. Communication of this information should come in both the management discussion and analysis (MD&A), as well as risk factors (Item 1A for SEC filers). In this sense, the ERM process can be strengthened through communication and the further establishment of a risk culture. In both cases, the CRO will play an important role in providing information and reports to the board and management, ultimately strengthening the ERM organization and its centralized role. As Deans (2020) states, many risk managers have essentially acted as compliance managers and now must play a key role in crisis management and business continuity.
Examining the role of the CRO and communication, we believe that the following areas of research would provide insight into how ERM can be more effective in a post-COVID-19 environment: • How have the effects of COVID-19 been disclosed and communicated? • Have organizations that disclosed pandemic risk factors better responded and prevailed during the COVID-19 pandemic? • How can ERM provide better risk reporting and communication during a crisis? • Have organizations' disclosure processes adequately identified COVID-19 issues that may arise and ensured that this information is disclosed?
In addition, organizations should examine the importance that aspects of an organization's culture have on an organization's ERM maturity and sophistication. This is especially true given the role of culture and its foundational relation to effective ERM. In fact, COSO's (2017) ERM Framework emphasizes the role of culture in supporting effective ERM: Enterprise risk management is defined as "The culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating preserving, and realizing value" (COSO 2017, p. 10).
With respect to risk strategy, we believe that the following areas of research would provide insight into how ERM can be more effective in a post-COVID-19 environment: • What role did the importance of ERM maturity play in understanding and responding to COVID-19 risk? • What is the role of culture in implementing a successful ERM response to COVID-19? • What is the role of ERM in providing a framework for organizations to understand the effect that the COVID-19 pandemic has in transforming inherent risks? • What is the extent of COVID-19 pandemic impacts on the redefinition of risk appetite strategies? • What is the role of ERM in responding to COVID-19 challenges, development of new risk management methods, and new risk response strategies in response to continued disruptions in operating activity?

Conclusions
As we near the completion of 2020, we know that the global COVID-19 pandemic has created new and important challenges for the contemporary evolution of ERM. In this paper we have discussed these challenges, by referring to ERM philosophy and its strategic orientation. In addition, we have identified several broad areas of concern that would benefit from additional examination in future discussions. In this respect, our paper offers a map of possible research endeavors that may potentially fill in the emerging research gap on the role of ERM in responding to COVID-19 pandemic impacts, as identified recently by Anton and Nucu (2020).
In the risk identification and risk analysis dimension, there is a need to address the ability to understand and manage pandemics as a tail event, as well as to develop the reasonable scenarios for dealing with these types of risk events in the future. Moreover, future research endeavors should address the challenges within the available risk response strategies to COVID-19 disruptions, as well as the emergence and applicability of new risk management methods.
As a second relevant agenda for future research, we identified the role that ERM and the CRO play in communicating risk information to the board, management, and stakeholders. Disclosure is critical to a company's ability to help users discern the impact that risks and developments related to the COVID-19 pandemic may have on the company and its business, financial condition, and results of operations.
A final relevant agenda for future research we identified is the role that ERM has in organizations' strategic process, in which ERM culture, maturity, and sophistication play a significant role. An effective response to COVID-19 consequences and the enhancement of resilience strategies require an examination of the role of ERM in crisis management. An effective ERM function focused on governance and culture and which helps the organization align risk management with strategy will aid the organization in identifying opportunities that may be missed. As a result, existing industries and processes will be transformed as risks change and evolve, creating significant transformation.