The COVID-19 pandemic is causing organizations to reevaluate how they manage enterprise risks, experts say.

As multiple reports have found that spread of infectious disease is a major concern among executives, organizations need to shift their approach to be more resilient to future disruptions and shock events, they say.

“We need to be putting some real effort towards evaluating how shock events can impact organizations across the value chain,” said Reid Sawyer, Chicago-based head of the Emerging Risks Group of Marsh Advisory, a unit of Marsh LLC. “We tend to measure resilience in terms of traditional meanings that only really offer solutions to known and incremental risks, but there’s very little for unseen events.”

A World Economic Forum report released Oct. 8 found the spread of infectious disease is a major concern for executives in the United States and businesses globally, jumping 28 spots from last year to the second most recurring risk and appearing in the top 10 in all regions except South Asia. Cyberattacks remain the biggest risk for U.S. businesses, the report found.

Amid the global pandemic, organizations are shifting their conversation and reevaluating the prioritization of their enterprisewide risk, said Jim Wetekamp, CEO of Atlanta-based Riskonnect Inc., a risk management technology firm.  

“Probably more so than before there is now a more global or cohesive strategy with regard to risk being taken by the organization at the top level,” Mr. Wetekamp said.

This change in priorities is being driven by growing awareness of the need to address the compound effect of multiple risks occurring at the same time, he said.

Organizations are now looking at combinations of multiple risk scenarios, whether it’s employees missing work due to a pandemic, customers’ inability to get to certain retail locations, supply-chain disruption due to wildfires or earthquakes, or regulatory changes in a geography that they depend upon, he said.

“What used to be a risk discussion is now an operations discussion. There’s no way to have the strategy to handle that unless you’re tying together employee health and safety, field operations, supply-chain logistics, vendor management — all in a single integrated conversation,” Mr. Wetekamp said.

Risk managers in cities in particular are thinking more broadly about the next systemic risk, said Hank Watkins, New York-based regional director and president, Americas for Lloyd’s of London.

“The insurance industry needs to do a better job convincing governments that there are opportunities to transfer their risks whether from cities themselves, which are largely self-insured, or from businesses,” Mr. Watkins said.

“If we ever get that to the right place there’ll be much better opportunity for cities to spend less money responding to disasters…and more time developing education, health care and resilience around pandemics,” he said.

Lloyd’s Cities at Risk report released Oct. 8 found that an extreme market crash could cost New York up to $308 billion, an extreme cyberattack could cost $333 billion, and a flood loss could cost the city up to $1.3 trillion.

It’s critical to take a longer-term view to shock events, so that policyholders and the insurance market can start to anticipate and understand coverage needs, Mr. Sawyer said.

“It’s not just that we should be anticipating the shock event to be more frequent but that there’s a velocity of risk,” he said.

The NotPetya cyberattack in 2017 spread across 65 countries within hours, while the COVID-19 pandemic took several months to spread.

“The speed of risk is fundamentally changing because of how interconnected we are today and how many dependencies we have throughout the value chains of our businesses. We need to be anticipating systemic shocks, and we need to have the right risk systems in place to address this world,” Mr. Sawyer said.

A report released Sept. 24 by A.M. Best Co. Inc. found that although enterprise risk management had evolved rapidly over the past decade, the COVID-19 pandemic has underscored that insurers and reinsurers still can be affected by “unknown unknowns” and “unexpected accumulations.”

COVID-19 is testing insurers’ enterprise risk management approach, practices and resilience to current market conditions, Mahesh Mistry, senior director, criteria at A.M. Best, said in a statement accompanying the report.

Today’s loss events whether wildfire, hurricane or typhoon — “nothing’s under $1 billion anymore,” Mr. Watkins said. Several years ago, that level of property loss would have been “shocking,” but the insurance industry might pay more than $100 billion for COVID-19, he said.

“A $4 billion or $3 billion hit from a hurricane, while tragic for those experiencing it, doesn’t seem to make the industry flinch,” he said.

Pandemics are a global shock whereas every other type of incident whether it’s a terrorist attack or a targeted cyberattack or a flood has been focused on a geographic area. “That tends to be the main difference here. This thing’s coming at us from all sides,” Mr. Watkins said.