Business interruption has been a headline issue for enterprise for decades – but it’s now got a hard, crystalline edge.
In mid-2019 the chairman of property valuation business, Landmark White, which had been subject to a series of cyber security incidents, warned that unless it could satisfy customers that its systems were safe; “The constant attack on us will ultimately bring the company down”.
Cyber attacks, climate change, floods, fires –an outbreak of Legionnaire’s disease – whatever the cause, business interruption is a real and persistent threat to business of all sizes, in all sectors.
Aon’s 2019 Global Risk Management Survey saw enterprise leaders from around the world rank business interruption the fourth most pressing risk facing business globally. In 2017 it ranked eighth.
Asia Pacific business is even more alarmed; business interruption ranks third, after damage to reputation and brand in first place, and rising competition in second.
Disruption to any business can have direct financial impact in terms of foregone revenue, eroded profits and legal claims. It has potentially catastrophic impacts across complex, and increasingly global, supply chains that can make even domestic focussed businesses vulnerable to international events and elevated geo-political flux.
Meanwhile severe weather is having an impact; Aon’s 2018 Weather, Climate and Catastrophe Insight report calculated that combined losses over the last two years due to weather related incidents amounted to $653 billion.
And for all businesses the cyber threat continues to grow; this year alone has delivered Landmark White’s woes; a data breach at Sydney start up Canva exposing 139 million records; and the unprecedented attack against the Australian National University unravelling decades of student and alumni privacy.
According to the Ponemon Institute, the global average cost of a data breach in 2018 is up 6.4 percent over 2017 to $3.86 million.
While some business interruption triggers and hazards can be anticipated – cyber breaches for example are now considered inevitable for most enterprises – other black swan type events cannot be easily predicted. But business can be prepared for even the unexpected, and engineer a response to maximise resilience and minimise business interruption impact. It’s the key to rapid recovery.
Identify risks, prepare a plan
Preparation is key to any successful response to a business interruption. Enterprise leaders need first to identify the risks that the organisation may be susceptible to, and their probability, as this forms the foundation for mitigation strategies. An enterprise-wide, regularly reviewed risk register will help articulate potential threats to business as usual (BAU) operation.
Armed with that insight, businesses can start to develop processes to deal with a business interruption, to train staff and put in place communications mechanisms that would be triggered by an interruption in BAU. Critically, a business should also test those preparations in advance using a carefully crafted scenario, allowing a soft fail to take place if the plan is flawed in order to learn from mistakes and finesse response processes, so that when a real event takes place the recovery will be more effective and happen faster.
Working with an experienced third-party specialist to assess risks and prepare response strategies can be particularly useful as it ensures access to industry expertise and best practice insights. It also reduces the risk of vested interests within an organisation compromising its response to a business interruption.
Once in place, the plan should be tested annually and revised as required, with careful consideration of any regulatory or legislative changes that may have come into effect over the intervening 12 months that could potentially impact the efficacy of the response plan.
In order to restore BAU as swiftly as possible organisations need a clear understanding of specific exposures, the probability of occurrence, and the quantum of the impact that an interruption might have.
This helps sharpen the focus of the response plan and also scales the insurance coverage required to allow the business to effectively manage the situation and resume BAU quickly.
As part of the advance preparation companies should review current insurance policies, particularly industrial special risks policies and property insurance policies, and any cover for loss of revenue. Are those policies tailored in a way that responds to the period of loss? Do they feature accurately declared values of loss of revenues or profit? Does the business have effective cyber insurance and what coverage does that provide – not just in terms of financial loss coverage, but access to expert support to assist with remediation and recovery?
In short; assess whether the insurance program is fit for purpose, specifically in terms of delivering business interruption support, are the values and indemnity periods appropriate?
In the event of a significant business interruption, and potentially massive loss it is important to understand how the policy is going to respond and that it offers full replacement for physical items lost or damaged as well as mitigating or securing recompense for loss of revenue as a result of the disruption.
Not only does this mature approach help deliver enterprise peace of mind, but in the current insurance environment, provide you with strong evidence to underwriters of your businesses’ ability to respond to a non-BAU event. A number of insurers are providing strong recommendations that response plans be developed and tested. Whether or not there are business continuity plans or crisis management plans in place can impact on pricing, and even whether the insurer is willing to underwrite that policy.
How can you prepare your business?
Aon recommends companies:
- Identify risks and analyse your existing insurance policies and international program solutions
- Evaluate your unique risk profile, assess the probability of risk events occurring, and quantify potential loss from interruption to BAU
- Apply concrete measures and procedures for managing risks through targeted use of quantification, risk financing, and change management
- Control different risk measures at every phase, and embed effective and sustainable risk management practices across the business
- Use the risk assessment to determine appropriate limits of risk transfer and eliminate under-insurance, or the need to fund business interruption claims from internal capital. Similarly eliminate over insurance and excess premiums
- Share with insurance brokers and underwriters details of your response plan in order to ensure the best price and extent of cover.