The changing landscape of corporate risks
April 2017 | SPECIAL REPORT: MANAGING RISK
Financier Worldwide Magazine
Which global risks are most feared by businesses? It turns out there are plenty, but the upshot of any risk is the outcome businesses find most worrisome: business interruption (BI).
As they face increasing uncertainties, businesses are more sensitive to distractors that threaten the bottom line, including potential risks leading to BI. Along with traditional risks like natural catastrophes and fire and explosion, however, triggers to BI are increasingly intangible in nature, given the rapid advance toward digitalisation and ‘smart’ manufacturing.
The top three global business risks, according to the 2017 Allianz Risk Barometer, a survey of over 1200 risk experts from 50-plus countries, are BI (37 percent of responses selected it as one of the top three risks), market developments (31 percent) and cyber incidents (30 percent).
Other risks rounding out the top 10 were natural catastrophes (24 percent), changes in legislation and regulation (24 percent), macroeconomic developments (22 percent), fire and explosion (16 percent), political risks and violence (14 percent), loss of reputation or brand value (13 percent) and new technologies (12 percent).
Non-physical damage BI
Although physical perils like fire and explosion and natural catastrophes were identified as the BI threats that businesses most feared, non-physical damage BI (NDBI) events garnered more successive attention. Clearly, businesses worry about new technologies, a cyber incident or the indirect impact of an act of terrorism or political violence, not to mention less volatile but no less disruptive events, such as economic sanctions or unplanned power failures.
For the fifth consecutive year of the survey, BI came out on top, because new triggers for BI emerge constantly, from cyber incidents to market developments to the changing political landscape. In future, even more non-damage triggers of BI will emerge.
Other identified NDBI events included supplier failure/lean processes (33 percent of responses), followed by others like cyber incidents (29 percent), interdependencies from global networks (24 percent), product quality incident (15 percent), unplanned outage of IT or telecommunications systems (12 percent), power outage (10 percent) and political risks and violence (10 percent).
A main driver of NDBI is the ongoing influence of digital technology, as companies enhance processes and systems. Many things can impact a BI event, including smart technology systems, outsourcing of suppliers and the threat of cyber risks. But cyber events do not have to be malicious, offensive attacks from hackers or other ‘hacktivists’. They can also be caused by human error.
While cyber BI risks from malevolent attacks are evident, companies face substantial losses from unintended cyber incidents. For example, a cloud failure at an on-demand computing platform provider that compromises customer data, an incorrectly measured variable fed to an industrial control system (ICS) of a power generation plant that causes unplanned outages, or a service interruption to a payment gateway of a bank that causes accounts to go overdue – any of these events can devastate a company.
Supplier failure also is a threat, ranking third on the list of top BI risks that businesses most fear, predominantly related to single-source, low-cost suppliers or factories in regions where cheap manual labour is prevalent.
Cost-cutting measures can, of themselves, be recipes for disaster, because as supply chain costs fall, risks soar. Business resiliency and continuity is the objective; companies need to maintain the right level of supplier diversification at cost-competitive prices.
The survey points out that NDBI exposures exist independently of the normal flow of business and points to the explosions in 2015 in Tianjin, China, where a number of losses associated with the supply flow interruption occurred because the Port of Tianjin was closed by local authorities. Such damages may not be covered by insurance, unless extra NDBI coverage has been purchased.
For example, a business does not have to be the direct victim of a terrorist act to feel the effects of BI. If an attack occurs nearby, the surrounding area likely will have to be secured by police for an indeterminate amount of time, meaning businesses in the area will have to shut their doors.
Additionally, insureds should consider their supply chains and the possible impact a terrorist event may have on suppliers, including second- and third-tier suppliers, or even customers. Terrorism contingency plans should be in place, as it can take months for a company to get back to regular trading levels following a substantial interruption.
Similarly, conventional political risks – war, civil war, insurrection and other events – should not be overlooked. The impact on multinational corporations can be much greater and longer lasting.
Too often, there is little a company can do to prevent an incident, but they can monitor the political landscape of all the countries in which they and their suppliers do business and seek professional crisis management services from companies that specialise in that niche market.
SME BI risk
Forty-five percent of large-sized companies list BI as one of their top three risks while only 27 percent of small-sized companies (those with revenues of less than $250m) did so. Smaller companies are encouraged to: (i) maintain sufficient on-hand inventory reserves; (ii) avoid geographic supplier concentrations; (iii) monitor supplier M&A activity; and (iv) avoid production specialisation that leads to outsourcing.
Market developments call for new approaches to emerging dynamics
With a fast-changing, albeit unpredictable marketplace, companies are afraid that risk impacts such as intensified competition, mergers and acquisitions (M&A) activity, and market volatility and stagnation will stymie bottom line growth.
Much of the anxiety regarding market developments also hinges on uncertainties and potential intangible risks posed by the global political environment. Brexit, Trump, protectionism, and right-wing, nationalistic and anti-immigration movements in the Netherlands, France, Germany, Hungary and other European countries question the future of a strong EU and the efficacy of globalisation. Simultaneously, digitalisation and the ever more connected marketplace are forcing businesses into a rush to digitalise, further squeezing capital.
While digital innovation brings opportunities, some companies are concerned about its impact, as 53 percent of responses cited increased digitalisation and new technologies as the top trend currently transforming their industries. Technological changes are occurring at staggering rates, keeping many businesses slightly off-step.
No industry is immune to the impact of digitalisation and the vast quantity of data exchanged at all stages of the business value chain. Interconnectivity encourages growth, helps optimise costs and promotes more flexible business models close to the final customer, although on the other hand it also poses significant risks related to the inability to deliver products and services.
Applying machine learning, artificial intelligence, Big Data and other solid analytics necessarily entails accepting more cyber risk. Companies need to develop and implement proper cyber risk management and mitigation procedures in order to offset that risk.
What most worries companies about the impact of digitalisation is the increasing sophistication of cyber attacks, data fraud and theft (these factors were cited by 45 percent of respondents who replied). The breakdown of critical infrastructure was next (36 percent), followed by new competitors and disruptive start-ups entering the market (24 percent).
Cyber BI
There is also an anticipated shift away from human error, generally a leading cause of losses in many industrial sectors, toward technical failure as a cause of loss as digitalisation takes hold. Even though there is an increasing threat of cyber attacks, however, the vast majority of digital disruptions are routine glitches, power failures or other non-malicious events. Nonetheless, BI from such events can devastate a company’s bottom line. From an insurer’s perspective, cyber risk is still relatively unknown and un-modelled and all sectors are susceptible to disruption.
Increasing interconnectivity and cyber perils pose a huge direct risk for corporate and commercial clients, as well as an indirect threat by exposing critical infrastructure such as IT, water or power supply which could impact companies and societies with widespread BI of critical infrastructures.
BI as a result of a cyber event, whether of malicious intent, human error or systems malfunction, can greatly damage a company’s reputation and financial situation. For a customer-facing organisation, confidentiality of customer data is key, while in a production environment equipment data availability is vital to keep the financial implications of a cyber incident in check.
Meanwhile, data protection rules are getting steadily tougher as governments move to bolster data security and confidentiality. These actions will greatly affect businesses.
The strongest move to date is from the EU which will introduce the General Data Protection Regulation (GDPR) in May 2018. The rules will impose substantial penalties and liabilities upon companies operating in the EU or – an important caveat for multinational companies – with EU citizens. Companies in violation could be fined as much as 4 percent of their global revenues for breaching the rules. Businesses have just over a year to make necessary preparations to abide by the stricter rules.
Cyber risk mitigation strategies
Companies of all sizes should: (i) consider potential exposures and prepare for potential incidents; (ii) know their assets and how to prepare and protect data; (iii) implement monitoring and early warning systems to guard against breaches, data compromise and viruses, among others; (iv) develop a cyber strategy in conjunction with a business continuity plan (BCP); (v) train employees on how to identify fake emails and not to click through on suspicious links; (vi) back up data off-site, segmented apart from the company’s network; (vii) use role-based permissions for employees and not grant more data access than needed for their jobs; (viii) implement a comprehensive information security management (ISM) system; and (ix) appoint a chief information security officer.
Joel Whitehead is a communications specialist at Allianz AG. He can be contacted on +49 89 38000 or by email: joel.whitehead@agcs.allianz.com.
© Financier Worldwide