A Going (Growing) Concern

How can Canadian executives consider and respond to the growing concern around more frequent and severe natural catastrophes? Do these natural events impact their businesses and, if so, how can they address this within the complexity of day-to-day business?

In early May, Zurich Insurance released the findings of a research poll of 170 executives from medium-sized and large companies around the world. The study, conducted in January by the Economist Intelligence Unit and sponsored by Zurich, continues Zurich’s research into better understanding and mitigating risks.

The survey found there is a growing concern among organizations that natural catastrophes are becoming both more frequent and more severe, with 44% of respondents agreeing in each case. The poll looked into how well-informed organizations are about the growing risk of natural catastrophes, how well-prepared and exposed they are, and what mitigation or management processes they have in place.

The survey confirmed that companies recognize the potential risks posed by natural catastrophes, yet have insufficient mitigation plans in place. The results raise pertinent questions for risk consultants in Canada about determining the depth of risk management that an organization needs, as well as the impact of not sufficiently investigating their customer and supplier preparations.

QUESTIONS AND ANSWERS

How to do more with less?

The role of the risk manager

So how do Canadian organizations respond?

Not an easy question given that the response has to be considered within the broader context of business-critical functions and balanced against corporate expense challenges as a result of fiscal constraints.

While the survey respondents indicated that business disruptions from a natural catastrophe encompass multiple aspects of their enterprise – such as communications with customers, employee performance and the ability to protect sensitive data from theft or loss – the most severe threats were identified as coming from continuity of IT support, business-critical functions and supply chain logistics.

The survey found there is significant room for improvement in company planning and business continuity endeavours. Consider that fewer than half of respondents (45%) noted that they use some form of scenario analysis to assess the risks of natural catastrophes.

One of the challenges facing Canadian organizations today is that the country’s risk management landscape is shrinking. As Canadian organizations strive to remain competitive on a global scale while delivering shareholder value, they are feeling the squeeze of expense pressures.

The risk manager role, unfortunately, is one of the areas within organizations that has been adversely affected. This means that C-Suite executives lose the internal resource capability to effectively manage business risk, let alone a natural catastrophe. As a result, there is less technical know-how and resource(s) to address the ever-increasing natural catastrophe risk.

Without this core resource, an organization can fail to develop and implement appropriate risk management processes. Brokers and insurers can assist, but cannot replace the risk manager role that offers in-depth knowledge and understanding of business-critical functions, suppliers and customers, among other things. To prepare, an organization needs to prioritize and quantify its business and natural catastrophe risk, and then build a business case for risk management plans.

The global survey identified continuity of IT support as facing the most severe disruption (46%), followed by business-critical functions and supply-chain logistics (both 44%). Supply-chain logistics are difficult to address in the event of a natural catastrophe, as they are generally outside of an organization’s immediate control and often affect a variety of critical infrastructure.

This reinforces the importance of preparation and truly understanding the company’s exposures. Taken together, these findings indicate there is plenty of room for improvement.

One hopeful finding is that security of sensitive data is associated with a lower perceived risk of disruption. This may be a sign that companies are taking steps to protect their core IT assets even in the face of natural disasters.

About two-thirds (66%) of survey respondents reported that their companies have adopted at least one of three hardware-oriented strategies for mitigating threats to IT systems in the event of a natural disaster.

Integrated approaches to risk management

Efforts to address the interconnectivity of risk through integrated risk management remain incomplete, as the survey confirmed that only a minority of businesses has developed a comprehensive risk profile for senior management. Just 39% of respondents agreed that a single senior executive “owns” the overall risk management function, and less than one-third (31%) said that their company’s risk management strategy explicitly addresses the interconnectedness of different risk clusters.

A company should clearly explain to its insurance broker how the business works and the suppliers on which it is dependent. Only in this way can a broker work in conjunction with a client to ensure that risk management opportunities/threats are identified and planned for, and approaches to risk management, coupled with an insurance policy, are implemented and integrated. These would include the following:

1. Scenario analysis

A scenario analysis or crisis management program can assist Canadian firms better understand their exposures and the impact of these types of exposures before then working with a customer to consider and build in a contingency plan and alternative sources of supplies.

2. Enterprise-wide risk management programs

A key element of enterprise-wide risk management programs is a full integration of threats from natural catastrophes into an organization’s systems for identifying, assessing and controlling risks. The survey found that although approximately two-fifths (39%) have adopted enterprise-wide risk management, the analysis concluded that considerably more effort is required before the risks of natural catastrophes are adequately controlled.

• invest in a deep risk assessment of each supplier to understand real and potential exposures by identifying your supplier and their suppliers, determining which suppliers are more critical to the company’s ability to deliver, and understanding the bottlenecks and interdependencies for both your company and its suppliers;

• choose the right suppliers by considering both the risk and cost of selecting suppliers, knowing where your company stands in your suppliers’ priorities, and identifying and monitoring specific risks of each supplier;

• undertake the development of a business continuity plan by thinking beyond “just in time” and, instead, considering “just in case,” and creating a joint back-up plan;

• when selecting a supplier, key in on critical and single-source suppliers, follow the supply chain through all pinch points, assess the vulnerabilities and reach an understanding of customers’ suppliers and their suppliers;

• use the collected data to quantify the risk exposure, which includes quantifying the suppliers’ exposures, quantifying the supply chain transportation exposure and developing a total profile of risk to the specified supply/supplier; and

• develop loss scenarios based on the supply chain exposure by considering the potential for a single area to expose all supplies/suppliers (e.g. shipping port), looking beyond physical triggers (e.g. strike), and understanding how supply chain movement can intertwine.

3. IT planning

Particularly important progress has been achieved in the area of IT risk mitigation strategies. Almost 80% of survey respondents said tha t their organization has adopted at least one hardware-oriented and at least one employee-oriented IT risk management strategy related to natural catastrophes. And nearly 60% reported that these initiatives have been largely successful.

Consider the importance of locating IT infrastructure away from high-risk regions such as those prone to earthquake, flood or windstorm – be they in Canada or globally. This goes for both in-house IT infrastructure and outsourced IT support.

Other responses to managing IT continuity may include employee-focused strategies during emergencies, such as working from home or alternative locations, using social media or mobile devices and bringing your own device policies. No doubt using either an IT infrastructure-based solution or an employee-focused solution – or combination of the two – depends on the nature of the organization’s business.

Business risk preparedness in a new world

In today’s reality, natural catastrophes are becoming more frequent and severe, putting additional strain on Canadian employers. And for Canadian organizations with a global footprint of operations, suppliers and customers, natural catastrophes may have an even greater impact on their operations.

Companies must choose to understand and strive to manage these risks – or simply hope that they have adequate redundancy built into their operational model. Of course, having a solid insurance program in place will help to mitigate the risk.