What’s keeping corporate risk managers up at night? Allianz Global Corporate & Specialty (AGCS) addresses this question in its 2016 Risk Barometer. It will be no surprise to supply chain executives that business interruption retains its top spot for global corporate risks for the fourth year in a row. Rounding out the top five are market conditions, cyber incidents, natural catastrophes and changes in legislation.
The survey, comprised of responses from more than 800 risk managers from 44 countries, illustrates how traditional industrial risks such as fire and explosion dropped on the threat scale, allowing others to move to the forefront. A review of the key findings and shifting risk rankings has important lessons for supply chain executives across the globe.
Business Interruption and Supply Chain Risk
Business interruption remains the top peril for the fourth year in succession, with 38 percent of responses rating this as one of the three most important risks companies face. In today’s increasingly complex and interconnected corporate environment, many of the top 10 global business perils in the 2016 Risk Barometer rankings, such as cyber incidents and political risks, can also have severe business interruption implications.
AGCS insurance claims analysis reveals that business interruption losses are increasing, typically accounting for a much higher proportion of the overall loss than a decade ago. The primary driver behind these increasing losses is that interconnectivity of risk is growing day by day, as technology, globalization and social change create a complex web of relationships and interdependencies, with just-in–time and lean manufacturing now standard practices.
The primary causes of business interruption according to the 2016 Risk Barometer are natural catastrophes (51 percent), closely followed by fire and explosion (46 percent). Supplier failure ranks third (32 percent). Major loss events, such as the Japanese earthquake and Thailand floods in 2011, saw hundreds of businesses file such insurance claims, with the majority of these claims originating from companies based outside of the affected areas.
Steps to minimize this type of exposure can be taken by having alternate site operations, or by stockpiling parts or materials to handle any anticipated downtime event. Better understanding of key supplier locations and comprehensive business continuity plans are some of the ways to prepare for a supplier failure. Engaging an alternate supplier in a different region is also a prudent risk management practice based on the situation.
Increased competition, volatility and stagnation altered today’s business landscape, forcing companies into an ever-changing competitive landscape. Long-term strategic approaches are being challenged by growing system interconnectivity and interdependencies, as well as the non-stop evolution of digitization and automation solutions, and the rise of startups. As such, companies must continually develop innovative solutions in order to maintain market share.
Additionally, the setup of large, low-cost supply chain networks and manufacturing facilities globally inadvertently led to an increase in overall business exposures. As a consequence, some companies rethought their offshoring approaches, and are looking into possibly reshoring critical operations or processes.
For the first time in this report’s publication, risk involving cyber incidents moved into the top three concerns. Lack of understanding of the complexity and scope of these threats, as well as budget constraints, are the key reasons as cited by companies for not being better prepared; this, unfortunately, puts them in a reactive vs. proactive mindset and market position. As this category also includes internal glitches not caused by external hacking, many incidents go unreported and so, the actual global exposure is not known.
For example, in July 2015, stocks worth $28 million were suspended for more than three hours on the New York Stock Exchange, with authorities reporting that the interruption was not due to an external attack, such as a cyber terrorist or criminal action. During that same month, 4,900 United Airlines flights were impacted due to a network connectivity issue—again, an internal and not an external issue. The impact of cyber business interruption, triggered by internal problems such as technical failure, is something that is frequently underestimated by businesses and any interruption of the process chain—even for a minute—can cause a severe business interruption, throwing off the balance sheet of a company.
With a number of recent incidents impacting sectors such as telecoms, manufacturing, transport, media and logistics, studies show it takes an average of about 90 days for a company to discover an attack, and often, companies are not aware of cyber incidents until they are informed by customers.
Natural catastrophes, such as earthquakes, hurricanes, floods or tornadoes, are still a concern for businesses, many of which are connected to supply chain exposures across the globe. Although risk mitigation procedures are improving, often, supply chain complexity and fluidity make the full picture quite unclear, and its overall understanding very difficult. As such, a relationship between procurement and risk management departments is an essential factor needed to properly protect key facilities, critical suppliers and/or entire regions.
Changes in Legislation and Regulation
With the growth of technology comes increased concern over strict government action and regulation. The introduction of stringent legislation in a short timeframe could impact a company’s operations. Political instability, terrorism, and economic and trade sanctions can also affect clients’ flow of capital and operations.
Most notable are data protection rules, which are now becoming tougher as governments bolster cyber security. This has a significant impact for businesses, as penalties for falling foul can be severe. Strict laws in the U.S. already require companies to notify individuals of a breach. Elsewhere, the European Union is moving ahead with plans to harmonize its regime—the General Data Protection Regulation is expected in 2018.
The Importance of Diligence in Regard to Risk Understanding
Regardless of the concerns facing businesses today, it remains critical that a formal, flexible risk management process be in place to help eliminate or minimize potential exposures. A comprehensive solution involves identifying the specific risks facing one’s business, prioritizing them based on likelihood of outcome and potential loss, and creating mitigation plans for risks considered to be the highest priority. The good news is that risk managers are much more in tune these days. They scrutinize closely the business intelligence data, including maximum foreseeable losses.
Ultimately, to mitigate business interruption exposure, today’s effective risk managers are creating business continuity plans (BCPs) and business continuity management (BCM) positions. For example, a recent Manufacturers Alliance for Productivity and Innovation (MAPI ) survey of risk managers shows that 79 percent of their BCPs were started in the past five years. And to alleviate worries, the insurance industry can help by understanding risk by deeply engaging with the broker/insurer in the exposure evaluation, and ensuring that clients are buying the appropriate coverage.
Thomas K. Varney is a regional manager, North America, Allianz Risk Consulting, Allianz Global Corporate & Specialty North America.