2018 really did throw a lot of challenges at us, and things don’t seem to be backing off as we think about what 2019 has in store for us from a risk perspective. Economic and political fluctuations, cyber, technology and the complexities around the interconnectedness of risk are all expected to be chief concerns for business leaders, our latest Risk and Confidence research tells us.
The risk landscape has arguably never been so hard to navigate, but being in the business of risk, we understand the terrain is constantly changing and more often than not, resulting in new challenges for us to manage as part of the solution.
This is why planning for the impact of new risks, or indeed, the effect of a minor modification to current exposures within a risk portfolio is a crucial foundation for any risk management strategy. So, as businesses review their own response to risk in early 2019, they should all be asking themselves: are we keeping our business continuity plan up to date?
Well documented incidents
Last year, a number of events demonstrated the importance of having a current business continuity plan, which has adequately assessed current and emerging threats. Take the Marriott Hotel chain data breach, where the privacy of over 500million guests had been compromised since 2014. If you sit on the board of a company, or are part of the executive management team, this latest hack is yet another reminder that cyber risk needs to be at or towards the top of your business continuity plan agenda.
Business leaders should be asking some particularly hard questions about their company’s cyber preparedness, specifically whether the control environment is in alignment with the level of risk the business believes it has accepted. The difficult reality is that they are likely to discover they are not where they thought they were.
Another recent example is the utter chaos caused by drones flying over Gatwick airport in December, one of the UK’s busiest airports. This event once again highlighted challenges with the control environment and demonstrated the potential disruption an incident like this would create to the running of multiple businesses and industries that rely on Gatwick airport operating.
Business Continuity Plan objectives
While we can learn from these incidents, these events also act as an important reminder – loss prevention is better than cure.
As we consider both the findings of the report and what other risks might impact multinational businesses moving forward, below are a list of questions businesses should be considering when thinking about what their Business Continuity Plan objectives should be in early 2019:
1. Is your business continuity plan current?
This might seem like an obvious question, but more often than not, business continuity plans are often duplicated on an annual basis with very little thought given to how new exposures might impact what plan is already in place.
A business continuity plan should be a living document that is constantly reviewed in light of any significant changes that could impact on what is in place, even if the change might be something relatively minor.
The culture around risk within a business plays a hugely important part in the overall success of a business continuity plan and its relevancy. In an ideal world, business leaders should be using a business continuity document as they’re making changes to the business, to ensure they are constantly building in business resilience as part of the development organisation. It’s about having fewer hazards, less threats and less loss potential.
2. What technological changes or modifications are you planning on making this year and what is your formal management of change process for this modification?
With the changes you are making, it’s crucial to think about how these changes will impact on your overall business resilience and ability to recover in the event of an unplanned outage. However, when it comes to technology and the impact it may have on a business continuity plan, you are never really ‘done’.
New technical vulnerabilities are discovered every day; every business process change can create unintended process or system vulnerabilities. The cyber risk exposure needs to be effectively managed, utilising effective loss prevention techniques, with the help of specialist advice.
3. Within your organisation, do you have clear responsibilities and accountabilities relating to the five main risk factors our research has identified (Economic, Political, Cyber, Technology, Interconnected risk)?
Minor changes can have a big impact on business continuity planning if you’re not aware of threats or the consequences to your business and we are observing more than ever the need for effective oversight of these challenging risk areas.
Within your organisation, does your management of change process effectively identify changes in your supply chain which could have a significant impact on the resilience of your business. For example, the merger of two independent suppliers, into a single supplier of a key raw material?
With the increased usage of technology including web interfacing products, does your organisation have adequate business resilience in the event of an issue with the technology solution, for example a synchronized independent back-up mirror web system facility or the ability to manually process customer orders in the event of a technology system which has an extended period of unplanned downtime (e.g. cyber ransomware attack)?
For further advice and information on Business Continuity Planning, see how out Guidance Notes can assist you: Risk Management Services
By Stuart Kenyon, AVP, Risk Control, CNA Hardy
Email: [email protected]
Direct: +44 (0)20 7648 2658