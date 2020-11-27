Threat radar

The COVID-19 pandemic crashed into our lives abruptly and all-consumingly – and it’s irrevocably changed the way we do business globally. This new threat is now firmly on our radar. But significant existing threats haven’t gone away. In fact, cybercrime and climate change are still on our doorsteps and can have devastating consequences for businesses. In many ways, their ability to unleash havoc financially and reputationally is greater than ever at this time of economic uncertainty. Organisations need to ask themselves this pertinent question: given the existing disruption to business continuity, could we realistically withstand a serious cyberattack or flood?

Recovery first

Redefining resilience in a post-pandemic world, therefore, needs to focus on recovery as well as growth, with stringent risk management strategies based on a when, not if approach – and all directed by the Board. As this article will uncover, resilience is a choice, even at times of unprecedented volatility.

The pandemic has had a negative impact on the ability for companies to put money aside and invest, says Andrew Bryson, FM Global’s Operations Senior Vice President, Operations Manager, London Operations.

“However, it’s also highlighted the extraordinary impact a grey or black swan event can have. Risk management, therefore, needs to be a central focus of the Board. There may be more pressure on bottom lines and cash reserves - and a reduction in spending could impact the willingness of senior management to invest in risk mitigation. And yet, it’s essential to protect the future health of the business.”

Greater vulnerabilities

Cybercrime is certainly a healthy ‘business’ right now, with cyber risk simultaneously expanding due to the pandemic. Organisations are grappling with updating cyber defences apace with the accelerated digitalisation remote working has enforced, while ‘bad actors’ have many more access points to get behind firewalls and wreak havoc. This means companies are more vulnerable than ever. Given this context, hacks and data breaches have, unsurprisingly, been ubiquitous recently. To name just one, global transport and logistics conglomerate Maersk has reported $200-300 million in losses following a malware cyberattack in June this year, that disrupted its critical systems. The outage froze revenue from several of its shipping container lines for weeks.

‘It’s going to get worse’

The UK’s National Cyber Security Centre (NSCS) recent annual report states that more than a quarter of incidents it’s responded to in the past year have been COVID-19-related. This, as business operations become more complex, in particular vis-à-vis interruptions to and the changing nature of global supply chains. It’s grim reading, but statistics used by World Economic Forum estimate that cyber damage in 2021 could reach $6 trillion – equivalent to the GDP of the world’s third largest economy. In the words of the former head of the US National Security Agency, Michael Rogers, “The attack surface has just exploded..{..}..It’s going to get worse before it gets better.” And it appears that manufacturing is now most attacked industry, allegedly representing almost a third of all UK and Ireland cyberattacks.

Physical & digital damage

These poignant figures and predictions are not to scare-monger, but to convey a much-needed sense of urgency when it comes to re-defining resilience. Cyberattacks can cross borders and damage physical and digital infrastructure. The physical impact alone can be significant; business interruptions and damaged equipment are costly to resolve. Paradoxically, that expense is often overlooked, as organisations focus on data security.

Board priority

Against this backdrop, risk management needs to be a Board priority – especially as the risk landscape changed overnight when COVID-19, ‘the biggest technology disruptor’ struck. Mitigating risk is the mark of a resilient company, and demonstrates a proactive ability to withstand disruption before, during and after a loss. Cyber insurance is only one piece of loss mitigation and prevention puzzle. It doesn’t cover the reputational impact on a business. FM Global’s Cyber Risk Assessment Tool is a good place to start, while its Total Financial Loss Modelling helps businesses estimate the impact of a large disruption on its enterprise value.

Apart from the obvious damage to data and physical property, many of the consequences of cyber incidents are hidden and hard to quantify, warns FM Global’s Andrew Bryson.

“An impairment in investor confidence, caused by a data breach or a hack, will significantly impact the company’s reputation for handling third party data - let alone the disruption to business. Imagine this: you’re in the middle of a pandemic, then your key utility – your IT – is taken off you and it immediately paralyses your business. These intangibles of loss are hard to quantify, but they can unleash long-term negatives consequences.”

Climate hazards & COVID-19

We are far from winning the war against COVID-19; the same rings true for the fight against climate change. Despite a brief respite in C02 emissions during the initial lockdown phases, this existential risk rumbles on. What’s more, the cascade of pandemic disruption seems to have shifted the emphasis away from climate change.

Extreme environmental events

And yet, 2020 alone has issued a stark reminder of what those are. Concentrations of major greenhouse gases are increasing, with 2016-2020 being warmest five years on record. From California wildfires to China’s unrelenting flooding, Hurricanes Zeta, Epsilon and recent torrential downpours and flooding in the UK, extreme environmental events triggered by increasing global temperatures are on the up. Let’s not forget the trilogy of hurricanes in North America in 2017. Harvey, Irma and Maria caused total economic damage in excess of $337bn. However, the insured losses amounted to only $144 billion, meaning that nearly $200 billion of losses were born directly by businesses. Against this backdrop, tools like FM Global’s Natural Hazard Maps allow businesses to see if they sit in a vulnerable area.

Protect value & revenue

Despite these significant risks, as organisations reduce spending or attempt to protect cash reserves, longer-term mitigation strategies may be put on hold or cancelled – leaving them vulnerable to costly climate hazards. In fact, FM Global research has shown that more than 77 percent of CEOs and CFOs at the world’s largest companies admit their firms are not fully prepared for the adverse financial impact of our changing climate. It is savvy business sense to remember that losses emanating from climate-related events can be mitigated against, to help protect value and revenue.

Double disaster

Put simply, no organisation in the world would want to face catastrophic losses from a climate hazard and pandemic simultaneously. Understanding and mitigating against risks – such as flooding – should not be put on the backburner, even in times of chaos. And as production is ramped up again, and when ‘business as usual’ is resumed, organisations will want to be on the front foot, not clambering back from preventable financial ruin. Good governance is therefore needed more than ever, with investors increasingly looking to CFOs and CEOs to increase climate resilience, according to Andrew Bryson:

“Climate change is an ever-present risk. Its impacts, therefore, need to remain front of mind for Boards. Global supply chains introduce the threat of operations in natural catastrophe prone areas. It’s important to highlight where those exposures may be. Are your suppliers’ facilities on a coastal plain where they could be affected by a storm surge, for example? Resilience – through effective risk mitigation strategies - ensures that if an organisation is hit by a natural catastrophe event, even along its supply chain, the damage it sustains is manageable. Put simply, a proactive approach versus being caught on the backfoot is the difference between night and day when it comes to recovering from a shock event.”

A proactive stance

The shocking global COVID-19 pandemic has shifted the threat focus, adding another risk to the agenda of global businesses. However, it’s clear that organisations still need to be aware of the increasing threat of cybercrime and the long-term implications of climate change. Risk mitigation is what’s redefining resilience in our post-pandemic world, with recovery now as important as growth. When businesses proactively understand their specific risks and what to do about them to prevent loss, they are choosing resilience over inaction – and gaining competitive advantage.

