Natural disasters, human errors and terrorist attacks are just a few examples of events that can have enormous consequences for an activity.
Knowing the risks, preparing management and response plans, and knowing how to implement them in time of need are essential requirements for any activity. We will discover how large companies have faced crises that otherwise would have destroyed them, and we will learn how these experiences can help any company prepare for the worst.
It’s not about if it will happen, it’s about when.
The catastrophic events collected in the acronym DISRUPT
In recent years, more and more companies are finding themselves dealing with catastrophic events, and consequently they are changing their approach to the risk of business interruptions.
There are six main factors that have brought risk management to the fore.
These factors are often summarized with the acronym DISRUPT:
- Interdependencies – a denser network of interdependence between companies and services, for which an interruption risks affecting the entire supply chain;
- Short-term focus – the reduction of business cycle times, which leads to a more focused mentality on the present;
- Regulatory compliance – state risk prevention laws become increasingly specific and comprehensive;
- Urban concentration – urbanization goes hand in hand with the growth of some companies, and this increases the risks linked to the activities;
- Greater Probability of shocks – what appear to be minor risks in the long term tend to accumulate;
- Pressure for Transparency – companies are increasingly subject to scrutiny by the media and the public, and therefore interruptions also tend to play an increasingly important role in their public image.
Responsibility for a company’s readiness often falls on administrators, managers and managers, who are increasingly required to deal with risk planning and management.
If your organization has not yet faced a serious outage or crisis, the question to ask is not if it will happen, but when.
Disasters such as the terrorist attacks of 2001, Hurricane Katrina of 2005, the financial crisis of 2008-2009, and the earthquake in Japan of 2011 have led many companies to work more on predicting catastrophic risks, and to build risk management programs more robust, ready to be implemented in case of need.
Companies must be ready to imagine the unimaginable, plan response strategies, and prepare to face the worst.
Entrepreneurial decisions to manage interruptions
Managerial decisions are often made following an intuitive thought, characterized by different biases , that is, prejudices that lead not to face a situation objectively.
Among these, for example, there is the availability bias, or the tendency to base one’s own risk calculations using only the information available, thus leaving aside eventualities that have never occurred in personal or corporate experience.
When it comes to catastrophic events, therefore with low probability but high impact, a common trend is to underestimate the impact of events that have never occurred in the past, and to focus too much on events that have already happened.
Another bias that negatively affects managerial decisions is the status quo bias, or the tendency to try to keep a situation that seems stable unchanged.
All these arguments are part of an intuitive thought, which tends to be very personal, and therefore not to fully analyze a situation.
A deliberative approach, on the other hand, places greater attention on a systematic analysis, in addition to more complex decision protocols, both essential factors to guarantee the readiness of a company to face catastrophic scenarios.
Although the costs of designing and implementing these strategies are high, a positive aspect is that more executives are now ready to adopt a deliberative approach, having a greater awareness of the bias and that can lead them to make badly informed decisions, in addition to a greater openness to learning from the experiences of other companies that have faced similar situations.
The risk appetite of a company represents the type and quantity of risks it is willing to take to achieve its objectives. It is opposed to risk tolerance, or the maximum loss that it is willing to accept against a given risk.
Many companies have developed a deliberative risk-analysis cycle. Learning from past experience, the company identifies and assesses the dangers it could face, after which it establishes appetite and risk tolerance, the foundations on which to build its risk management strategies.
A large risk appetite requires greater tolerance for interruptions. Finding the right balance between the two measures has become an essential part of company resolutions, and can explain the growing importance that the role of Chief Risk Officer has assumed in many companies.
Risk management and crisis response strategies, combined with a company’s culture, are the main ingredients of the deliberative approach adopted by many large companies.
Many risk management strategies have emerged following large-scale disruptions faced by various companies since the 2000s, including the 2001 attacks and the 2008-2009 crisis. Companies are also learning from their own experiences, even in cases where catastrophes have been avoided by a whisker.
Companies are struggling to prepare and manage adverse events, disruptions, and crises, more comprehensively, in the area of corporate risk management and business continuity planning.
Some practical tools used in the preparation field are:
- risk models;
- systematic risk reduction;
- improved communications;
- strengthening of suppliers;
- creation of a network of contacts between competitors;
- promotion of production continuity;
- anticipation of future outages.
What companies affected by a crisis do
When a crisis strikes a company, if administrators, managers and managers have already implemented a risk management culture that allows them to respond promptly and in a targeted manner, companies will be ready to face and overcome these interruptions.
Personal knowledge and mutual trust between the crisis teams of a company and its managers are an excellent starting point for rapid mobilization in the event of a crisis.
Some fundamental elements for the recovery of a company are an organized and prepared management, the readiness to promptly initiate response actions, a good series of risk indicators, in addition to the real-time availability of data relating to potential risk situations.
Company boards are increasingly involved in strategies, and directors often take deliberative roles, driving strategies, helping to define appetite and risk tolerance.
The search for directors with previous experience in risk management can empower the entire board. They are responsible for identifying the dangers in company operations that can lead to disruptions or disastrous consequences, if not detected and mitigated.
Keeping directors informed of business operations can help them prioritize risk management strategies and make them an integral part of board resolutions.
A well-informed director can help identify risk factors in new business operations, and decide in which cases a more detailed risk study should be performed. It is important that managers are able to clearly distinguish between the risks they must be directly concerned with and those that should instead be entrusted to other corporate bodies. Catastrophic risks deserve the attention of all directors, not just specialists or a special commission.
Donations following disasters, whether for relief or victim support, are increasingly becoming an integral part of corporate strategies. This is a very important aspect, given the scale of some catastrophes, which would otherwise be borne by governments, humanitarian organizations and communities.
It should also be considered that if areas in which the company operates directly are affected, it is also in the company’s interest to give strong support to the community, in order to mitigate the negative effects on its operations.
Compared to traditional channels, moreover, aid from companies tends to be faster, having fewer bureaucratic passages, and can be much more targeted, going to help those who need it most.
In addition to implementing strategies to deal with the catastrophes that directly affect them, more and more companies are developing support plans for geographic areas or companies that are going through difficult times.
How companies are changing the way they approach risk
A further fundamental aspect that is characterizing this approach to risk is a new level of transparency as regards risks. Companies are increasingly publicly discussing the risks they face. All this new information is useful for all companies in a given sector, who find themselves able to benefit from this shared knowledge, drawing lessons from those who have already faced certain situations.
In recent years, rating agencies have also started to include in their reports a real assessment of a company’s ability to organize itself in risk management, analyzing its emergency plans and mitigation strategies, rewarding companies that demonstrate a great readiness, penalizing instead those that do not give enough importance to this aspect.
Among the various factors that companies perceive as possible sources of risk, there are often national governments. From tax laws to workplace safety laws, the relationship between the company and the state is often difficult, and new laws passed by a government agency can put a company in serious difficulty.
Failure to comply with these rules can lead not only to fines and measures that risk damaging an activity economically, but also to a damage to the image, from which it is often much more difficult to recover, and which risks persecuting a company for many years to come.
On the other hand, however, the government has a fundamental role in mitigating some issues that companies could not face alone. Think for example of laws that are created with the aim of preventing economic and financial collapses, rather than interventions in areas affected by natural disasters.
Risk is a fundamental part of the investment sector, and companies are increasingly sharing information about their risks, and the strategies related to them, with investors and shareholders.
Given the spread of a deliberative approach to this type of problem, investors and shareholders are becoming increasingly demanding with the directors and managers, to the point of requiring the resignation of those who demonstrate that they are not prepared.
In essence, how can a company be sure to follow the necessary steps to be ready in the event of a catastrophic event?
- The first step is not to delude oneself that it cannot happen to us. Let’s imagine five catastrophes that could affect the company in the near future.
- We involve all levels of the company organization chart, and outline response and management programs. We recognize the biases that influence our strategies and forecasts, and try to reformulate them in the light of new information.
- We identify the concrete risks that our business includes, and we prioritize those that require immediate action. We use the feedback provided by executives and managers to understand which events are likely to impact the entire company.
- We define appetite and tolerance for risk at the company level, and we immediately invest in measures aimed at protecting ourselves from possible interruptions.
- We learn from past negative experiences, not only lived directly, but also from those lived by other companies in the sector.
- We plan recovery strategies, so as to be ready to get back on our feet even in the worst case scenario.
- We use risk transfer techniques, such as insurance and other forms of protection against catastrophic events.
- We are committed to attracting and training the directors of the future, who have a clear vision of what risk management means today, in order to be ready to face a future in which it will be an increasingly important element of business management.
ln a world where catastrophic risks have an increasing impact on companies, the only way to survive a similar event is to not be caught unprepared.