In 2017 there were 301 catastrophic events that resulted in estimated losses of 33.7 billion dollars. The possible threats to which companies are exposed, whether due to natural, operational, geopolitical or technological causes, are numerous. Meanwhile, the impact on their production, finances, reputation and workforce can be so damaging as to call the viability of the organization into question if it does not have a good loss management program in place.
The Chinese use two strokes to write the word “crisis”: wei-chi. One stroke means “danger” and the other “opportunity”. And the fact is proper management of a major catastrophe can even strengthen corporate structure, avoiding large financial losses and allowing the company to preserve its reputation.
Corporations must never underestimate the possibility of suffering a major mishap: natural disasters, cyber attacks, acts of terrorism, wars, environmental damage. While unlikely, companies are exposed to a wide range of possible threats.
According to the most recent reports by the main insurance entities, interruption of business is at the top of the list of global risks most feared by corporations, due to its devestating effect on revenue. Interruption of business activity may arise from a number of scenarios, including material losses resulting from natural disasters, fires at facilities that affect the supply chain and cyber incidents, which, while not causing material losses, can result in major financial losses.
The World Economic Forum, in its “2018 Global risks report” indicates that one of the greatest dangers we face today is environmental danger (due both to probability and magnitude). These dangers have been increasing for some time now, as evidenced by the proliferation in 2017 of the high incidence of hurricanes, coupled with extreme temperatures and the first increase in CO2 emissions in four years.The European Environmental Agency has raised the cost of these types of events to 43 billion euros over the last 35 years (more than 12 billion euros a year).
Graph. Evolution of catastrophic events in the world (1970-2017)
Also increasing significantly are high-impact cyber threats, such as the recent WannaCry attack, which affected 300,000 computers in 150 countries, and the NotPetya attack, which last year caused quarterly losses of 300 million dollars to several affected companies. Today, the seriousness of the threat posed by employing cyber attacks against vital infrastructures and strategic industrial sectors is undeniable.
Political risks, resulting from wars, terrorist attacks or uprisings, and encouraged by growing military tensions and economic and commercial interruptions between countries, are also putting corporations around the world on alert.
These growing threats have a particular impact on the financial sector, as the Sigma studio conducted by the reinsurance company Swiss Re reveals. The study calls attention to the fact that during 2017, there were 301 catastrophic events (natural or due to human involvement), which generated overall losses estimated at 33.7 billion dollars. While the number of incidents was less compared to 2016, the economic shortfalls nearly doubled and, in fact, were much higher than the average for the previous decade, which is 19 billion dollars.
Importance of the BCP
A business continuity plan (BCP) is a logistics plan for the practice of how an organization should recover and restore partially or totally interrupted critical functions within a predetermined time after an undesired interruption or a disaster.
“43% of companies that experience a catastrophe without having a BCP in place never resume their activity.”
With so many dangers, the first step that a company must take if it does not want its future to be jeopardized is prevention. Actions taken during and after a catastrophe should be based on a prior corporate protocol designed to handle the event. For this, the preparation of a contingency or business continuity plan (BCP) is crucial .This comprehensive management tool allows for identifying the exposure of the organization to external and internal threats and establishing appropriate measures to prevent catastrophes and recover from them in case they occur.
The main objective of a contingency plan is to guarantee the functionality of the organization at a minimum acceptable level during an incident, reducing both the impact of the disaster and its duration.
The plan must include several stages:
“The average property insurance claim for a severe BI is currently more than 1.7 million euros.”
1. Analysis: This is based on identifying threats and setting the maximum tolerable period of interruption of production, in addition to determining which activities are critical and the plausible recovery time.
2. Strategy: A strategy allows for defining action procedures on the basis of the prior analysis and the resources (internal and external) needed for its implementation.
3. Response: Recovery strategies will be implemented, establishing the levels of priority in rehabilitating the organization’s infrastructure and involving all the elements affected (human and technical).
4. Testing: Annual simulations using monitoring tools are required to detect deficiencies, implement new resources, adapt to social and corporate evolution and, if necessary, amend protocols.
5. Awareness: Employees need BCP training according to production areas, establishing technical support resources for this training. Also, suppliers and customers must be informed of the contingency plan.
These management models are so important that 43% of companies that experience a catastrophe without a BCP never resume their activity, 51% disappear over the next two years and only 6% are able to survive over the long term, as the Emergency Management Forum highlighted.
What is clear is that a catastrophic event allows for a thorough assessment of the company’s reaction capacity in the face of unexpected incidents, analyzing vulnerabilities and enabling strengthening the corporation in a comprehensive way, both regarding its material components (infrastructure and resources) and organizational elements (logistics, departmental structure).
“The Emergency Management Committee must activate the contingency plan as soon as possible. This will allow for proactive understanding of the possible impact on people, property and operations.”
For this reason, the moments following a major loss are vitally important for the company’s future. The Crisis Management Committee, made up of managers from the different areas within the organization, must assess first of all the scope of the impact and its immediate repercussions.
The emergency response must first ensure the safety of employees, mitigate the spread of consequential events related to the catastrophe and protect physical assets. After guaranteeing these elements, the Crisis Management Committee must activate the contingency plan as soon as possible. This will allow for proactively appreciating the possible impact on people, property and operations.
Added to the direct losses caused by the incident (replacing and rehabilitating damaged installations) are other indirect losses that tend to have more of a financial impact. These include ones caused by loss of profit due to the interruption of business activity, which require prior insurance coverage by the company.
These damages are not only reflected in decrease in revenue over long periods of time but also entail the serious risk of losing market share in especially competitive environments, such as today’s. The result is loss of corporate value, which tends to be further aggravated by damage to the image caused by the incident.
Graph. Losses associated with the main business risks (percentage)
People and information: Keys
Even when the disaster has nothing whatsover to do with corporate accountability, as in the case of natural disasters, the company’s reputation is still shaken by these events. There is an 80% chance that a company that trades on the stock market loses 20% of its equity value in just one month because of a crisis affecting its reputation and continues suffering from this loss for five years, according to a study by Aon, which in its latest “Global risk management survey” indicated that damage to a company’s reputation and brand is the greatest risk to which a company is exposed.
For this reason, corporations that know how to respond to a catastrophe effectively place the initial focus on people and manage public exposure of the event efficiently.
Information management and communication are crucial when a major incident occurs. This management must take place at two levels:
– Internal. Employees, suppliers, customers, investors and shareholders must be informed of the scope of the disaster and how it impacts them. Internal communication protocols must be updated and verified in order to operate with the required efficiency and coordination, filter details according to the interest of each group and explain the measures being adopted to resume business operations, in line with the strategies established in the BCP.
– Public opinion. Managing the public presentation of the impact of the disaster is important. It is therefore advisable to consult crisis communication professionals, who know how to adapt the content of the messages and work with exposure times. These communication experts will always transmit messages accurately, immediately and transparently, providing certainty and control over the incident,
The affected company must never forget that the speed with which relevant and technical data are obtained and transmitted adds credibility in the eyes of all kinds of public (connected to the company or outside it). This is why is it is crucial that the messages are always approved by the professionals that manage the crisis so as to avoid contradictory statements, as well as clearly establishing the sole agents who will have the capacity to report, thus controlling leaks by unauthorized personnel.
Graph. Main risks for companies