Resilience is a buzzword in boardrooms in the UK at the moment, but for a VERY good reason.
Control Risks, the heavyweight global business risk consultancy, recently published a survey on “The State of Enterprise Resilience” for 2016-17.
[The State of Enterprise Resilience Survey 2016/7 – https://www.controlrisks.com/en/services/security-risk/the-state-of-enterprise-resilience-survey-2016-2017]
They explain business resilience as “an organisation being able to identify, analyse, and implement planning to be better able to recover or ‘bounce back’ from disruptive events”.
Researchers interviewed 144 global organisations about the disruptive external threats they were worried about in the upcoming year. The report lists seventeen challenges including political and security instability, terrorism, pressure group protest, loss of utilities, loss of telecommunications, current volatility and regulatory change.
It reads rather like a CEO’s bad dream, and has hopefully been the catalyst for a few uncomfortable conversations amongst business owners and board members.
As predicted, cyber security was the number one threat, with 47% of respondents saying that this was their primary concern. The report ascribes this worry to the growing volume of cyber breaches, and the fact that clients are “not yet sure on how to best manage this complex, powerful and evolving risk to their business”.
Absolutely correct. And as we’ve said many times in the past, it’s the fact that the threat continually evolves and changes, which makes it such a complex challenge.
However, as well as cyber security, other major concerns include “political and security instability”, “terrorism” and “regulatory change”. Of course, once Brexit and the new President of the United States are factored in, it’s not hard to understand why businesses are concerned about economic unpredictability.
Ensuring that employees, buildings and other assets remain safe against the risk of terrorism has become an urgent matter, especially with the number of “lone wolf” terrorist attacks in America, the Paris attack in 2015 and Berlin attack in the latter half of 2016. The threat of a high-profile attack against a major Western city is a major fear for urban businesses, especially those with headquarters in large cities.
Political instability leaves financial markets fragile, volatile and vulnerable. According to the Financial Times, British businesses consider Brexit to be the biggest risk they currently face, ahead of economic weakness in the euro area and the UK. The EU is the UK’s largest export partner, accounting for around 45% of total UK exports, and leaving the EU is likely to make trade with the EU more difficult and expensive, as well as leaving a skills shortage in some industries.
Worryingly, according to the Control Risks report, 65% of the 144 respondents had experienced a disruption in the last 12 months, but only 5% of respondents felt their organisation was highly capable of withstanding disruptive events, mainly down to the fact that they felt their organisation lacked the staff or talent to drive resilience forwards.
So how can a Board build resilience in their organisation?
In our experience, those businesses that have a realistic, even pessimistic, view of the risks in the corporate world, and take the time and money to develop ways to prepare for those challenges, will be far more successful than their optimistic competitors whose leaders are not prepared for future threats.
- Building a risk management plan and business impact analysis are important parts of improving resilience. Only by assessing and planning for the potential risks to your business can an organisation find ways to minimise their impacts and recover quickly if an incident occurs.
- All risk management projects, no matter how small, should be shared across every operational discipline, and meetings need to be organised across departments to share best practice and identify those with essential skills.
- Determine insurance needs and obtain coverage. Senior management need to consider cyber security insurance seriously, and obtain the correct coverage for their business.
- Train employees. Teaching employees how to avoid risks, and how to deal with a risk if it occurs, can help the business avoid further damage or avoid exposing itself to risk in the first place. Training on resilience can help employees collaborate, communicate effectively and understand what they need to do if everything goes wrong.
- Update plans. Even the best of planning efforts may fall short, so when the business is exposed to a risk, react accordingly and then put a formal plan and procedure in place in case the same risk occurs again.
And finally, in our opinion, the most important thing is for Boards to put aside enough time and allocate a realistic budget and enough resources to prepare effectively for any disruptive event. Not just cyber. Only this will allow a business to quickly respond to an external challenge and rapidly recover to previous operating standards.
2-sec are experts in helping businesses create effective risk management plans to increase their business resilience. Please get in touch and we will be more than happy to help.