Risk Management

Planning for the inevitable major business disruption

Organizations say interruptions can impact productivity, harm reputation, and hit pocketbooks.
Francis Scialabba


We’re in an era that’s plagued by an increasing threat of climate catastrophes and rapidly evolving cybersecurity threats. Risks like these (and many others) could mean costly disruptions to businesses of all shapes and sizes.

It might seem that risk management and business continuity planning for these innumerable risks are must-do items for organizations. But they aren’t, according to Jennifer Elder, an expert on the topic.

“A lot of organizations don’t do business continuity planning until they’ve experienced a disaster, and they go, ‘Yeah, we should have thought about this before,’” Elder, who is CEO of The Sustainable CFO and co-author of the book Faster Disaster Recovery: The Business Owner’s Guide to Developing a Business Continuity Plan, told CFO Brew.

It’s also far from guaranteed that a business continuity strategy benefits from regular testing or review. According to Gartner research, fewer than one-third of manufacturers said their recovery strategies were “tested and/or walked through as part of an annual business continuity management (BCM) testing exercise.”

Thankfully, business continuity experts are here to help navigate the vast threat landscape.

Understanding the threats

It doesn’t take a hurricane to disrupt business as usual. In a recent report, Gartner identified common business continuity risks that businesses face, including:

  • IT disruptions, such as a ransomware attack or unscheduled outage
  • Loss of a supplier or business partner, such as a logistics provider
  • Loss of workforce because of major accidents or workplace violence
  • Loss of utilities in the wake of natural disasters
  • Infrastructure failures

Disruptive events that interrupt business occur more often than you may think. A 2023 Gartner survey found that 53% of supply chain organizations “were severely disrupted over 50% of the time” the year prior.

Another Gartner survey found that one-third of organizations’ supply chains weren’t equipped to minimize losses to the business if a “strategic supplier shut down indefinitely” within the next three months, and another 41% of supply chains couldn’t minimize losses if a storm destroyed a central warehouse within the next two weeks.

As part of its most recent annual “Horizon Scan Report,” the Business Continuity Institute (BCI) surveyed 251 organizations across 52 countries and 18 sectors between late July and late August of last year.

About one-fifth of organizations told BCI that an IT or telecom outage was their most disruptive event over the last 12 months (so, roughly from mid-2022 to mid-2023), making it the most common big disruption for that time period. Following it were critical infrastructure failures (10.9%), extreme weather (10.2%), cyberattacks (6.1%), and a lack or loss of talent (5.4%).

The greatest consequences of these disruptions were loss of productivity (63.7%), customer complaints (37%), a blow to staff morale and wellbeing (34.9%), reputational damage (33.5%), and loss of revenue (29.4%).

Looking ahead, the BCI identified cyberattacks as the biggest disruptive threat to organizations, both in the near term (12 months) and mid to long term (5–10 years). Extreme weather and IT outages were other major near-term challenges, while climate risk and supply chain issues were other major long-term risks.

According to the BCI, “organizations are facing a wider range of risks, as well as increasing occurrences of multiple, major incidents happening at the same time.”

Business continuity planning for an eventual, perhaps inevitable, disruption

Experts spoke to CFO Brew about strategies for crafting business continuity plans for organizations concerned with the consequences of major disruptions.

Elder recommended that organizations take as little as half a day to think through the various scenarios that could prevent them from working.

She recalled her time working for a Florida-based homebuilder in 2004. This was the year the Sunshine State suffered four hurricanes in just six weeks. Hurricanes Charley, Frances, Ivan, and Jeanne caused more than $45 billion worth of damages and poured 30 inches of rain over the state, according to the South Florida Water Management District.

The company where Elder worked “didn’t have a disaster plan for hurricanes,” she said. At first, when no one at the company knew what to do, “it was just chaos,” she recalled.

“By the third one, we had a process in place, and it’s not that it was emotionally easier, but it certainly wasn’t chaos,” she said.

Businesses should prioritize their risk assessments to “areas of the organization that drive business value,” according to the Gartner report. Their plans should list, in order of importance, the activities that need to come back online first once a disruption occurs. Businesses should also “confirm plan effectiveness on a regular basis by developing governance covering all prioritized locations and activities,” according to Gartner.

Insuring against business interruption risk

Of course, as with virtually every business risk that needs managing, there are options to transfer those risks via insurance coverage.

Business interruption (BI) insurance can cover expenses such as profit reimbursement, fixed costs, temporary locations, employee wages, and more, according to Risk Strategies. The insurance kicks in for losses directly resulting from physical damage, and the losses must come from an event listed on the organization’s commercial property insurance policy, according to the insurance broker.

BI insurance can be “a lot more complicated than people understand,” so it’s important that organizations understand what events their policy actually covers, Elder said.

“In some cases, business interruption only kicks in if another covered loss occurs,” she said. “But what if your business is interrupted by something that is not covered?” As an example, many insurers did not cover losses related to disruptions due to the Covid-19 pandemic, she noted.

Elder recommended companies “have a heart-to-heart with your insurance broker every year” to understand the exceptions (provisions that waive certain risks or events) in their policies and whether their deductibles have changed, and to ensure the policies cover any new property or equipment they’ve recently acquired.

In the event a disruption does occur, Risk Strategies laid out some best practices for filing a BI claim. Organizations should, among other things, get an adjuster on site as soon as possible, determine the outcome they want (rebuilding on the same site vs. relocating), maintain regular and open communication with the adjuster, and document everything, according to Risk Strategies.

“The early days after a business interruption event are key,” Risk Strategies wrote.

A cyber insurance policy, for its part, typically includes important tools and resources to help organizations manage cyber risk and respond to cyber incidents. For instance, property/casualty insurance giant Chubb notes on its website that its incident response team, which is comprised of independent contractors and made available to insured organizations during a covered cyber incident, provides “legal, computer forensic, notification, call center, public relations, crisis communications, fraud consultation, credit monitoring and identity restoration advice and services.”
