At a glance
In the great global pantheon of corporate risks, business interruption in all its many forms still ranks as the most prevalent and feared.
For its 2018 Risk Barometer report, global insurance firm Allianz sampled 1900 business respondents in 88 countries. While general business interrupters (including supply chain failures, natural disasters and factory fires) remain the top risks for companies worldwide (42 per cent of respondents), cyber risk (number two, with 40 per cent of respondents) is the most feared. Five years ago, it ranked just 15th.
Right now, cyber attacks are not just physical disrupters, they’re mental disrupters. Last year’s high-profile ransomware attacks, Petya, NotPetya and WannaCry, have left their mark on the collective corporate psyche. You can always build another factory and fix a broken email server, but the very idea of sensitive business data – as well as the entire footprint of a company’s corporate and human interactions – being held to ransom by a hostile third party is deeply disturbing.
However, these fears may result in mistaken assumptions. While there’s been much press coverage and talk about ransomware attacks, they are infrequent, albeit potentially devastating.
While cyber risk may loom large in the minds of those in the C-suite, the reality is that the bulk of disaster scenarios across Australia and throughout Asia relate to physical infrastructure.
Mark Mitchell, regional CEO Asia at Allianz Global Corporate & Specialty (AGCS) in Singapore, says fire and explosions do the most damage, accounting for 59 per cent of the company’s business interruption insurance claims in the period 2011-2014, by value. In many instances, these types of disaster come down to human error.
The 2015 explosion in the port city of Tianjin, China, killed 173 people and is estimated to have cost US$3.3 billion. It was the largest man-made loss in 2015, and the largest to date in Asia. It’s believed highly flammable nitrocellulose was allowed to dry out and self-ignite, and it then set fire to other chemicals stored nearby.
Many companies are also counting the cost from havoc wrought by natural catastrophes in Asia, such as the losses from Typhoon Hato and floods in China last year. Hato produced a severe windstorm and an accompanying storm surge and was one of the strongest typhoons in southern China in 50 years. Market analysts put economic losses at approximately US$1.42 billion.
Typhoons Haiyan (2013) and Rammasun (2014) also caused widespread damage when they made landfall.
This should suggest that climate change is the real interrupter, but it ranks a mere 10th on the Allianz risk barometer. Clearly, many business leaders are still not seeing a link between climate change and one of the most important risks companies face in 2018 – supply chain disruption.
Automotive and electronics companies in Europe and the US suffered severe losses when suppliers in Japan were unable to produce vital components following the Tohoku earthquake and subsequent tsunami in 2011. Similar losses were experienced by global companies later that year, when widespread flooding affected clusters of manufacturers in Thailand.
Australia, too, is over-exposed. Further, its manufacturing base is shrinking. Natural disasters can hit Australian businesses directly but also indirectly, says David McIntosh, Pacific practice leader at Marsh Forensic Accounting and Claims Services.
Yes, we have droughts and floods, but natural catastrophes in Asia can hurt local business more, McIntosh says. In supply terms, he says there is a “butterfly effect” where a loss in Asia can manifest in Australia-dependent businesses.
“It’s not just the main suppliers,” he warns. “So many businesses have a reliance on a Chinese manufacturer, but what about your supplier’s supplier? Therein may lie the weakness.”
However, this isn’t just an Australian problem. Mitchell says there are an increasing number of claims among Asian manufacturing companies, even though they may not be located inside a disaster zone. “It’s the subsidiaries of manufacturing companies located outside these areas that are just as heavily affected,” he says.
Time and money
It would be fair to say there is no such thing as an average business interruption loss, in either cost or duration.
Indeed, McIntosh is aware of an incident where a rogue tool was stuck in a factory’s manufacturing system, triggering a US$2 million claim. Another claim he worked on cost a much larger company close to US$200 million.
“The US$2 million interruption could have broken the small business, but the US$200 million claim, while being an annoyance and a significant amount, didn’t challenge the going concern of that business,” he says.
One of the most misunderstood problems in the C-suite about business interruption is how long it will take to fix. Getting a mine up and running again or a factory back on track can be a lengthy process, particularly for a distressed entity trying to implement a reinstatement strategy as opposed to a planned program. Companies intending to take out business interruption insurance should consider no less than 12 months’ cover, McIntosh advises, and preferably more.
“Longer is better,” he says. “It takes months to do investigations and all the while you will have to plan your restart. Then there’s the implementation, which can sometimes take years.”
Luke Stratford, director forensics at insurance broker JLT, agrees that often companies need 24-36 months to return to some form of normality, and that does not even take into account loss of market share during the shutdown. In South-East Asian markets the problem is particularly acute, as business interruption insurance has barely registered on the corporate radar.
“You might find the larger companies well organised about insurance, but throughout the Asian SME market very few are insured,” Stratford says. “They’re buying transactional insurance, not insurance tailored to their needs. They don’t declare the right value of the loss, which leads to cover running out.”
Reliant on the internet
While Stratford and McIntosh say CFOs and CEOs tend to misunderstand the duration of problems and underinsure, Watson believes that in cyber terms at least, most executives fail to fully realise the extent to which they are dependent on the internet. It is not just running messages and emails, but companies’ core operating systems, he emphasises.
“Orders and transactions are now dependent on it,” says Richard Watson, EY lead partner APAC cybersecurity risk management. “Call centres rely on cloud-based applications to document incoming calls. It’s in everything and part of everything.”
The rollout in Australia of the Notifiable Data Breach (NDB) Scheme on 22 February this year and implementation of general data protection rules in the EU have put firms on notice, but it seems that many companies may not yet grasp the full implications of a data compromise.
“The degree of possible exposure is still underestimated,” Watson says. “It is mandatory to know where all your data is but that’s not all. You have to prove that you know how to protect it.”
For some businesses, legislative changes, natural disasters and cybersecurity-related events may provide the impetus to put appropriate insurance and business continuity plans in place. However, even for those better prepared, no company can rest on its laurels in terms of its business interruption recovery strategy. As old risks create new supply chain fallout and new risks emerge, continuity plans will always be works in progress.
A stitch in time
The world’s largest container shipping company, Maersk Line, was among the most high-profile of the NotPetya computer virus victims last year. The company was forced to reinstall 4000 servers, 45,000 PCs and 2500 applications in a 10-day process that the chairman described as a “heroic effort”. While revenues were devastated to the tune of around US$300 million, Maersk Line withstood the hit. It was still able to turn a profit at the end of the year despite the disruption, mostly due to strong market fundamentals.
Of course, smaller companies may not have the same recovery powers as Maersk Line, but what exactly was it all about? When you drill down to the specifics, organisations affected by the virus had neglected to apply a simple and readily available Microsoft patch to their systems. The real problem was not cyber attackers, but a failure to upgrade.
What's your plan?
There is possibly nobody in the world spreading the gospel of resilience in the face of business interruption better than London-based Sarah Stephens, who heads cyber, content and new technology risks at insurance broker JLT. It is her remit, wherever she goes.
Stephens agrees that the big cyber attacks in 2017 hit some corporations hard, but it’s the little glitches and minor failures – neither anticipated nor tested for – which make up the bulk of technology “events”.
“Both kinds of problems, the big and the small, can be built into a context of building resilience,” she says. “It’s not about saying if we buy this technology or that, we’ll have a magic bullet.
“The more secure and mature approach is to think that it’s inevitable we will have incidents where technology fails or where we are hacked, so building in more sophisticated detection and escalation procedures is important, but so is integrating technology failures into business continuity planning.”
Stephens believes in testing the problem – especially how a company can best recover from a disaster scenario – and combining that with an understanding of how to identify risks.
“If you don’t know from a financial perspective what losses look like, then how can you know how to allocate resources? Look for redundancies, then test and measure. The three things together equal resilience.”
David McIntosh at Marsh also counsels that well-written contingency plans will help reduce the risk and impact of an interruption. “Sit down with your clients, get the key players in the room and start with a blank whiteboard,” he suggests.
Everyone should be asking what the worst-case scenario would be, and, as a business, how to respond to it.
“Ask what mitigations can be put in place,” McIntosh says. “An insurance policy may be part of it but just as important is a disaster recovery plan that deals with what happens in the event of X, Y and Z.”
Maintaining cash flow is also extremely important in the event of a disruption. “Cash is king. If you can work with insurers to identify a maximum loss scenario and structure a calculation as to what the scenario may look like prior to a loss, it makes it easier to talk to an insurer to free up dollars in the event of a loss occurring,” McIntosh says.
The cloud has often been seen as part of the solution for both physical and cyber business interruption, as is the ability for staff to work remotely. However, while people working remotely and having internet networks in several locations supposedly redistributes the risk, it can be a double-edged sword. Data being processed in multiple physical locations may help a company to be more resilient if one data centre suffers a fire, says EY’s Richard Watson, but there is regulatory risk too. You have to know which data is in the cloud and where it will be stored.
“The cloud is not immune to ransomware, as there have been instances of data being denied to people in the same way as a laptop or server,” Watson says.
JLT’s Luke Stratford says it’s worth exploring alternative supply chains – even possibly partnering with a competitor to do a deal. “If I lose some of my capacity, I can use some of yours and vice versa,” he says.
“Identify the key materials or parts you rely on and make sure you have access to them. Get your supplier to guarantee that they will maintain four weeks of supplies at their business. It’s all about knowing where your vulnerabilities are and taking action to address them.”
Here are the top 10 global business risks, as identified by the Allianz Risk Barometer in 2017 and 2018.
Changes in legislation and regulation
Loss of reputation or brand value
Political risks and violence
Climate change/increasing volatility of weather
Changes in legislation and regulation
Political risks and violence
Loss of reputation or brand value