CNA EXPERTS

The risk landscape is shifting: Are you prepared?

By Severio Pacini | Published July 12, 2019

2019 really did throw a lot of challenges at us, and things don’t seem to be backing off as we think about what 2020 has in store for us from a risk perspective. Economic, political, cyber, technology and the complexities around the interconnectedness of risk are all expected to be chief concerns for business leaders, our latest Risk and Confidence research tells us.

 

The risk landscape has arguably never been so hard to navigate, but being in the business of risk, we understand the terrain is constantly changing and more often than not, resulting in new challenges for us to manage as part of the solution.

 

This is why planning for the impact of new risks, or indeed, the effect of a minor modification to current exposures within a risk portfolio is a crucial foundation for any risk management strategy. So, as businesses review their own response to risk in 2019, they should all be asking themselves: are we keeping our business continuity plan up to date?

 

Major risks and drivers identified in May ’19 and in 12 months’ time:

 

Economic

  • Global financial strain
  • Rise in US rates by Federal Reserve 
  • Global debt at all-time of $184 trillion (IMF)
  • Businesses reining back 

 

Political

  • Rising protectionism
  • Fallout Brexit indecisions
  • Run up to
  • elections in both Canada and the US
  • Lack of cohesion in crisis event

 

Cyber

  • The impact of major cyber events
  • $1trillion damage globally

 

Technology

  • Keeping up with the pace of change
  • Lack of flexibility to adapt
  • Regulation
  • Unknown risk exposures

 

Interconnected Risk

  • The complexity around a number of risks impacting several areas of your business, such as: supply chain, reputation, business interruption and security

 

Well documented incidents

Last year, a number of events demonstrated the importance of having a current business continuity plan, which adequately assesses current and emerging threats. Take the Marriott Hotel chain data breach, where the Hotel revealed that the privacy of up to 500 million guests had been compromised since 2014. If you sit on the board of a company, or are part of the executive management team, this latest hack is yet another reminder that cyber risk needs to be at or towards the top of your business continuity plan agenda.

 

Business leaders should be asking some particularly hard questions about their company’s cyber preparedness, specifically whether the control environment is in alignment with the level of risk the business believes it has accepted. The difficult reality is that they are likely to discover they are not where they thought they were.

 

Another recent example is the utter chaos caused by drones flying over Gatwick airport in December, one of the UK’s busiest airports. This event once again highlighted challenges with the control environment and demonstrated the potential disruption an incident like this would create to the running of multiple businesses and industries that rely on Gatwick airport operating.

 

Business Continuity Plan objectives

While we can learn from these incidents, these events also act as an important reminder – loss prevention is better than cure.

 

As we consider both the findings of the report and what other risks might impact multinational businesses moving forward, below are a list of questions businesses should be considering when thinking about what their Business Continuity Plan objectives should be in 2019:

 

1. Is your business continuity plan current?

This might seem like an obvious question, but more often than not, business continuity plans are often duplicated on an annual basis with very little thought given to how new exposures might impact what plan is already in place.

 

A business continuity plan should be a living document that is constantly reviewed in light of any significant changes that could impact on what is in place, even if the change might be something relatively minor.

 

The culture around risk within a business plays a hugely important part in the overall success of a business continuity plan and its relevancy. In an ideal world, business leaders should be using a business continuity document as they’re making changes to the business, to ensure they are constantly building in business resilience as part of the development organization. It’s about having fewer hazards, less threats and less loss potential.

 

2. What technological changes or modifications are you planning on making this year and what is your formal management of change process for this modification?

With the changes you are making, it’s crucial to think about how these changes will impact on your overall business resilience and ability to recover in the event of an unplanned outage. However, when it comes to technology and the impact it may have on a business continuity plan, you are never really ‘done’.

 

New technical vulnerabilities are discovered every day; every business process change can create unintended process or system vulnerabilities. The cyber risk exposure needs to be effectively managed, utilising effective loss prevention techniques, with the help of specialist advice.

 

3. Within your organization, do you have clear responsibilities and accountabilities relating to the five main risk factors our research has identified (Economic, Political, Cyber, Technology, Interconnected risk)?

Minor changes can have a big impact on business continuity planning if you’re not aware of threats or the consequences to your business and we are observing more than ever the need for effective oversight of these challenging risk areas.

 

Within your organization, does your management of change process effectively identify changes in your supply chain which could have a significant impact on the resilience of your business? For example, the merger of two independent suppliers, into a single supplier of a key raw material?

 

With the increased usage of technology including web interfacing products, does your organization have adequate business resilience in the event of an issue with the technology solution, for example a synchronized independent back-up mirror web system facility or the ability to manually process customer orders in the event of a technology system which has an extended period of unplanned downtime (e.g. cyber ransomware attack)?

 

For further advice and information on Business Continuity Planning, see how our Guidance Notes can assist you: Risk Management Services

In Canada, products and/or services described are provided by Continental Casualty Company, a CNA property/casualty insurance company. The information is intended to present a general overview for illustrative purposes only. Read CNA’s General Disclaimer.

Severio Pacini
Vice President, Risk Control

Severio joined CNA Canada in November 1999 and currently serves as Vice President, Risk Control. He is responsible for leading and executing the Risk Control function of underwriting risk assessments and "value added" customer services to support CNA Canada’s underwriting strategic plans. Prior to joining CNA, Severio held the position of Casualty Manager of Risk Services at Liberty International Underwriters Canada and Manager of the Loss Control/Boiler Inspection departments in Ottawa and Toronto at Chubb Insurance. Severio graduated from Seneca College of Applied Arts and Technology as a fire protection technologist and earned his Certificate of Risk Management (CRM). He is also a Level II Certified Infrared Thermographer (CIRT) and UL Recognized Risk Engineer (RRE).