In the past few years, business interruption (BI) has been one of the hottest topics in risk management. In 2020, the spread of COVID-19 and resulting lockdowns and travel restrictions had a huge impact on many businesses, inflicting massive losses. In 2022, even before the world could fully recover from the pandemic, business interruption once again came to the forefront after Russia launched its invasion of Ukraine and NATO responded with a barrage of economic sanctions on Moscow.
According to Andrew Tait (pictured above), partner at risk management firm Sigma7 and a 30-year veteran of the risk management industry, supply chain impact and cybersecurity failure are two of the risks that worsened the most from 2020 to 2022.
“We have learned the hard way that supply chains are more interconnected than we thought and increasingly vulnerable to any number of risks,” Tait told Corporate Risk and Insurance. “We understand better that we need to increase our competency to manage supply chains effectively and expand our view of them to include critical people, technology, trade routes and customer priorities. Additionally, there is an increased need to anticipate scenarios that may impact or disrupt operations in new ways – such as a combination of war, natural disasters, and pandemics. We have learned that the supply chain is longer than we understood it to be, with far more links. We need a deeper understanding of our suppliers and those that supply to those suppliers several layers deep.
“With both insurable and non-insurable losses stressing companies’ bottom lines and frustrating customers in all sectors, an intentional approach to resiliency is more important than ever and requires significant planning. Revenues and reputation are at serious risk; the Board of Directors and customers are paying attention.”
Business interruption blunders
Tait said that one of the biggest mistakes many organizations and their risk management functions make is being unwilling to look for or fully understand the blind spots in perceptions of risk. This resulted in a lack of a holistic view of the potential impact of interruptions, leading to worse organizational risk outcomes.
“A fundamental flaw in the approach to calculating and reporting BI exposure to represent global revenue minus variable costs (simplified) has set us up for the challenges we experience today,” he said. “Limiting the discussion and reporting of BI exposure to only support insurance procurement and focusing on annual ‘allocated’ BI, limits the ability of operating staff to understand the potentially severe impacts of actual exposures. Without establishing a consistent capability to calculate and understand the real global impact on margin, including knock-on effects from losing a single site, production line, boiler, trade route, supplier, or technology system, companies cannot effectively prioritize investment in supply chain protection.”
Another major mistake is that many organizations lack an operational business continuity and disaster recovery plan, which leads them to underestimate the potential impacts and the length of potential disruptions.
“Now is the time to sharpen the axe before the next real-world event,” Tait said. “Management hates surprises, and product supply chains are the lifeblood of so much of what companies do – so why are we surprised by product shortages that materially impact results?”
Addressing BI mistakes
Having learned the lessons the hard way, businesses now have a chance to make things right. Tait said that organizations should focus on understanding their supply chains and the stressors that can impact them. Risk managers, business executives, and the entire industry should be better prepared to anticipate risk in advance and plan for better risk outcomes.
“Taking an intentional approach to supply chains, understand dependencies, and think through the recovery options can allow companies better to allocate precious resources to focus on the optimal risk treatments,” he said.
Tait shared a sample supply chain risk planning process consisting of 10 steps:
- Identify and document priority products/product families
- Map supply chains, including critical suppliers/customers (to manufacturing site)
- Quantify the annualized impact of the loss of critical sites, down to individual production lines
- Identify and catalog inventory positions, lead times, alternative sourcing strategies, parallel or redundant product standardization, key staff, technology dependencies, etc.
- Assess the potential duration of outages and restoration periods (current and best future case and then add additional time for unanticipated delays)
- Develop risk curves across a range of possible return periods
- Document plans to prioritize action to protect – and communicate with management
- Conduct a gap analysis and perform risk assessments to identify vulnerable sites/nodes
- Develop appropriate plans, policies, and procedures for business continuity/resumption
- Rinse and repeat
“Aligned to the process above, take time to understand where technology is critical to the supply chain, what cyber security protocols and frameworks are in place, and how these protections will affect a breach or disruption to your supply chain,” Tait said. “Partner with the chief information officer/chief information security officer to model the impacts of technology loss on product supply chains. It is important to align the technical response plans with the specific business needs and consider key global standards to help communicate current and future maturity at all levels of the organization.”
Looking forward, Tait expects further challenges to current resiliency models, as countries drive toward regional convergence at the expense of global integration. With organizations increasingly relying on technology to operate, the supply chain threat to the business will grow, as will costs. He also expected higher demand for transparency from customers, shareholders, and boards of directors, along with continuing improvements in tools and services to visualize and understand supply chains. Insurers will be more willing to reward those who better understand their exposure, resulting in increased competency in supply chain management.
“To all risk managers who want to make a difference, we urge you to partner with the operations and senior leadership to drive engagement and begin the journey to resiliency,” Tait said. “To provide a little hope – this may help offset some of the increasing risk increases we are experiencing due to global warming, shortages of critical raw materials, and dynamic geopolitical stresses.”
What are the top risk management lessons you’ve learned in 2022? Let us know in the comments.