Robust Business Continuity Plans Need Regular Updates – and Insurers Play Vital Role

Having a robust, fit-for-purpose business continuity plan (BCP) should be a central part of risk mitigation at any major organization, yet far too often companies don’t give enough consideration to the matter, and don’t update them on a regular basis. Stuart Kenyon, AVP Risk Control at CNA Hardy, examines the evolving risk landscape and how the insurance industry can help.

The risk landscape is constantly changing, making it more important than ever that organizations keep their business continuity plans (BCP) up to date to enhance resilience, prevent loss and mitigate risk. Insurers can and should play a vital role by regularly checking in with their insureds and supporting them with their BCPs.

What a Difference 2 Years Make

The last two years have seen the emergence of completely unforeseen risks compared to 2020, when the UK National Risk Register (NRR) cited pandemics and large-scale Chemical, Biological, Radiological and Nuclear (CBRN) attacks as the most impactful threats, and malicious attacks on publicly accessible locations as the most likely.

While these risks continue to be significant, in less than two years the global risk terrain has changed radically in ways that were not envisioned. For example, accelerating climate change saw wildfires spark across London this summer while data from Effis shows that 515,000 hectares (1.27 million acres) of land had already been burned across Europe by July 23 – four times more than the average recorded since 2006 and nearly twice the previous record. Meanwhile, California continues to experience longer wildfire seasons as a direct result of climate change, but wildfires and severe droughts were not considered a high threat on the UK 2020 risk register when both were rated in the second-lowest likelihood category.

The biggest global threat to world economies and the geopolitical order – Russia’s invasion of Ukraine in February this year – did not feature on the risk radar at all in 2020. Yet this ongoing conflict has caused huge increases in the cost of energy, as well as disruption to global grain and cooking oil supplies, resulting in soaring inflation and a cost-of-living crisis in many countries. The threat to gas supplies from Nord Stream 1 being cut off and the recent possible sabotage of pipelines supplying gas from Russia to Northern Europe have seen a huge rise in fuel prices around the world.

In the UK this autumn, the government’s proposed fiscal policies sent markets into turmoil, with a steep rise in the cost of government borrowing and a spike in mortgage rates, fluctuations in sterling, and the Bank of England taking emergency action to stabilize the bond market. A year ago, the Bank of England was forecasting inflation of 5%, but Goldman Sachs is now predicting UK inflation of 22% by early 2023.

These multiple macroeconomic and global events underscore the critical importance of having a business continuity plan (BCP) which keeps pace with current and emerging threats. BCPs are often revised on an annual basis with little consideration given in the interim to how new exposures might affect the existing plan.

While steps are being taken to mitigate new risks such as governments finding alternative energy sources to bolster fuel security, and the sharing of global data on wildfires, it is impossible to predict the future. The emergence of unforeseen risks over the last two years is an important reminder that loss prevention is better than a cure.

Practical steps for business resiliency

According to Forbes, one in two businesses will experience a major disruption in their lifetime, as a result of which 25% of businesses will shut down entirely. In contrast, almost 90% of businesses with a BCP reported having reduced disruptions, improved resilience, and faster recovery from disruptions. As a result, risk managers should be asking themselves these three key questions when creating and maintaining their BCP:

1. Is your BCP up to date?

The simplest and most fundamental way to improve business resiliency is to ensure your BCP is up to date. BCPs are most commonly updated annually, often being duplicated from one year to the next without proper review. Risk managers should ensure a thorough review of the plan takes place regularly and accounts for any new exposures that may have emerged or following any significant change.

With such a rapidly evolving risk landscape, BCPs can quickly become outdated and no longer fit for purpose. Where possible, BCPs should be reviewed more than once a year and when making changes to a business – even minor ones – it is essential that risk control managers update a BCP to consider the impact of these changes as part of modification controls.

2. Are your business digital transformation plans threatening your resiliency?

It is crucial to think about how technological changes can affect your overall business resilience and ability to recover in the event of an unplanned outage. When it comes to technology and the impact it may have on a BCP, you are never really “done.” New technical vulnerabilities are discovered every day, and every business process change can create unintended process or system vulnerabilities – this is referred to as “creeping change” by global process safety professionals.

Consider whether your management of change process effectively identifies changes in your supply chain that could have a significant impact on the resilience of your business, such as the merger of two independent suppliers into a single supplier of a key raw material. The cyber risk exposure of this supplier needs to be effectively managed with effective loss prevention techniques and the help of specialist advice. Solutions could include a synchronized independent back-up mirror web system facility or the ability to manually process customer orders in the event of an extended period of unplanned downtime from an outage or cyber/ransomware attack.

3. Does your BCP include a talent management strategy?

CNA Hardy’s Risk and Confidence Survey reveals there are five main drivers for risk in business: economic, political, cyber, technology, and interconnected risk. More than ever, we are observing the need for effective oversight of these challenging risk areas. Risk managers should be aware of the vulnerabilities exposed by the “Great Resignation” and ensure contingency plans are in place to mitigate any impact high staff turnover may have on business resilience.

Businesses also should take care to safeguard the “corporate memory” – collective learnings built up throughout a company’s history are a wealth of knowledge, particularly previous risk events and their associated learnings that should remain embedded in the company’s working practices.

Role of Insurance Industry

One of the crucial ways the insurance industry can help businesses facing multiple risks in a fast-changing environment is by providing them with adequate coverage for their losses in the event of a worst-case scenario. Insurers can assist their insureds by looking at a broad range of loss scenarios from “amount subject,” to probable maximum loss through to normal loss expectancy. (Amount subject is an estimation of the maximum loss derived from the coverage provided, which could reasonably be sustained. However, it excludes losses which may be possible, but which remain unlikely.)

However, working on the principle that prevention is better than cure, insurers have a key role to play in helping clients understand and mitigate their risks. Specialist risk control departments embedded within many insurers can provide policyholders with tailored, expert advice to check whether client BCPs are robust and fit for purpose so that every business is as prepared as possible for a wide range of scenarios. Improving the sharing of key trends can help promote and embed better horizon scanning practices, allowing businesses to adapt their BCPs to account for new and emerging risks.

While the insurance industry can never eliminate risk, it has a vital role to play in providing clients with the advice and guidance they need to be as well prepared as they possibly can for any peril they may face.

Topics Carriers