If 2020 has taught us anything, it’s that things are getting more unpredictable in the business world. Where we were once secure in our knowledge of what the risks were and where they lay, we now have no idea of what will be thrown at us or when.
In the recently released World Economic Forum’s survey Regional Risk for Doing Business 2020, the top five risks that Australian businesses felt were (in order):
- Cyber attacks
- Spread of infectious disease
- Fiscal crises
- Energy price shocks
- Extreme weather events.
Interestingly, the top three are intertwined to an extent – with one likely affecting the others.
Why are these things on the list?
So, what do I think about this list? In the past, I haven’t taken this survey too seriously because we address these factors with our clients anyway. But infectious disease at number two, that’s a new one.
Further, the fears around most of the list are media-driven, and yet Alleviate Risk isn’t witnessing or experiencing any broad pessimism across the economy. In fact, banks are even starting to make it a little easier to borrow money. Of course, the banks still prefer to lend to those who seem like more of a safe bet.
Now, while a pandemic was always a possibility, no one could have forecast its timing or magnitude with any precision. Nonetheless, all businesses should still have prepared for catastrophic upsets to their standard operations. That’s just good risk management.
For me, the current situation brings to mind the ‘presilience’ concept that risk expert Dr Gav Schneider has talked about for years. In simple terms, the concept states that the more effort you put into preventing and preparing for something bad to happen (regardless of how unlikely it is to happen), the more effective your response to recovery will be.
Given what 2020 has thrown at us, I can’t stress enough how important it is for businesses to be prepared for the probable sources of business upset in the future. So, let’s have a look at some of these risks in more detail.
Fiscal crises and the spread of infectious disease
These two risks largely go hand-in-hand given the pandemic triggered fears of a second GFC. At the best of times, I encourage businesses to be innovative and agile enough to change when things don’t go the way they should to minimise financial fallout.
However, when things do not go for the best, businesses must realise they can’t just sit back and rely on their insurance, because insurance isn’t as easy to come by as it once was.
Most insurance policies now are quite inflexible – largely the result of living in an increasingly unpredictable world. Why? One of my theories is that there’s so much more data available that the modelling used by insurers is becoming highly accurate.
This increased level of accuracy allows insurers (and their re-insurers) to reduce their exposure significantly. Risks they may have accepted in the past are, they now see, mathematically no longer worth taking on.
The businesses prone to presenting those risks now need to think about transferring them and/or finding ways to alleviate them as best they can. Some may choose to pass on costs to the end-user or to ‘self-insure’ – have enough money in the bank to cover the costs of an incident.
Making hay while the pandemic rolls on
Yes, there are sectors that haven’t suffered in the current conditions – such as postage, online retailers, alcohol retailers and food delivery providers, etc. They have actually thrived in the face of the pandemic and largely dodged the resulting financial fallout.
So, while it all looks good for them financially, how about their processes and general way of doing business? Yes, they have plenty of business, but can they cope with the increase in demand? Can they keep up with new, competing businesses that are well equipped to deal with these increases? These factors come into play at some point and this is where ‘presilience’ measures are needed.
Since about March this year, most businesses have been at action stations working out how to maintain operations throughout the pandemic. Many office-based businesses have had to implement a model where most of their staff work from home. That’s what I’ve done in my own business: my staff are rarely on-premises anymore.
As a risk manager, I already had a general ‘bug out’ plan in place prior to COVID-19. As such, our transition to work-from-home wasn’t disruptive. Unfortunately, this wasn’t the case for many.
I know that not all businesses can transfer their operations offsite, but they can still adapt to the changing situation. Cafes and restaurants are a perfect example. When lockdowns were enforced, dine-in service was off the table (pardon the pun). In response, the smart cafes and restaurants started offering take-away and delivery. They made the most of a dire situation.
Fears over cybersecurity
While financial ups and downs are a priority, the survey surprisingly found that cyber-attacks are the leading concern. I think there’s a good reason for this: with so many businesses now operating remotely, the opportunities for cybersecurity breaches have dramatically increased.
Ransomware is a particular concern for businesses that aren’t maintaining enough security in their systems. You’d be amazed at how often Alleviate Risk reviews a client’s systems to find that they aren’t up to scratch. The questions go like this:
Us: Do you back-up?
Us: Do you test your back-ups?
Client: I’ll check on that.
Us: Can we get a report of the last back-up you did?
When these tests are undertaken, things often get a little shaky. Most clients leave testing up to their IT people and when we ask for a report of the latest back-up, they admit they’ve never done one before. And when we review the report, the clients are shocked that the tests failed. They think they’re covered but their back-ups are losing data.
How to handle extreme weather
Extreme weather events came in at number five. Yes, they scare everyone, but perhaps that fear isn’t spurring people to undertake risk mitigation. For example, we’ve been told over and over that the 2020 Australian summer will feature La Nina weather patterns – rain, flooding, storms, wind and so on.
Businesses are hearing it, but they’re not doing anything about it. Everyone’s distracted by COVID-19, so no-one’s thinking about how to become resilient when wild weather rolls in.
Example: a few weeks ago, the Brisbane suburb of Springfield Lakes was hit with hailstones large enough to smash right through tiled rooves. Everyone was warned that La Nina would probably bring this sort of fury, but how many people made contingency plans?
These plans don’t need to be elaborate, they just need to exist and be effective. It can be as simple as asking “how will we get the kids home from school if there’s a hailstorm coming that could destroy the car?”
An unpredictable future doesn’t equal a powerless present
This year, 2020, has seen quite a few things reaching critical tipping points: disastrous bushfires, geopolitical turbulence in the US, increasing technological advancements and a series of weird weather events.
However, I argue all of these could have been predicted in general … if not in particular. And a general sense of the likelihoods is more than enough to go on when you’re mitigating your risks.
John Doyle, the CEO of global risk experts Marsh, has observed that the COVID-19 crisis has shone a spotlight on the topic of organisational resilience.
“As firms look to the future, they are matching their risk and resilience arrangements with a threat landscape marked by significant customer and workforce behavioural shifts,” Doyle says.
“To optimise recovery, organisations will need to build greater preparedness into their business models in order to be more resilient in the face of future disruptions.”
I couldn’t agree with this quote more. If 2020 has taught us anything, it’s that the global pandemic has exposed the fragility of the economy. In a lot of cases, it has given people a wake-up call and the realisation that perhaps their business is not as resilient as they thought.
Businesses need to think about alternative ways to manage risk or seek advice on how to mitigate the risk entirely.
Choosing what to do about the risks you know about – and the ones you don’t yet know about – isn’t always straightforward. At the very least, you should minimise your known-unknowns and unknown-unknowns. I mean, compare the cases: what can you do when you’re caught out by surprise versus what can you do if you’ve got a contingency plan?