The world has changed in countless ways over the past 21 months. Words like corporate scandal, catastrophe and terrorism have entered mainstream vocabulary. The public suddenly has a new perspective on risk – that the world is a much riskier place than it once was.
Front-page stories on corporate financial mismanagement and images of terrorism remain etched in many people's minds. But what is the real state of risk? Has the world really changed? Have those responsible for managing risk addressed this change? Are companies better prepared for disruption to their top revenue sources than they were a year ago?
According to the 2003 Protecting Value Study (posted at http://www.protectingvalue.com), which surveyed nearly 400 financial executives and risk managers at the world's leading companies, more than one-third report their firms are not sufficiently prepared to protect their top revenue sources and clearly have room for improvement.
The study was conducted by commercial and industrial property insurer FM Global, the Financial Executives Research Foundation, part of the world's largest association of financial executives, and the National Association of Corporate Treasurers (NACT).
Threats to revenue
In contrast to the 2002 Protecting Value Study, this year respondents were most likely to cite improper management and employee practices as the leading hazard affecting top revenue sources, probably as a result of high profile news of financial mismanagement within several major corporations.
Collectively though, 59% of the companies reported the greatest impact on revenue sources would arise from property-related hazards, including fire or explosion, natural disaster, terrorism, theft, mechanical or electrical breakdown, service disruption, a supply shortage, employee strike or cybercrime. However, there were marked differences between financial executives and risk managers as to whether property or non-property related hazards constituted the greater threat to revenue. This suggests that business continuity planning may not be sufficiently aligned with top revenue sources at many corporations.
Specifically, a slight majority of financial executives say non-property-related hazards, including improper management and employee practices, product recall, pricing volatility and personal accidents, would pose greater threats to revenue. In contrast, risk managers overwhelmingly consider property-related hazards as posing the greater threat. (See Table 1)
While financial executives and risk managers share the common pursuit of balancing risk and return, the study found that each party has different perspectives about their company's top sources of revenue. For example, financial executives cited personnel and customer support as their top revenue source, while risk managers cited manufacturing, plant and process equipment.
Among the study's other findings, 100% of the companies surveyed reported that a major disruption to a top revenue source would have a negative impact on earnings, with 28% stating such an event would threaten business continuity.
A good return on investment?
Additionally, 85% of respondents indicated that they view risk management as an investment. In particular, those who view risk management as an investment said they do so because they believe it protects their business continuity. As a result, they believe there is a realised return on investment. Conversely, those who view it as an expense do so because they see it as a necessary cost of doing business, with no realised return.
However, 86% of respondents described the extent of their preparation to recover from a major disruption to their top revenue sources as less than excellent. Likewise, 84% of all companies surveyed rated their contingency planning efforts as less than excellent. This begs a number of questions. What should be a sufficient level of preparation for protecting a firm's top revenue sources? Are companies receiving a good investment return on their risk management efforts? (See figure 1)
It is important to realise that, in the event of a major disruption, there are two significant outcomes: financial and customer loss.
On the financial side, how long can your company endure operational shutdown in terms of cost? To answer, look at each business unit. What is your budget for each, and how would the overall business be affected by a major loss? Which units are most critical and how much will it cost to get them operational again? How long can you afford to have them out of operation?
On the customer side, what will be the impact on the quality of products and service to customers if there is an indefinite shutdown? What will customers demand on a daily basis? What can be put on hold? Prioritising products or services in terms of customer demand is a good way to analyse this.
Willing to spend?
The World Trade Center disaster provided a clear example of the outdated notion that insurance will cover all consequences of a loss. There are many studies that have highlighted the uninsurable costs, that can result from any loss.
So it is encouraging to see that the corporate world is looking beyond insurance to further enhance their risk management efforts. In particular, respondents indicated that more than one-third of any additional funding to protect their company's top revenue sources would be spent on business continuity (23%) and contingency planning (14%) efforts. (See figure 2)
The main objective of business continuity planning is simple - no matter what happens to your company, any disruption should be transparent to your customers. At the core of this objective is protecting the value created by an organisation's top revenue sources and its ability to compete profitably in the marketplace. If a company is unable to meet its customers' needs – in the event of a fire, flood, employee strike or other catastrophe – those needs will be quickly filled by a competitor. By not adequately protecting your company's value, the company stands to lose more than money. It also risks losing the intangibles, such as its reputation, market share and customer base.
As you assess your level of preparedness, be aware that risk management is a long-term proposition, and this requires sensitivity to the broader realities of the global marketplace.
Much of the financial executive's world involves dealing with a broad portfolio of risks. The risk manager's world, in contrast, revolves around developing and implementing optimal risk aversion practices while adhering to budgetary constraints.
Given this delicate balance, there must be communication between financial executives and risk managers regarding perceived threats and business continuity planning efforts in order to form a more complete strategic view of risk management.
Ken Davey is senior vice president and managing director international division, FM Global, Tel: 01753 750 000, E-mail: firstname.lastname@example.org
UK survey highlights gaps
Organisations of all sizes are failing to plan for possible disruption to their business operations caused by war and terrorism, according to the latest findings from the Chartered Management Institute. Half of all managers say that the UK's preparedness for possible terrorist attacks is insufficient.
This was the fourth annual Chartered Management Institute business continuity survey. The results reveal that over the past few months, organisations are more likely to have addressed the possibility of disruption to their business by a fire-fighters' strike (44%) than the war in Iraq (17%). They also gave 'increased threat of terrorist activity' (32%) equal consideration with 'damage to their reputation/brand.'
When asked if their organisation had a business continuity plan in place, more than half of all managers admitted that they did not, or were unsure. Of the 46% that did, only around half had actually rehearsed its effectiveness in the past year.
Perhaps not surprisingly, there appears to be a strong correlation between the size of the organisation and their preparedness for war or terrorist attacks: large organisations (over £500m turnover) are almost three times more likely to have a business continuity plan (68%) than small businesses (up to £1m turnover) with only 24% having one in place.
"Organisations of all sizes should have a business continuity plan: not having one is cavalier at best, negligent at worst," comments John Sharp, CEO of the Business Continuity Institute.
Are managers complacent or realistic in their response to possible business disruptions? Less than half (47%) fear terrorist damage, while only 16% are concerned about military conflict. The threats which organisations fear the most are loss of IT capacity (58%) followed by loss of people and loss of site (both 54%), with fire risk and loss of skills (both 51%) considered less important.
The findings lend weight to the view that an unrehearsed plan is not worth the paper it is written on. Of organisations that do carry out a dry run, more than four in five rehearsals revealed shortcomings, but of these one in six then failed to address them