Horizon scanning remains overly dominated by events that are happening now, finds report

After being considered the primary risk in 2021, the threat of the pandemic still lingers, with non-occupational disease remaining the primary risk to organisations and their staff over the next 12 months. This is according to the BCI’s Horizon Scan Report 2022, sponsored by BSI.

However, interviewees for the report admitted that had they known about the escalating situation in Ukraine, they would have answered the survey questions differently – an example in itself of relying on current incidents only and deprioritising the threats of other incidents.

Indeed, the conflict in Ukraine has already resulted in an increased number of cyber-attacks and varied disruptions to the supply chain.

The main theme arising from the report is therefore preparing for the unexpected. In this effort, while organisations are seeing a better awareness of disruptions from their management, work still needs to be done to improve the interdisciplinary nature of Business Continuity Management.

Rachael Elliott, head of Thought Leadership at The BCI, commented: “This year’s report has been written at the juxtaposition of two major global incidents: the COVID-19 pandemic and the conflict in Ukraine.

”After business continuity and resilience professionals made learnings during the pandemic, transformed their BC programmes and won the attention required from senior management to breathe additional investment into their departments, the findings of this report show that the old adage is still ringing true.

“Practitioners’ concerns when it comes to scanning for future risks are still dominated by events which are happening now.

“Professionals need to continue to broaden their view of the risk landscape to ensure their organisations are fully prepared for a myriad of risks – even if the likelihood of some is perceived as low.”

Pietro Foschi, BSI group executive director assurance services, added: “This report, more than previous editions, confirms that leaders need to focus on enhancing their resilience as a direct response to increasing threats from cyberattacks, changes to working practices, the climate crisis or geopolitical disruptions.

“To become truly resilient and future-ready, organisations embedding best practice will increase the agility of their teams and accelerate their response to new, emerging global risks, as well as to unpredicted and somewhat unpredictable events.”

Cyber resilience

The top four survey responses in the risk and threat assessment for the past year are all linked to the pandemic. This indicates that businesses prepare not just for global threats, but also the associated risks from the same.

Despite both falling a few places in the threat and risk assessment ranking for the past 12 months, ‘IT and telecoms outages’ and ‘cyber-attacks and data breaches’ are still critical considerations for organisations, particularly those operating on a hybrid or remote working basis.

Indeed, both are in the top five risks for the coming 12 months, on the basis of frequency and expected impact.

The number of cyber-attacks increased by around 50% in 2021 but the conflict in Ukraine has increased the number of attacks by up to 800%, according to some sources.

The security of global supply chains are at particular risk from the threat of cyber-attacks. If an organisation’s critical supplier is hit, then one cyber-attack has the potential to impact many organisations down the line.

This highlights the importance of building resilience into a supply chain at all levels, from the pre-contract stage all the way to delivering to market.

Emerging risks

This report also marks the first time practitioners were asked what they see as the greatest threats on a medium- to long-term (5-10 years) basis. Alongside cybersecurity concerns, organisations also highlighted climate risk as an emerging threat.

While extreme weather events, such as storms and floods, have received much coverage over the last few months alone, many organisations view extreme weather as an ‘acute’ risk.

This scale of risk would see plans regarding extreme weather regularly exercised and eventually enacted in the event of a flood, for example. However, discussions regarding the upgrade of extreme weather to a ‘chronic’ risk should now be taking place. This could, for example, entail pre-emptively moving offices out of areas prone to extreme weather events.

Other findings:

  • The effect on staff morale, wellbeing and mental health are now the greatest consequence of disruptions for respondents.
  • After the pandemic, there has been an 11 percentage point increase in the number of organisations who are seeking to align their processes and procedures to the ISO 22301 standard.
  • Remote working remains among the primary risks for 2022, with organisations starting to find ways of embedding their new working practices.