Why Planning for Specific Risks Doesn't Work, and What to do Instead
Every year the Business Continuity Institute surveys professionals in the risk management world to see what the top business interruptions were for the previous year, and what those professionals think the top interruptions will be in the upcoming year. Yet, even with such a wide-ranging survey of professionals across the world and across all industries and organization types, there are always unexpected events that hit businesses worldwide.
To get a better understanding of why it's far more effective to plan for THE IMPACT on your business from a crisis or interruption, instead of trying to plan for every crisis or interruption that might happen, let's take a look at how 2019, 2020, and predictions for 2021 compare.
What Happened in 2019?
In 2019, we can see that of the top 10 business interruptions, only 2 would be considered in your direct control:
Product Safety Recalls
Of the remaining 8 interruptions, Health Incidents could be considered to be somewhat within your control, based on the work environment and culture of your business. Which leaves 7 interruption types that are caused by other people, companies, organizations, and nature.
Could you have planned for every single one of those possibilities? If you can, I'd love to see what kind of overhead your business operates with!
What Was Predicted in 2020?
So based on what happened in 2019, risk management experts predicted that only 5 of the 10 types of interruptions from 2019 would repeat as a top 10 item in 2020. Of the top 3, both Health Incidents and Safety Incidents were left out of the prediction for 2020. Why is that? Is it because those are items that we feel like we can control? Do we tend to think business interruptions are only caused by outside forces?
What Happened in 2020?
So when we look at what ACTUALLY happened in 2020 vs what was PREDICTED for 2020, we can see that many more of the predicted types of interruptions, 6 of 10, happened. Yet, those two interruptions that were not predicted, Health Incidents and Safety Incidents, repeated as top 3 interruptions, only missing being the top 2 interruptions because of a worldwide pandemic from COVID!
Perhaps there really is a tendency to minimize the impact of business interruptions we feel like we can control...
It's also interesting to note that despite the prediction of Political Change being in the top 10 of interruptions, with all of the attention given to the elections of 2020, it did not end up making nearly as big of an impact as predicted. Just a reminder that because there's lots of "news" about something, that doesn't necessarily mean it will have a direct impact on your business.
What Was Predicted for 2021?
So now we're working through 2021, and wouldn't you know it, Safety is once again left out of the top 10! I'm not typically a gambling man, but I'd say that if you're not planning for a safety incident to impact your business this year, it should become a priority in your risk management planning.
As for the other types of interruptions, we're starting to see more consistency: what has been happening is being expected to happen again the next year. There's still the trend of the top 10 incidents primarily consisting of things that seem outside of your control. So what to do?
So what do we do with this information?
If you know something outside of your control is likely to happen, what can you control? How you respond to that interruption! Take the list of likely interruptions and do a Business Impact Analysis on what would happen to your business if any of these events occurred. And quantify that impact! You want to know what it could cost you in dollars, time, personnel availability, client retention, and reputational impact. Will there be insurance impacts, regulatory requirements that aren't met, customer contracts that get broken?
In addition to Safety and Health Incident interruptions, these additional items have been consistently in the top 10 from 2019 - 2021, so now is a great time to review or create plans for these types of interruptions:
IT/Telecom Outages - The world is more connected than ever before, and outages are a fact of life. Have a plan now for when an outage impacts you.
Lack of Talent/Key Skills - There has been a shortage in skilled labor since the 2008 financial crisis caused millions of people to go back to school to get degrees in fields that weren't necessarily applicable to business needs. Using degrees as screening tools ensures you miss out on great people that could have the skills you need. Now is a great time to review your hiring and talent search practices to ensure they meet your business needs, and that if they get interrupted, you still have ways to search for talent.
Cyber Attack/Data Breach - We've seen several high profile cyber attacks and ransomware incidents already this year. Cyber criminals look for easy targets, not just big targets. Even if you don't think your business is a target, if you're visible and successful, chances are good someone will try to cyber attack you for money. And if you think you're too small to be a target, that also means cyber criminals will assume you have fewer protections in place, making you an easier target.
Extreme Weather Events - Extreme weather is more than just hurricanes and tornados. Droughts, flooding, and extreme heat and cold can also wreak havoc on your business. Much of the current United States spike in construction material costs and shortages can be attributed to the wide-ranging need for building and home repairs due to the brutal winter weather conditions that swept across the country this year, causing widespread damage in places not prepared for such cold conditions. Have a plan for the weather extremes your geographical area can have, and make sure you've reviewed your insurance coverages with your insurer to know what's covered, and more importantly, what's not covered.
The variance between what is predicted and what happens shows us the importance of planning for how your specific business processes will be impacted if they get interrupted, vs trying to plan for specific occurrences. For example, if your business is heavily dependent on a specific building location, your goal should be to quantify the impact of not being able to get to that building. That way you can plan for such a scenario, no matter if it's caused by a fire, tornado, earthquake, flood, pandemic, or terrorist attack. The cause doesn't matter, only the impact to your business!
I hope this risk review is helpful to your company for planning, and if you would like help in managing your business risk, contact us and we'll be happy to help!