Rule #1: Always Conduct a Risk Assessment
Too few companies do a risk assessment regularly or at all — but this is a critical first step for a stronger business continuity strategy.
“Companies need to know what risks are inherent in their business, culture, geography and beyond, how susceptible they are to those risks and what the possible negative impacts are if that risk occurs,” says Tony Adame, director of Business Continuity for Aon’s Global Risk Consulting. “As natural catastrophes increase, the risks to the business and its people are increasing as well and must be assessed frequently.”
Businesses must regularly ask themselves various questions based on their specific exposures. For example, if a business has a footprint in California:
- Have we fully assessed wildfire risk not only as it relates to property, but also the supply chain?
- How will our business be interrupted?
- What impact will this have on our people and their ability to work as expected?
The same careful questioning goes for Gulf Coast operations, which face hurricane risks. The important differentiator is not just knowing the risks but understanding the extent of vulnerability and impact.
Risk assessments can help quantify risk and establish a risk threshold. They can also form the basis for critical processes, including business continuity plans and insurance, as well as necessary resources to manage and respond if an event occurs.
Rule #2: Rethink Your Risk Management Structure
As companies continue to build resilience around natural catastrophe exposures, they are also assessing gaps in their risk management strategies, structures and business continuity plans. Following the L.A. wildfires, Aon’s survey revealed that 82 percent of organizations plan to review or improve their preparedness plans. To do so, many will need to change their risk management structure to allow for more dynamic and integrated risk management and business continuity strategies.
In addition to fostering more agility across the organization, rethinking risk structure and roles can also change how organizations use data and analytics to push decision making. The use of data and analytics to build more sophisticated capabilities can go a long way in a business continuity strategy, enabling companies to make better decisions faster. To make these changes, companies will need to take a different approach to talent and consider risk roles as a strategic and executive-level function.
Rule #3: Build a Risk Framework
In the event of an incident companies need to be able to rapidly respond to a crisis with the goal of protecting employees, customers, financial stability, the brand, property, technology and operational integrity. Having a pre-designed, well-established, thoughtful risk and business continuity framework will help companies achieve this.
A strong risk framework should:
- Utilize three critical components: discovery, planning and governance:
- Allow companies to act and make decisions quickly for a number of risks, with more agility and flexibility and a shared understanding of what needs to happen across teams and functional groups.
- Help companies quickly identify priorities and actions, like understanding the impact of a given incident on people, facilities, IT and the supply chain — and knowing where to act first to maintain operations and safety.
Discovery – risk assessment and business impact analysis
Planning – emergency response and management, crisis management and communications, business unit continuity planning
Governance – plan auditing, updating, training and exercising
With this risk framework, companies also have a stronger narrative to share with insurers — letting them know what they’ve done to protect themselves and mitigate risks. As those risk solutions evolve to meet the changing needs of companies and their business continuity strategies, the framework can help guide both strategic and operational decisions.
Clearly, business continuity strategies will continue to play a critical role in responding to crisis — and companies who follow these three rules will be the ones who lead the way.
link
