25 May 2021
At the start of the pandemic in March 2020 Mercer found that 51% of organisations worldwide didn’t have a Business Continuity Plan. Many plans that did exist in early 2020 didn’t factor in a pandemic and so quickly became redundant.
Also, uncertainty has obviously been the norm for some time now, which makes it hard for businesses to plan and protect themselves against different types of risk.
Our May Business Club focused on giving helpful pointers when preparing for and managing risk in a business. Dean Hardy from Shipleys was joined by Club regular and insurance specialist, John Lanning of Robinson Buckley – a Finch Company recently acquired along with the Headley Group – to co-facilitate the discussion.
Common risks for businesses
John took the group through common risks for businesses and how they’d changed.
The Risk.net analysis is based on a survey of operational risk practitioners across the globe and shows that, although the top 2 risks remained unchanged, the pandemic had caused movement further down the list.
In comparison, the Allianz Risk Barometer for 2021 (which collates views from Allianz global business customers, and industry experts), found that across 92 countries and territories the top 3 threats were:
1. Business interruption (including supply chain disruption)
2. Pandemic (health and workforce issues, restrictions on movement)
3. Cyber (cybercrime, IT failure/outage, data breaches, fines and penalties)
When protecting against risk, the cost of insurance has risen in the past year but this isn’t just down to the pandemic. Issues such as compliance changes in the industry mean insurers are having to increase their capital reserves to trade. There’s also been increased compensation for personal injury claims and 2020’s storms and floods meant the insured property market loss for floods across the United Kingdom is estimated at £375 million.
Identifying and being prepared for risk
John explained that businesses need to identify risks unique to their organisation and set-up. This means considering what could affect the business and the impact it could have. It is also important to not just think of risks in terms of insurance policies as good risk management is broader than that.
Components to look into include:
- Assessing the business and considering what aspects you couldn’t operate without – for example, critical activities, key services, resources, staff and what could affect them.
- Scenario planning and considering ‘what if?’ – for example, exploring what incidents could impact on you and discussing worst-case scenarios.
- Working across your different departments – this is to identify further risks, brainstorm ideas, analyse other events’ impact and assess processes.
- Managing the risks – considering what action can be taken to eliminate or reduce the risk, considering how cost-effective this is.
Businesses will be on a firmer footing if they create a live, accessible and regularly updated business continuity plan to use should the risks identified occur. This can be referred to when situations arise to show what is to be done and give the details of who should be contacted. Most importantly, the plan should be regularly reviewed, tested and amended as required.
Boosting business resilience
Club members then discussed how some sample businesses could boost their resilience and prepare for and manage risk in the coming year. The businesses were:
- A retail business with high street units across the UK
- A manufacturing business whose markets are UK and Europe
- A regional advisory / consultancy business with 5 offices across SE England
Suggestions from club members included…
Creating a positive customer experience in the retail environment and delivering regular training to encourage staff to upsell. It is also important to embrace the threat of online and blend an onsite and online element as part of the customer experience.
Protecting the supply chain by anticipating potential delays and issues which could disrupt it, then managing stock levels and alternative suppliers to step in and fill any gaps.
Bolstering employee resilience – giving training and support for people to help them remain engaged, stay consistent in their work levels and maintain positive wellbeing (especially when people are working disparately as they have been over the past year).
Factoring in any changes in Government incentives and taxes as part of your scenario and risk assessments.
The importance of having a business risk register – this focuses on the departmental level and risks for that area. It should be kept live and updated via regular internal audits. A good register also gives mitigation activities for each risk. The mitigations mean, if something happens that isn’t covered by what you’ve planned, the register has comparable solutions to help you quickly formulate a plan to get through the issue which has arisen. Risk registers are a great foundation for a business continuity plan for the wider organisation.
Making the business continuity plan part of job descriptions where relevant – if a person has responsibility for it as part of their remuneration, the plan has a greater chance of being kept current. There should also be agreed dates for the plan to be reviewed.
Government figures suggest nearly one in five businesses suffer a major disruption every year. Further research suggests 80% of businesses affected by a major incident close within 18 months, and 90% of those who lose their data are forced to close within two years.
Risk is at every stage of the business lifecycle – from start-up through to wrap up or merger. The insurance industry offers a broad range of protection to cover the risks different businesses will encounter, from compulsory insurance such as employers’ liability through to very specific policies focusing on professional indemnity, cyber threats, management liability and even personal accident and sickness of staff.
It is important for businesses to understand the detail in their insurance policies and ask a specialist if they’re unsure in any way. Cheap policies may not give the level of cover you need or may have tough clauses or detailed caveats. Seek expert opinion to ensure your business is protected in the way you want.
Club members also circulated this video as part of their discussions around cyber threat planning: The hacking challenge at DEFCON
A very big thank you to John Lanning for his words of wisdom and invaluable insights during the session. If you would like to join our future Business Club events, please contact the Shipleys’ Godalming team for more information.
Specific advice should be obtained before taking action, or refraining from taking action, in relation to this summary. If you would like advice or further information, please speak to your usual Shipleys contact.
Copyright © Shipleys LLP 2021