Companies recognize potential risks posed by natural catastrophes yet have insufficient mitigation plans in place. This is the key finding of a survey on «Natural catastrophes: business risks and preparedness», presented today by Zurich Insurance Group (Zurich). The study, conducted in January 2013 by the Economist Intelligence Unit and sponsored by Zurich, continues the Group’s research into understanding and mitigating risks.
The research polled 170 executives from medium-sized and large companies around the world, and confirms a widespread perception among organizations that natural catastrophes are becoming both more frequent and more severe, and that commensurate importance is assigned to assessing and mitigating the associated risks.
Survey respondents say that business disruption from a natural catastrophe would encompass multiple aspects of the enterprise, with the most severe threats confronting continuity of IT support, business-critical functions and supply-chain logistics. The research suggests that there is significant room for improvement in company planning and continuity endeavours. This is true for business-critical functions and is a serious concern for IT functions in particular.
Although most companies surveyed have taken some steps to mitigate associated threats to IT systems, the adoption of systematic, integrated approaches to risk management is surprisingly low. The findings suggest that while businesses are aware of the challenges they face, most have not yet developed a holistic approach to protect themselves from these risks.
Combining the top two most severe ratings on a scale of five puts continuity of IT support as facing the most severe disruption (46%), followed by business-critical functions and supply-chain logistics (both 44%). Supply-chain logistics are difficult to address in the event of a natural catastrophe, as they are generally outside of an organization’s immediate control and often affect a variety of critical infrastructure. This reinforces the importance of preparation and truly understanding the company's exposures. Taken together, these findings indicate that there is plenty of room for improvement. One hopeful finding is that security of sensitive data is associated with a lower perceived risk of disruption. This may be a sign that companies are taking steps to protect their core IT assets even in the face of natural disasters.
Fewer than half of survey respondents (45%) say that they use some form of scenario analysis to assess the risks of natural catastrophes. Another 16% use third-party risk assessments, but nearly three in ten (27%) say that they do not systematically assess business risks related to natural catastrophes. In addition, roughly half of those who do not use scenario analysis say that they do not systematically assess risks of natural catastrophes at all. This means that many companies are unprepared for natural disasters despite being aware of their severity. Inadequate budgets and a lack of technical risk-management skills seem to be the main hurdles, based on the survey’s results.
Nearly one-fifth (19%) of companies have not adopted any strategy to mitigate IT risks related to natural catastrophes. About two-thirds (66%) of respondents say that their companies have adopted at least one of three purely hardware-orientated strategies for mitigating threats to IT systems in the event of a natural disaster. These include locating IT infrastructure away from high-risk regions, hardening IT infrastructure against physical disruption and adopting early-warning tools for back-up or fail-over systems. Clearly most businesses are trying to be proactive in some form, but only a small minority (5%) is employing the full array of robust risk-mitigation tools available to them. And only a minority (31%) of companies is transferring risk through insurance, frequently to bolster their own enterprise risk-management endeavors.
The survey suggests that progress has been made in recognizing risks from natural catastrophes. However, a full integration of risk management across the enterprise remains spotty. Although a long-term trend towards integrated enterprise-wide risk-management programs has been documented, progress remains slow. When asked to name the single biggest weakness in their company strategy for managing IT risks from natural catastrophes, nearly one-quarter (24%) of respondents point to the failure to incorporate the full range of risks into the business-continuity plan. This is followed closely (22%) by the lack of clear ownership of the organizational risk-management function.
A key element of such a strategy would be a full integration of threats from natural catastrophes into an organization’s systems for identifying, assessing and controlling risks. While the survey found that many organizations are taking action in this direction, the analysis concludes that considerably more effort will be required before the risks of natural catastrophes are adequately controlled. Particularly important progress has been achieved in the area of IT risk-mitigation strategies. Nearly 80% of respondents say that their organization has adopted at least one hardware-oriented and at least one employee-oriented IT risk-management strategy related to natural catastrophes. And nearly 60% say that these initiatives have been largely successful. Yet efforts to address the interconnectivity of risk clusters through integrated risk management remain incomplete, as only a minority of businesses have developed a comprehensive risk profile for senior management.
“A lack of resources and technical know-how are the most common reasons for organizational failure to develop and implement more efficient risk-management processes”, comments Axel P. Lehmann, Chief Risk Officer of Zurich. In fact many respondents lack the ability to present a compelling business case for risk-management initiatives. “But, while in-depth analysis may provide clearer data for decision-makers, it is incumbent on Chief Executive Officers and Risk Officers to develop appropriate risk strategies and to ensure their companies are better prepared.” As already highlighted in the study, «Risk Management in a Time of Global Uncertainty», published last year by Zurich and Harvard Business Review Analytic Services, the Chief Risk Officer’s role is to establish an enterprise risk management framework, to align and control group-wide risk taking, to advise and to communicate regularly as well as to provide resources for better risk management.