With COVID-19 dominating so much of organisations’ current operational resilience agendas, it’s important to remember that the threat from other global risks and local incidents remains. Climate change continues to pose a major threat as well as changes in the “world order”. On a more concrete level fires still occur in factories, supply chains are disrupted, and IT systems encounter critical outages. And, if anything, cyber-attacks are on the increase.
As more countries begin vaccination programmes and we begin to envisage an “end” or at least a major slow down to the coronavirus pandemic, 4C Strategies consultants Josefin Agelii Mayotte and Nils Kjellgren discuss the 2021 risk landscape beyond COVID-19.
Let’s start with global risk. What should we be concerned about?
Josefin: If we look at World Economic Forum’s annual Global Risks Reports from the last decade we can see how environmental and climatic risks have become more pressing issues. Back in 2010, the top risks most likely to occur in the next decade were listed as:
Not surprisingly, most of these were related to the 2008 recession, the reverberations of which were still being felt globally. Ten years on, the picture looks very different. Four of the top five long-term risks deemed likely to occur in the next decade are linked to climate change.
Moving further down the 2020 list we see cyber security and IT continuity risks featuring prominently in spots six to ten. Interestingly, the threat of infectious diseases was only ranked tenth in early 2020, which shows how difficult it is to prepare for one specific risk. What’s obvious from the report, however, is that we need to plan for climate-related issues, both now and in the long term. These will have the “most impact” and are “most likely” to occur, we just don’t know exactly when.
Why are risks so difficult to predict?
Nils: Predicting which major risks are being faced is not so much the difficult part, it’s predicting when they will happen that is challenging – as can be seen with the predictions (or lack thereof) regarding the pandemic. Today, we live in a globalised world, events on the other side of the planet can have serious consequences for global supply chains and individual consumers. For instance, just over ten years ago floods in Thailand led to a global shortage of hard drives – something that hadn’t been prepared for. Another telling example can be found in Germany, which has seen historically low water levels in the Rhine river. This has led to an 18% reduction in cargo transport on the river compared to 2017, which in turn has created a shortage of raw materials, lowered industrial production capacity and increased costs.
Essentially, we have an uncertain future ahead of us. The United States has, in principle under the Trump Presidency, stated that it no longer has the “world’s policeman” role and China is acting to extend its footprint in the world. We also don’t know for the moment how President-Elect Joe Biden will conduct his foreign policy, and how limited he will be by partisan divides in Congress. At the same time the threat from climate change and cyber-attacks could not be more apparent.
Why are people becoming more concerned about these risks?
Nils: The climate is something we hear about every day and will continue to do so. If we look at cyber-attacks, to a large degree the threat to IT infrastructure used to come from a bunch of hackers, but today we see more and more state-supported cyber-attacks that can last for several years.
Cyber-attacks are also more in the public eye as large-scale intrusions with major consequences become global news. The NotPetya malware attack, for example, cost the Danish transport and logistics company Maersk hundreds of millions of dollars. That’s big news! It’s estimated that 2% of the world’s trade is always on a Maersk ship. The consequences are enormous when you attack a company like this – 4,000 servers and almost 45,000 computers had to be repaired at Maersk due to NotPetya. Recently Google had a major global outage which affected all their services world-wide.
Do you have any tips on how to improve the monitoring of major global risks?
Nils: Risk Management in different ways. One advanced method is to look at operations, build triggers and analyse what occurs. For example, how is risk impacted when the gold price rises or the oil price falls. Such triggers must, of course, be linked to your activities so the impacts are felt by diverse events in the world.
Josefin: Identify the greatest risks or focus areas, monitor the outside world, and see what triggers exist for them. In my experience what’s happening around the world, however, isn’t where the biggest issues lie. A bigger issue is that risks are measured differently within business units in the absence of a common method for risk assessments. Many people do risk analyses but they can be done half-heartedly and the results are not usually aggregated so you don’t get a common risk overview. Risk management is too often treated as a ‘tick-box’ exercise, without full buy-in from senior management and a risk-aware organizational culture.
Nils: There is a need for closer cooperation between those who work with information, financial issues, security, and sales, so that everyone has the same understanding. Different business units understand their own risks – and it can quickly turn into an internal battle over which risks should be prioritised and worked with.
What type of benefits can the Exonaut® software bring to risk planning?
Josefin: Exonaut Risk Manager is a well-established digital solution that has been in use for many years. The system delivers a structured, systematic and integrated approach to project-based and enterprise-wide risks, in accordance with the ISO 31000 standard. It’s intuitive and easy to work with providing users with a clear overview of the risk landscape, visualised by probability, consequence and treatment status. Based on this, you can conduct impact assessments and the treat the most severe risks through control programs and other mitigation measures. The risks you should focus on are those that are both likely to happen and have major consequences if they occur.
When doing such an assessment you also need to look at low probability risks which, if they occur, will lead to major consequences. For example, if the company will go under due to a particular event – you need a plan to counter this event, even if it is unlikely to happen.
In the public sector, many people who work with risk analysis are having to make do with using spreadsheets rather than using a smart digital tool. If they had Exonaut, they would be able to easily structure risk work by systematically identifying, assessing and treating risks, as well as producing automated risk reports. They could also spot trends across or within diverse risks using risk dashboards.
Book a free demonstration of our Exonaut® software solutions for your risk, business continuity, crisis and exercise management needs.
Which risk areas are most important to monitor closely and which should be prioritised in 2021?
Nils: The vast majority of companies have a good idea of which risks they are most likely to encounter. In principle, senior management decides the company’s risk appetite and, based on this, which risks are acceptable and which are to be avoided. A company’s strategy will, of course, affect risk appetite. If your strategy is to increase market share, you will probably have to take more risk to succeed than say a strategy of market stability. Companies just need to make sure they look beyond the coronavirus, even though it continues to generate risks.
Josefin: Something I think we keep coming back to is that the risk landscape is very complex to assess. Some of the world’s leading risk experts listed infectious diseases as the tenth biggest threat in early 2020, and today we are in the middle of a pandemic.
We usually say that you should avoid scenario planning because the exact scenario you have trained for will most probably not happen – at least not the way you trained for it. At 4C, we prepare companies to handle whatever comes at them. Our integrated approach to organisational resilience combines risk with Business Continuity Management and Incident and Crisis Management. Since there are both known and unknown risks, having an effective business continuity plan will ensure that critical processes are secured and upheld regardless of the eventuality of a risk, in particular those that cannot be mitigated.
With the optimal integrated approach, you can deal with fires, a terrorist attack, a natural disaster, a cyber-attack, or whatever is disrupting operations.
Finally, with the pandemic still very much at the forefront, what should organisations be considering?
Josefine: The role out of COVID-19 vaccinations will impact all of our lives. Organisations are going to be faced with big decisions. Will employees be returning to offices full-time? Will regular face-to-face customer meetings resume? How will our suppliers be affected? These are just some of the post-pandemic questions that will need answering as we move forward. Securing key staff may become a major concern, depending on the choices made. Risk analyses moving forward should take this into account.
Nils: The digital transformation has been greatly accelerated due to the pandemic. IT departments have put security processes into place to cope with large scale remote working. But this has been a case of working from home or at the office. What happens if these worlds merge, can IT systems cope? Increased digital adoption also means organisations will be expected to integrate more and newer software into their IT systems, which will put more strains on security and bring with it a greater risk to IT continuity. These, along with other risks, must be addressed.
If you have more questions about predicting and/or managing risks in 2021 and beyond we can help.
Meet with our Experts
Discover how you can build your risk, business continuity and crisis management capability with our advisory services. Book a free consultation with one of our expert consultants to discuss your requirements.