By Fusion Risk Management:
Every day most of us spend at least some of our time reading or watching the news. It seems like any time we look, there is another crisis dominating the news cycle. Since the start of the global pandemic, we’ve seen global political instability, war, an increase in cyber and ransomware attacks, supply chain disruptions – including shortages of critical commodities like food and baby formula, increasingly frequent and severe climate incidents, inflation, recession, and on and on. It’s like Murphy’s law has caught up with the global economic engine – anything you can dream up that can go wrong, is happening. We barely have time to respond to the crisis in our proverbial frying pan before we are running straight into the fire to deal with the next.
This is a concept that was a theme that echoed at a panel discussion at the World Economic Forum’s Davos Summit (“Davos”). Kristalina Georgieva, Managing Director, International Monetary Fund (IMF) said it best in the concluding remarks at Davos: “The overlaying of crisis upon crisis has taught us one thing: think of the unthinkable.” That unthinkable (at least in our current paradigm) is how resilience professionals can leverage the North Star to anticipate, prevent, plan, respond, and learn about the impact of compound crises on our business operations we face today.
What is a compound crisis?
A simple definition of a compound crisis is one where “a second or even third crisis occurs – either simultaneously with a first crisis, or before the impact of the first crisis has been completely resolved.” That’s squarely what has happened to the world in the past few years – we’ve not had time to catch our breath before we’ve had to respond to the next big thing, and it’s a core driver leading most organizations down the path of building resilience programs.
How is the concept of compound crisis affecting resilience?
Let’s break down how this concept applies to what we are experiencing today.
When the Covid-19 pandemic struck the world, it forced many businesses out of their comfort zone. Suddenly, employers who valued face time were forced to allow their personnel to work from home to keep their businesses running. While the new working model was underway, the number and severity of cyber and ransomware attacks spiked. According to an article in TechRepublic, “In June 2021 alone, the total number of ransomware attack attempts (78.4 million) was higher than three out of four quarters in 2020.” IT (information technology) security professionals and risk departments had to contend with the security risks that this new remote working model held. We had to adjust how we managed our internal risk and control frameworks.
The pandemic triggered stay-at-home orders that caused changes in sourcing of many of the raw materials that are part of the goods that many of us use. There have been many issues related to transport – from borders being closed to staffing shortages to ships like the Evergreen running around – which prompted shortages of supplies. We had to adjust how we managed our supply chain models.
Just when things with the pandemic seemed to be calming down, global geo-political tensions escalated. Russia invaded Ukraine, and world leaders responded with unprecedented sanctions to cripple the war machine. Many of us also had to make tough decisions on whether to continue business operations within the impacted region. For companies who made the choice to exit because the war made doing business impossible, they had to unwind their business operations. We had to adjust our reputational risk management and on-going third-party monitoring programs.
Just as supply chains are starting to bounce back, the war in the region has impacted transportation routes because of no-fly zones over Russia and closed ports on top of impacted production of grain. This has unfortunately driven up prices for the consumer for a commodity that they cannot avoid spending money on: food. Additionally, the sanctions impacted the flow of Russian oil and gas, causing the price of those commodities to increase as well. Inflation is on the rise, and to combat this, central banks are increasing interest rates. Rising interest rates put added pressure on consumer spending; it’s possible that these pressures combined will trigger a recession. And remember Covid? China has a “zero-Covid” policy, and some parts of the China economy are shut down which is worsening an already constrained supply chain. We had to adjust our thinking that a crisis was a singular event.
Meanwhile, climate-related incidents are on the rise. In the US (United States) in 2021, there were 20 separate billion-dollar climate-related disasters. They were diverse, and it seemed no portion of the country was spared (https://www.climate.gov/media/13976). This is also consistent with the climate emergency that we are experiencing globally. We’ve had to adjust how our businesses impact our scarcest resource: the planet.
It seems like we cannot catch a break.
Operational resilience is something that has always been around. These resilience teams are often a voice to executive leadership about what could go wrong with operations and how to fix it. Too often, their voices about the investments, policies, and programs that are needed to keep businesses operating in the face of disruption are not heard until after an incident. These professionals are adjusting their plans to account for these compound crises and are working to understand how their existing continuity plans can be impacted when faced with addressing multiple crises. We’re now at a point where this is no longer an acceptable approach.
There’s emerging regulatory scrutiny around the concept of business resiliency in nearly every sector that supports critical infrastructure. For better or worse, this imperative has thrust resiliency to the top of the to-do list for boards, as checking-the-box on contingency planning is outdated. To ensure that we can avoid disruption for customers, we must think through scenarios that could happen to facilitate preparedness when we are trying to do business in a world that is sending us an increasingly complex crisis.
Tips for companies to leverage their North Star to anticipate, prevent, plan, and respond to compound crisis
- Assess your risk – Undertake an initial evaluation of your organization’s potential exposure to the multiple crises that we are experiencing today. Each organization is different, so it’s important to work closely with your risk management lead and your leadership team to understand the frequency and severity of potential disruptions from external factors that may be beyond your control.
- Identify potential disasters and activate contingency plans sooner – Unfortunately, there is not a crystal ball to help us foresee every disaster; however, better technology and data have enabled us to predict foreseeable events like hurricanes. For non-foreseeable events like a tornado or political unrest, have a plan in place to be as prepared as possible ahead of time.
- Establish a business continuity plan to help you prepare for the disruption of essential services – Anticipate and prepare for extended downtimes and longer waits for restoration of services with multiple crises in the background. Re-evaluate your existing sites and vendors to decide if they have the right contingencies in place to meet your standards of recovery as well.
- Horizon scanning – Register for notifications from reliable sources and consider investing in technology that can help you check events on the horizon and automate notifications. While this can’t help you predict when something happens, it will enable you to activate your plans as soon as an issue arises.
- Consider supply chain disruptions – Supply chains and transportation options have already been disrupted because of the global pandemic and war in Ukraine. An additional natural or geopolitical disaster will add another dimension that requires reassessment of essential processes, functions, and materials. Use your original disaster plans and business continuity plans as a springboard to find potential solutions to the new challenges.
- Map your dependencies – As your business continues to grow, so do the complexities of the business relationships that you need to manage. It’s important to have a grasp on each of your critical products/services and what is required to make them run, but more importantly understand what happens if one of those requirements becomes unavailable.
- Exercise your plans – Exercising your plans is an integral part of any resiliency program. You have the plans in place, but do all impacted teams know how to use them should the time come? From a basic plan walkthrough to tabletop exercises and even full simulations, testing your plans ensures you have the right process, procedures, and controls in place to continue through any disruption. Take it to the next level by simulating the impact of a disruption on your business by scenario testing.
- Continue to evolve your program – Recognize that as the world around you changes, your program will continue to change with it. Establish best practices and timings to conduct an annual review of your risk assessment. Embed lesson learned sessions into your incident response plans. Always keep a pulse on evolving regulatory expectations and needs of your customers.
Learn more at Fusion Risk Management.