Some six out of ten (62 per cent) of managers report that cyber-security threats are increasingly posing a serious risk to their business, with nearly a third of UK organisations (32pc) having come under a cyber attack of some sort in the past 12 months. That’s according to new research published by the Chartered Management Institute (CMI) in March.
The ‘Managing Threats in a Dangerous World’ report, published with insurance company Aon, the British Standards Institution (BSI, www.bsigroup.com), the Business Continuity Institute (BCI, www.thebci.org) and the Civil Contingencies Secretariat in the Cabinet Office, examines how prepared organisations were for unexpected and damaging disruptions to their day-to-day operations over the past year. These include cyber threats, which saw 12pc of companies losing confidential information and 9pc suffering a significant attempt to hack into their network in the last year; heavy snow, which caused disruption to 92 per cent of companies; the volcanic ash cloud, which impacted 53pc; and the influenza epidemic, which also caused problems for 53pc.
The findings, released to coincide with the start of Business Continuity Awareness Week, also show that the recent media focus on high profile business continuity failures has had a real impact on the UK’s business planning, with 15pc of managers feeling that Deepwater Horizon had strengthened the case for their organisation to develop robust business continuity management plans; and 14pc believing Wikileaks had caused their organisation to revisit their security arrangements.
Yet despite 82pc of those surveyed reporting that their senior management view business continuity management as important or very important, just 58pc say they have plans in place to cater for unexpected disruptions. A further 16pc didn’t know whether or not their company has set crisis plans they should be following. This is of particular concern in the private sector, where fewer than half of businesses (49pc) are prepared for threats to their day-to-day running.
Despite this, the report shows clear advantages for organisations which do have plans in place to deal with crises when they hit. Of those who had to activate plans, 84pc agreed it reduced disruption and 77pc stated that any cost in developing plans is offset by the business benefits they bring.
Ruth Spellman, Chief Executive of CMI, says: “Today’s report shows that UK organisations must be better at putting plans in place to deal with disruptions to their day-to-day business. Every time an unexpected event interrupts or halts the operations of a business, charity or public sector body in this country, UK plc suffers – yet with good management, this could be avoided. ?
“With so many organisations now relying on online networks and systems to function, cyber security breaches have joined extreme weather, contagious illness and transport disruptions as one of the top risks to businesses performance. Managers need to ensure that they have proactive plans in place to deal with the potential threats that could impact their business. Anticipating and planning for threats will help drastically reduce the negative impacts on your organisation, should they occur, as well as helping you recover faster from any ill effects.”
As part of its commitment to revitalising management and leadership in the UK, CMI is calling for all organisations to learn the lessons of the last 12 months in line with the report’s recommendations. These include:
* Assembling a team of specialists from across the business to identify specific potential threats that would prevent or diminish its ability to operate and plan for them.
* Integrating business continuity planning into the wider management strategy – understanding threats and putting processes in place to mitigate them can give businesses a competitive advantage.
* Testing crisis plans regularly to ensure they are comprehensive and robust – a quarter of organisations with crisis plans have never tested them, running the risk that the plans don’t work when they are most needed.
* Ensuring that coordinating a media response is part of all plans – 61 per cent of managers believe that reputation damage is now a more significant threat to their business than financial loss.
* Ensuring that key suppliers also have crisis plans in place – the findings show that just 5pc of organisations check whether their supply chain will be able to survive a major disruption.
Spellman adds: “In post-recession, ‘age of austerity’ Britain, accountability and transparency are key to success. All organisations have a responsibility to their stakeholders, shareholders, customers, employees and partners to develop plans to ensure they can continue to operate through difficult or uncertain circumstances.”
To download the report visit www.managers.org.uk/bcm2011.
Meanwhile a new guide published by the Business Continuity Institute (BCI) aims to help those looking to make smarter decisions around their risk management and risk transfer strategies, by clarifying the complementary relationship between business continuity management (BCM) and business interruption insurance (BII): while insurance can provide cash flow after the incident, only BCM will protect brand and customers.
The guide for business continuity and risk management professionals was developed by practitioners and industry experts over a 12-month project, involving a number of discussions with major writers of business interruption insurance.
Key conclusions from the guide:
* BCM can help with BII because it reduces risk as well as the scale and duration of losses. Research by the BCI and The Chartered Insurance Institute (CII) published in November 2010 endorsed this position.
* BCM is a factor in BII because it can affect the Estimated Maximum Loss (EML). So long as you are able to calculate an improved EML, you have a strong case to argue for improved terms of cover.
* Premium savings of up to 15 per cent have been achieved by some organisations from some insurance providers; however there is no fixed discount rate on BII in reward for adequate BCM programmes. Rating for BII still lacks a common or formalised approach across the industry.
* Within BII discussions, BCM can be used to help understand what the loss of profit and increased cost of working could be. It also provides cover whenever policies impose deductibles in time or money, and where the policy does not respond to the perils encountered.
* BCM is good for insurers – clients with BCM represent a better quality risk. Insurers need to think about their BII exposures especially when considering their capital adequacy arrangements as required by Solvency II.
Tim Astley, Strategic Risk Consultant at Zurich, one of the contributors to the working committee which published the report said: “Zurich welcomes the publication of this important paper. The BCM community has a responsibility to help drive customer understanding of how a resilient enterprise can positively influence Business Interruption insurance risks. In exploring the linkages between BCM and Business Interruption Insurance this guide will help stimulate further discussion and help bring the business continuity and insurance professions closer together.”
Lyndon Bird FBCI, Technical Director at the Business Continuity Institute said: “BCM is widely recognised in the insurance community as an effective method in reducing claims. The increasing professionalism of business continuity practitioners, coupled with the availability of good practice guidelines and management standards, help to build confidence that BCM processes are likely to be effective.
“However, more needs to be done by insurers to discriminate between insured BCM programmes and clearly reward those that represent a better quality risk. A consistent approach to assessing the adequacy of programmes, and rewarding such programmes in the premium price are required; practices which are already commonplace with property insurance.” The guide is available to download from the resources section of the Business Continuity Awareness Week website: www.bcaw2011.com
