To understand the risk surrounding business interruption in more detail, StrategicRISK canvassed the views of more than 100 risk professionals from Asia-Pacific and Europe who have experience in business interruption policies to get their views on how to get the best from this type of insurance.
When respondents were asked about events in terms of their likelihood to cause a business interruption and if they were to occur, the cost of physical damage, most respondents believed fire and/or explosion and extreme weather events (wind storm, flooding etc) were in the danger zone where they are most likely to occur and cause high physical damage.
In addition, machinery breakdown, human error/operating error, cyber attacks and IT systems outages also rated very highly with respondents.
Respondents were also asked to rate events according to the likelihood of the event causing a business interruption and if they were to occur, what the economic impact on the business would be. From one (very low) to five (very high).
Once again, cyber attacks topped respondents’ fears of both likelihood (average score: 3.27) and economic impact (average score: 3.59). Other business interruption scoring highly included supply chain disruption/failure of a supplier which had an average economic impact score of 3.26 and natural catastrophes (earthquake, tsunami, volcanic activity) which though respondents felt was less likely to occur (average score: 2.17), the economic impact if it did score higher than average (3.40).
Interestingly, our survey respondents scored shortage of talent/skills higher than average for both likelihood (3.15) and economic impact to their business (3.02).
Are you ready?
Preparedness for a catastrophic event hitting your business is arguably the key to how well the firm will bounce back. Scenario testing is one way of preparing for a crisis and according to our survey respondents, it is a key tool in their risk management toolbox.
Risk Insight Consulting principal consultant, Gareth Byatt says: The immediate effects of business interruption events, and the “long tail” of dealing with them, can sometimes be felt for a long time (we can all think of recent examples of such cases). The consequences of a significant business interruption event can be wide-ranging.
“When such an event is managed well, the impacts can be minimised and the organisation’s standing and reputation can remain intact, or quickly recover if it is immediately impacted when the event occurs. When a business interruption event is managed badly, the negative outcomes that result can cause long-lasting damage.
“I think that as a result of all of this, we are seeing an increasing recognition of the importance of preparing well for dealing with business interruption. When I say “preparing”, I don’t mean a few people writing detailed plans. That is part of the preparation, but only part of it (and in any case, when you write plans, you should consult widely). Good preparation means people in your organisation are ready to respond in an effective way at any moment.
Singaporean telco giant StarHub’s head of Enterprise Risk Management, Nigel Tay agrees on a more specific basis: “Specific to the telecoms industry, we are regulated by very strict regulations which requires us to maintain an uptime with very high levels of resiliency. In terms of preparedness, this is absolutely imperative for our industry largely due to compliance and regulatory requirements. On a larger scale, emergency preparedness is definitely important, especially with the current socio-political landscape.”
Proper scenario planning may reveal the key issues that could arise when resolving a claim for business interruption. This will help ensure that the process of resolving the claim does not cause further delay at a time when speed is of the essence. It will also allow management teams to focus on ensuring the business fully recovers following a loss rather than worrying about claims resolution.
“The key is in the ‘thinking through’ how you will respond and being ready to act when something happens. You can’t predict how or when a major business disruption event will unfold, but through scenario testing you can practice responding to events in order to learn and get better at how to respond and how to work effectively as a team in a high-pressure situation. When a big disruption event occurs, there will be lots of different elements to deal with, and being responsive, agile and resilient under pressure is key,” says Byatt.
Unsurprisingly, the overwhelming majority of firms surveyed run scenario tests for fire and/or explosion (89%), cyber attacks (74%) and IT systems failures (82%).
“The telco industry is a little special we are the gateway and network services provider to most businesses, we are subjected to network hacking activities on a daily basis,” says Tay.
“A massive cyber incident for example a DDoS attack could result in a catastrophic network outage which could be a substantial business interruption event. More specific to your question, these two events have scale and could result in larger crisis,” he adds.
Conversely, more than half of all respondents said they do not conduct any type of scenario testing for political instability, despite the event rating quite highly in terms of likelihood and economic impact to their firms.
PARIMA board member, Victoria Tan, says being open to all possible scenarios with mean you are adequately prepared should disaster strike. “Part of the business impact assessment is the visualization of the possible impacts (people, regulatory, financial, reputational) of each possible scenario. Based on these impacts, recovery measures are considered in the overall plan. Usually, the one with the highest impact is prioritised. Based on this assessment, the one with the highest impact is tested either by table-top testing or by simulation or drill. For a mature organisation, simulation or drill is usually implemented.”
Building resilience into business continuity plans is one way of preparing for an event. We asked respondents how prepared they are to deal with certain BI events on a scale of 1 (not resilient) to 5 (extremely resilient). Once again, respondents felt their firms’ preparedness to deal with fire and/or explosion is well above average (4.05), power outages (3.92) and machinery breakdown (3.86).
Cyber-attacks, however, are proving trickier for firms to prepare for with responses averaging 3.05, despite risk managers beliefs that this event is one of the most likely events to befall their business. Insurance coverage for cyber attacks also remains low in respondents firms with only 27% being comprehensively covered for an attack. Another 43% said their firm has partial coverage for an attack while 13% of respondents said their firm has no coverage for a cyber attack. Similarly, IT outages is a huge concern for businesses in terms of business interruption but only a quarter of firms have comprehensive insurance to protect themselves.
“To be a resilient organisation, business continuity management system should be established. And the system emphasises the relationship/connectedness of incident management, IT/DR, crisis management and business continuity plan. The main objective is to protect lives, to recover at an acceptable time, and most of all to protect the brand,” says Tan.
“This system prepares the organisation for every possible business interruption (natural or man-made). But of course, you will never know that everything is working not unless an actual event happens,” Tan adds.
Insurance coverage for fire and/or explosion is wide across most firms with more than 78% of respondents telling us they have comprehensive coverage. Extreme weather events (54%) and natural catastrophes (48%) also rated very highly for comprehensive coverage with most respondents.
“For me, this is vital. The insurance companies give you an outside-in perspective, risk engineering expertise and provides the needed balance sheet protection. For us, we work closely with our Insurance Broker (Marsh) to help us to quantify certain loss scenarios,” says Tay.
“For example, we recently engaged Marsh to run an actuarial study of several cyber loss incidents. This gives us a good base to look at the necessary cyber insurance coverage that we need and also helps us to negotiate for better insurance premiums,” he adds.
Having insurance is one thing but making a claim is another. We asked our respondents how many had experienced a BI incident in the past 24 months and how many had subsequently made a claim on their associated insurance policy.
Results showed fire and/or explosion was the most claimed for business interruption with around a quarter (23%) of respondents making a claim against their policy. Other claims came from extreme weather events (14%), machinery breakdown (14% and human error (13%). Interestingly, around 9% of respondents had experienced machinery breakdown but didn’t claim against any insurance policy. The reasons for this are unknown.
One of the biggest frustrations for insureds is a lengthy, complex and difficult claims process. Due to the complexities of business interruption policies, claims can sometimes take an extended period of time to resolve.
Some of the issues which can delay a claim include not understanding the policy and not understanding the volume of information that is usually requested by forensic accountants. Other common complaints are complying with the requests for documentation within certain time frames and quantifying the loss for insurers.
In our survey, almost a third of respondents found quantifying the loss to be the most difficult part of the claims process. A further 21% found providing information and paperwork required by the insurer while 13% of respondents said claims disputes was the most challenging aspect of the claims process.