Business Interruption in Today’s Technological World – Time to Rethink?
Usually, discussions around business interruption (BI) are in the context of property damage, for example, a fire or flood. However, in today’s environment, with significant dependence on technology across the retail, food and beverage industries, events which don’t damage property can still severely disrupt operations and are often underestimated. For example, what would happen if a cyber-attack led to the shutdown of a web shop, automated distribution centre, or disrupted a business’s supply chain systems?
New technologies continue to reshape industries, legacy retail management software and systems are struggling under the strain of multi-channel expansion plans, while in the food manufacturing industry, profit margin battles and new product demands continue to put extra pressure to implement new technology for increased efficiency. Changes in the use of technology will result in a rethinking of business models and profound changes to firms’ risk profiles.
PREPARING FOR CHANGES IN YOUR BUSINESS
While most businesses will have assessed the potential maximum loss of revenue following a property damage event, many may not have quantified the revenue they would lose if their systems were hacked or taken offline for a significant period of time. Whether the trigger is at a business’s own location or at a customer or supplier location, these risks demand a new approach:
ASSESS: Cyber risk should be defined, and organisations should identify and develop loss scenarios arising from cyber triggers. Maximum losses for non-damage business interruption, data breach, data deletion/corruption, and system outage should also be quantified. A practical understanding of cyber risk management should include a review of control maturity assessment, remediation strategy development, and threat monitoring to inform risk management activities.
MITIGATE: Mitigation measures might include changing business and IT processes to improve resilience, enhancing restoration capabilities, or strengthening technical cyber-security controls and contractual risk management.
TREAT: Customised insurance can be considered where identified risks exceed tolerance levels. Coverage is available for first and third party risks including non-damage business interruption.
Assessing and treating today’s new technology-driven business interruption risks is a major opportunity and an essential activity to build resiliency.