Bad things shouldn’t happen to good businesses, but they inevitably do. Companies face hurricane-force winds, floods, earthquakes, fires, political upheaval, corruption, power blackouts, and transportation failures, to name just a few. And for many businesses, a disaster striking a key supplier could create a threat every bit as serious as a disaster at corporate headquarters.
What’s not inevitable is for unforeseen events, wherever they strike, to do irreparable damage to the business. The ability to sail through difficulty and rebound from disruption is known as “resilience.” Despite its buzzword status, the concept perfectly captures the position companies should strive to occupy in an increasingly risky world.
Even a brief disruption in business can cause lasting harm to company revenue, market share, shareholder value, and reputation. In fact, Accenture research has shown that supply-chain disruptions can reduce an affected company’s shareholder value by 7 percent. These stakes make resilience a C-level—if not a board-level—priority.
Disruption and Dependencies
Although becoming resilient is a priority, it’s not simple. No organization operates in a vacuum, and companies are increasingly finding that their business partners are sources of potential business disruption. Supply-chain brittleness is a key counterparty risk that business partners pose to corporate cash flow. Brittleness stems from factors such as increased outsourcing, the geographic clustering of suppliers, and supply chains’ growing size and complexity. Four out of five respondents to the Business Continuity Institute’s (BCI’s) Supply Chain Resilience 2014 survey said they had experienced at least one instance of supply chain disruption in the past 12 months.
As you may recall, workers in the auto industry—both in large plants and in dependent smaller firms—became idle when Japan’s 2011 earthquake and tsunami choked off component supplies. Floods in Thailand that same year are still affecting businesses that had concentrated operations or supply chains in Asia. For example, one-third of the world’s hard drives were produced in Bangkok. When the region flooded, many technology businesses around the world discovered that their loss-prevention planning was inadequate. Those that had planned well capitalized on the disruption by winning market share.
Sometimes a company’s direct suppliers aren’t even the problem. Issues with the suppliers’ suppliers can also disrupt an organization’s supply chain. More than half of the respondents in the BCI study indicated that the disruptions they experienced during the previous year came from suppliers below the top tier.
Companies outside the manufacturing sector are not immune. Even companies that don’t have a supply chain usually face risks around the complex interdependencies that exist within their own organization. Thus, they too need to take measures to ensure that revenue-producing operations aren’t disrupted by natural disasters or other unexpected events.
Complicating matters is the global move toward more due diligence and transparency in corporate governance, which pressures treasurers and other risk managers to work more closely with the board of directors and senior management. This trend means executives responsible for managing company risk are carrying a heavier load today than they have in the past—some without the budget, time, or personnel they need to be optimally effective.
The bottom line is that resilient companies take deliberate steps to shore up their vulnerabilities before a catastrophic event. They understand the hazards they face and take preventive measures to avoid disasters as well as proactive measures, such as business continuity planning, to be fully prepared in case disaster strikes. When an emergency occurs, they execute on those plans. In the event of a fire, for example, that might just mean letting the sprinkler systems do their job. Then after the event, resilient companies take the right actions to bounce back quickly—whether it’s firing up generators or activating cross-trained teams in other facilities. Unlike chronically vulnerable businesses, resilient companies see business disruptions as preventable, not inevitable.
Understanding the Risks
To determine the best strategies for becoming resilient, an organization must first conduct a business impact analysis (BIA). The goals are to systematically understand the most critical business processes, identify the most serious risks to those processes given realistic worst-case scenarios, understand the ultimate financial impacts that can result, and lay out potential solutions to reduce these exposures. Any risk a company can eliminate or effectively mitigate is a risk that won’t put it out of business at some point in the future. Conducting a BIA may even lower an organization’s total cost of risk, since risk management resources can be deployed more efficiently toward those areas that represent the greatest risk.
The BIA may be performed by a business’s internal staff, or the company might bring in consultants. Either way, the BIA team should include experts who are experienced in business processes, finance, and engineering. After determining that a specific location is critical to a company’s business, the team needs to analyze what would happen if that location were severely disrupted. Then the team should determine the cost of the disruption and establish strategies for getting past it.
A business impact analysis consists of three parts:
Step 1: The big picture. First, you need to look at your company’s business model and overall operations. A thorough analysis of this kind may take several months to complete, or it may take much less time, depending on the scope of the project and the level of detail desired.
At most large multinational companies, the BIA team needs time to meet with key personnel throughout the organization. These learning and update sessions should be conducted with mid- to upper-level management from the finance, operations, IT, procurement, marketing/sales, HR, and legal departments, as well as any other functions that are appropriate. The BIA team should thoroughly evaluate the company’s:
- critical processes,
- special equipment,
- supply-chain vulnerabilities,
- sales channels,
- functional single points of failure,
- marketing campaigns,
- product and operational interdependencies,
- IT infrastructure and software applications, and
- labor resources.
This research will yield a comprehensive picture of the organization’s key business drivers and related risks. How does the company generate revenues and profits? What are the financial dependencies and interdependencies? Where are the biggest vulnerabilities? This exercise will also help determine what production alternatives need to be in place for key locations, and how the company can utilize or develop risk-mitigation capabilities at alternative locations.
Step 1 will help make corporate leaders more aware of the company’s risks around possible supply-chain bottlenecks and the potential effects of supply-chain interruptions on customers, employees, partners, and shareholders.
Step 2: A closer look at risk. Whether or not it conducts other, separate risk assessments, a company working to build resilience should examine location-specific risks as part of the BIA process. Take a focused look at the unique, inherent risks facing each of your company’s facilities. Consider both financial risks and physical risks that have financial implications, such as natural disasters, fires, and equipment breakdowns. This analysis will help your organization:
- understand the underlying risks in its operations;
- analyze vulnerabilities at key locations/functions within the business model;
- develop benchmarks and risk profiles for each location;
- identify natural hazard exposures (e.g., earthquakes, floods, windstorms, etc.);
- understand the types of emergency response plans needed, or the effectiveness of plans the company has in place; and
- quantify the potential time periods for which a location or function may be disrupted given various disaster scenarios.
Many forward-looking companies dispatch teams to each of their facilities, on a regular basis, to obtain or update vital location information and to create risk reports on each facility. This helps build knowledge of the major risks to each location and their worst-case loss scenarios.
When you’ve completed Step 2, you’ll be prepared to gauge a disaster’s potential financial impact on your company.
Step 3: Number crunching. Next you need to develop an understanding of the full financial impact that could result from various disruptive events. First, identify any specific revenue streams that you would cease to receive from a customer in the event of each prospective disaster you’ve identified. From the projected reduction in revenue, subtract the variable costs, which are the costs that would be eliminated if disaster struck. The difference is your variable margin. Map each variable margin stream to the locations, corporate functions, and/or suppliers whose disruption would result in the revenue stream reduction you’ve envisioned.
The result of this exercise is the assignment of a total annual value exposed at each location. From that point, you need to adjust the total annual value exposed to account for the time period you believe recovery will take—so, take into consideration how many years in a row you would expect the revenue stream reduction to last. Make sure to account for other risk-mitigating factors such as production makeup capabilities and expenses the company would incur to expedite recovery.
Lastly, you need to consider the impact on organizational revenues of lost market share or long-term customer dissatisfaction, which could extend well beyond the expected recovery period. In some cases, these losses can dwarf the direct financial impact of the business interruption.
The end result of these calculations is a net exposure value which reflects the true financial impact that a major disaster might have on the company. When the BIA team calculates financial impacts for a multitude of locations or processes, it gets a clear picture of which areas of the business require the most attention from a risk management perspective.
At the end of Step 3, you will understand the potential consequences of a significant disruption to a single business unit or multiple points of your company’s operations. You’ll know better how such an event would affect corporate profits, whether the company is prepared to meet its ongoing expenses, and how the disruption would affect its market share and, ultimately, share valuation. And you’ll be prepared to intelligently prioritize capital improvements and response efforts, including business continuity management efforts.
Once it has completed a business impact analysis, an organization will have a good grasp on the exposures it truly faces. Decision-makers can be confident that risks have been quantified and that the foundation of their resilience initiative is solid. At this point, they are prepared to take action.
Sometimes the appropriate action is obvious. Consider a very simple example: Suppose an organization’s business model analysis spotlights the critical role its data center plays in revenue production. Its financial analysis shows that a website outage longer than two days might put the company out of business permanently. And the risk analysis shows that all the company’s servers are located in a basement, where they’re vulnerable to a 100-year flood. The obvious solution is to move the servers, either to a higher floor in the building or to a new facility outside the flood zone. And for the time before the data center can be moved, the company should deploy equipment to hold water back, create a flood emergency response plan, create a business continuity plan to move data center functions to an alternative location, and then practice executing these plans.
It’s worth noting that one of the easiest ways for any organization to improve its resilience is by boosting fire protection capabilities. The average fire loss that FM Global clients experience in locations that have sprinklers installed is around one-sixth the size of the average fire loss in locations that don’t have sprinklers—US$600,000 per fire with sprinklers, vs. $3.4 million per fire without.
Another example of building resilience involves one of our clients in the food industry. Executives at this company were concerned that a hurricane might affect their processing operations on the coast of Florida. They determined that the company might lose $75 million to $100 million of product if a power loss occurred. To mitigate this risk, they secured the sections of their buildings that were most vulnerable to high winds, and they purchased backup generators at a modest cost. When the company’s facilities took a direct hit during two of the four devastating hurricanes that struck Florida in 2004, the company sustained only superficial damage and continued to operate.
It’s not always easy to determine where to invest in resilience, so each company needs to evaluate the costs of risk mitigation in light of the information the BIA uncovers about outstanding risks and the severity of those risks’ expected business impact.
Extending the BIA Throughout the Supply Chain
To ensure that you understand exposures throughout the supply chain, consider conducting a separate business impact analysis for each key supplier that poses a serious threat to your company’s resilience. Have a team visit key supplier locations to identify which of the supplier’s processes are critical to your business and to assess the resiliency of those processes.
This may seem easier said than done. Given the scope and complexity of supply chains at most multinational organizations, the key issues in undertaking a supply-chain impact analysis are how to get started and how to build the capability over time.
The first thing to do is define your company’s most critical product lines, as determined by their effect on revenue and profit, and their strategic importance. Then, for each of the product lines you’ve identified, map the production and service process. Identify the key suppliers serving that product line, and define their roles in the supply chain. Also identify any logistical providers that pose significant risk. This exercise will enable you to assign revenue streams, or variable margins, to key suppliers and providers, establishing a basis for quantifying the true exposure that each external organization poses.
One mistake many organizations make is to base prioritization of critical suppliers on levels of corporate spending. Instead, suppliers should be prioritized on the basis of their support of the profitability of the enterprise, as well as whether they represent a sole source—in other words, whether they are the only possible provider of a component that is necessary to the end product. Note that some suppliers may be critical even if other companies manufacture the same component; it depends on whether alternative suppliers would be able to rapidly increase production capacity to accommodate a short-term need.
Some companies mandate extensive surveys, undertaken periodically, to get a handle on the operations and financial viability of their most critical suppliers. What is essential is getting answers to these questions:
- What are your exposures with regard to natural disasters, fire, and other risk factors?
- What is the quality of your construction?
- What operations taking place in your facility pose risks?
- What are you doing to mitigate those risks?
Businesses that are expanding or moving operations, or that are building a new supply chain, should also pay attention to geographic differences in risk management and mitigation. Businesses are more resilient when they’re located in a geographic region with a strong economy, a stable government with integrity, moderate oil consumption, sound local infrastructure, protection from (or low incidence of) natural hazards, strong fire risk management, and reliable suppliers.
FM Global annually aggregates hard data from nearly 130 regions of the world, ranking businesses’ resilience to supply chain disruption. This Resilience Index is online and interactive, allowing finance and risk managers to parse out individual risk drivers, such as corruption, or compare two countries head-to-head.
Tips for Resilience Success
When done right, a business impact analysis gives finance and operations managers the information they need to make well-informed decisions that build organizational resilience. But doing a BIA right can be a big undertaking. To prepare for success, make sure to:
Choose your team wisely. As noted earlier, you’ll need a strong cross-functional team with engineering and finance expertise, but you don’t want to break the bank in the name of protecting your business. Keep it lean, but not understaffed. FM Global clients often find it makes sense to use our loss prevention engineers in conjunction with our client service team and our business risk consultants for a BIA. They’ve already gathered a fair amount of the data in the underwriting process and loss prevention visits, and they’re skilled in such efforts. If you don’t have the internal staff, you may have similarly well-positioned partners.
Be candid. A BIA team is not an audit team. They’re completely on the side of corporate management. Give them full access to facilities, people, and books, and make it clear that management should welcome the BIA team. No one benefits from secrecy in this process.
Establish momentum and maintain it. Rather than conducting one massive BIA for an entire multinational organization, which could take months or even years, break it up into smaller parts. It’s helpful if each discrete project can be completed in a two- to three-month time period for a division, major product line, or group of locations. Then plan subsequent projects to keep the effort moving forward, expanding teams if possible to cover more ground. In this way, the organization can experience rapid and clear progress, bolstering support for these efforts.
Have a clearly defined process. Start out with a kickoff meeting where you set a strategy, timetable, and list of anticipated deliverables. Next, schedule visits and interviews of key management and operations staffers, possibly also distributing questionnaires. Then perform the thorough analysis of all the data. Draft a final report and send it out for comment and fact-checking. Finally, implement the BIA’s recommendations.
Resilience is a critical ingredient of a sound business model. It not only enables a company to endure potentially disruptive circumstances, but also positions the company’s management to capitalize on opportunities presented when competitors fail to do the hard work. An organization that can demonstrate its resilience to clients and shareholders gains an advantage over organizations that can’t. That’s why every organization needs to take action to become resilient.
Managers should take a hard look at their organization. They should explore what makes the business work and identify what could disrupt it, detailing worst-case scenarios and calculating the costs of those scenarios. Then they need to explore alternatives for mitigating the risks and prioritize an action plan.
Building resilience is hard work. But it’s hard work that pays off when disaster strikes, as the company may find that avenues open up leading to new revenue, market share, shareholder value, and a winning reputation.
Jonathan W. Hall is chief operating officer for FM Global, one of the world’s largest commercial and industrial property insurers.