Business leaders need to plan against cascading risks
Imagine you’re a scaling startup or an early-stage technology company serving a growing but highly vulnerable industry, such as supply chain. You’ve doubled your team with outsourced talent to better maximize costs and reach a global market. You’ve invested in proper office space and grown your customer base exponentially.
Halfway through the year, you find out from a news network that a large container ship is stuck at a major port. You haven’t had time to notify your customers, and you're not sure how this impacts them—but now, they are calling their account representatives with questions.
Over the weekend, a flood occurs unexpectedly just around the corner from your new office space. You scramble to figure out how to activate mitigation plans and notify employees.
The next week, you find out there's a power outage in a neighborhood in Hyderabad, India, that affects your developers—just as a major product is scheduled to launch.
Welcome to a world where dynamic risk is expected daily. Floods, power outages, and supply-chain disruptions happen all the time. Today, however, they are more prevalent, severe, and interconnected than ever before. Previous assumptions of stability just don’t hold true anymore.
In 2022 alone, we have experienced broad global political instability—cascading effects from Russia’s invasion of Ukraine, surging inflation (with an impending recession) and record-high temperatures.
How does the new normal affect your business? What are the outliers? Many organizations think they have a mitigation or continuity plan for risks such as these, but in fact they only have a plan for the risks they expect—not the ones they don’t expect. The most significant disasters are those that we are not prepared for—those that have an impact outside of our control.
Planning for the unexpected
Increasing risks and global volatility have a significant and unexpected impact on customers, employees, assets, supply chains and, as a result, a company’s top and bottom lines. For a company navigating an extremely volatile market, it is important to understand that risk is dynamic.
Businesses must reshape their understanding of operational risk. Risks aren’t limited to the crises that make major news headlines. They can also result from hyper-local physical threats that tend to fly under the radar—yet result in major disaster for a company that isn’t prepared. For instance, putting the attention on all of the possible outcomes of a major storm instead of on merely the direct damage that event may bring will help companies better develop safety and security processes that are proactive rather than reactive.
It is impossible to expect the unexpected, but organizations can take simple steps to anticipate, prepare, and mitigate the outcome from dynamic threats.
Make managing risk a strategic imperative
Most business leaders wear multiple hats and have an unending list of mini-crises to handle daily, particularly those who are operating in or serving customers in the physical world. This makes it more difficult to take a holistic look at the end-to-end operations of the company. As a result, many companies are left unprepared; they lack a true understanding about what types of risks pose the greatest threat to their people, places, and property.
The biggest risks aren’t always large-scale disasters in and of themselves, such as pandemics. Rather, they can be the subsequent risks that result from those disasters, such as what we’re seeing since the pandemic started: the Great Resignation, a labor shortage, supply-chain disruption, and incessant cyber threats. These risks were not a direct result of the COVID-19 spread, but rather ripple effects of the pandemic.
For example: A major airline based in Atlanta experienced an unexpected labor shortage when a tornado hit a nearby town. While the company prepared for how the tornado would directly impact its office locations, terminals, and flight schedules, it was completely unprepared for the indirect impact the storms would have on the local labor pool—in particular, flight attendants. Many team members lived in the nearby town and were unable to report to work for almost a week because of power outages, gas-main breaks, and evacuations.
A predetermined contingency plan, built through proper analysis and teamwork, could have prompted a better response to the tornado’s consequences. The airline could have mapped out how many employees lived in the affected town and determined how to manage the potential absence of those employees—while also making a plan to support those affected employees needing help.
Crafting the right plan can help teams manage the ripple effect of major events, no matter how unexpected that event is.
Critical operational-component impact planning
Work backwards, from the consumption point of your or your customers’ services or products to the operational components. Quantify or calibrate the impact of the failure of each of these operational functions to prioritize your response plans. This approach empowers your team to look at all possible implications a physical threat could have on your company’s ability to generate revenue.
Then, develop response plans for your highest-impact operational functions by bringing together cross-department teams—particularly those in security and operations. These stakeholders should be able to answer questions such as:
- What are the different ways this event could impact my people, places, and property?
- Where do we have single-threaded dependencies relative to our customers, employees, data centers and R&D teams?
- What other subsequent risks should we be looking at based on the industries we serve? For example, if we serve customers in agriculture, should we be monitoring how wildfires and heat waves impact that industry?
- Where are we misaligned in how we identify, manage, and respond to risk?
- What are the specific roles each function has in responding to and managing risk?
- What are the shared resilience goals or outcomes our executive team should adopt?
Based on this information, find the topmost pressing risks to your business. Then, run tabletop exercises based on those risks to work through different crisis scenarios and what their outcomes could be—mapping out who needs to be involved, how to respond quickly, and how to mitigate effectively. You should run these exercises regularly enough so that plans, roles, and responsibilities are clear to all involved—helping to build operational resilience in your organization.
Use technology to fortify planning and response
Using data and artificial intelligence can help companies achieve operational resilience. Companies can leverage internal and external data, such as travel routes and the locations of global employees, customers, and assets. This data, combined with information about localized physical threats (e.g., extreme temperatures, floods, tornadoes, port traffic, local crime, chemical spills, power outages) can unlock key proactive insights for any company looking to get ahead of the unexpected for their customers—and ahead of the competition.
When it comes to disruption, predicting enables organizations to plan in advance and mitigate impact. AI improves the speed and accuracy of risk notification and response. This level of advanced visibility can help guide and prepare companies, so they can survive and thrive in the wake of acute and large-scale disasters.
For instance, one of the primary concerns regarding the ongoing conflict in Ukraine is the threat of cyber-attacks from Russia or pro-Russia hacker groups. Such attacks can not only compromise an organization's physical security but can also send ripple effects through its entire operation.
Leveraging data from how past cyber-attacks, such as the Colonial Pipeline hack and JBS meat-production hack, were managed shows the extent to which these attacks can impact not only a single organization but also national supply chains. More importantly, this data can reveal markers or key indicators that companies can incorporate into their risk intelligence plans. Using AI to run scenarios against this historical data can converge your physical-security and cybersecurity risk and resilience capabilities. Investing in data and AI to predict how specific risks can impact your operations gives you the necessary information to develop a proactive, tailored plan to address your vulnerabilities.
Operational resilience is a measure of the ability to absorb, recover from, and adapt to business disruption—and to continue operations despite the risks standing in the way. Without question, organizations can’t afford to overlook the impact threats have on their operations. Understanding the dynamic nature and ripple effects of risks, planning ahead, and leveraging data and AI can help ensure that an organization thrives in a competitive and highly volatile economy.