In a time of global uncertainty, businesses large and small are well advised to build a framework that will enable them to continue to operate — and perhaps eventually flourish again — no matter what threats may come.

CNA’s Strategic Business Resilience Report outlines the risk landscape in 2022 and offers some suggestions for how businesses can better respond to threats that could disrupt or even end their ability to operate.

Tom Nappo, CNA’s vice president of property and marine risk control, said that when the first report was issued last year, the company didn’t think it would do another for 2022.

“It was something we thought would be a one-off product, but when we looked at the state of the world right now and how much has changed, we said it is something we want to do on an annual basis,” he said.

Even in the short span of 12 months, the sorts and levels of risk in various risk areas have changed.

“I think inflation wasn’t really as big of an issue at that point [when the first report was issued in 2021],” he said. “That really started to take off at the end of year and has expanded globally.”

The report notes that inflation reached 9.1% in June 2022 in the U.S., a level not seen in more than 40 years.

“While the impact of inflation will vary depending on the business and industry, few, if any, will emerge unscathed,” the report reads. “There is clear evidence that consumer behaviors are changing because of inflation, and the rising costs will force businesses to make difficult decisions to manage the impact on their revenue and profitability.”

In addition to inflation, the reports lists seven other prominent threats to businesses in 2022:

Conflict and Geopolitical Instability: The war in Ukraine contributed to inflation, particularly with respect to fuel prices. It also had a negative impact on the global supply chain.

Technological Advances: New technologies — such as the internet of things (IoT), autonomous vehicles, 3D printing, nanotechnology, biotechnology, materials science, energy storage and quantum computing — continue to transform businesses. These advances also spawn new vulnerabilities and make businesses more prone to cyberattacks.

Cybersecurity: The cybersecurity area changes quickly as bad actors continually come up with new ways to attack and exploit unsuspecting businesses.

Environmental, Social and Governance Expectations (ESG): Investor, customer and workforce interests continue to grow and favor companies that provide information on how they are managing risk and developing business strategies to address ESG issues.

Supply Chain Challenges: The supply chain issues that began in the early months of the COVID-19 pandemic continue, and new stressors, such as rising fuel prices, continue to heighten the cost of doing business.

Climate Change: The impact of climate change is a growing risk for businesses in various regions across the globe. The dollar value of economic loss associated with all disasters geophysical, climate- and weather-related has averaged approximately $170 billion per year over the past decade, with peaks in 2011 and 2017, when losses soared to over $300 billion.

Systemic Workforce Change: The U.S. Chamber of Commerce reports that, as of May 2022, 4.4 million U.S. citizens quit their jobs for more free time or better opportunities. Human resources departments are reviewing and, in some cases, altering employee benefits to better retain and recruit employees.

With so many risks, Nappo says, businesses need to be proactive about how any one of these hazards (or others not listed) might impact them.

Tom Nappo, vice president of property and marine risk control, CNA

“When it comes to resilience, when it comes to assessing risk, one of the things you have to be careful about is having a failure of imagination,” he says. “There are certainly things that happen where you say, ‘Well, I didn’t see that one coming,’ but I think, for the most part, you have to stay current with what is happening in the world, certainly, and you have to think about how it impacts you as a business and about all the different ways it could.”

The report recommends establishing a resilience framework that includes these components:

Risk Management: This function typically considers current and emerging risks, and works with various business functions to put loss mitigation plans in place.

Incident Management: This function is responsible for implementing strategies and plans at each site where the organization operates to reduce the impact of loss.

Business Continuity Management: This function develops strategies and plans to ensure business recovery teams have the resources to continue critical processes that were interrupted.

To that end, a resilience plan should do the following:

Define a Resilience Program: Develop clear and concise business resilience policies that describe an auditable structure. These policies should cover such items as updates, exercises and training, as well as the leadership roles for implementation across the organization.

Establish Resilience Response Teams: Put in place the policies, procedures and resources needed to implement the resilience framework for each organization. Two structures crucial to minimizing impact and loss across the operational footprint are a response structure and a recover and restart structure.

How well companies have developed a resilience framework often depends on the size of the company.

“Larger companies, because of their scale, have the ability to have individuals — or multiple individuals or sometimes dozens of individuals — support these functions and concepts,” Nappo said.

Even without such resources, he added, companies of any size that develop resiliency plans are in a better position to meet challenges.

“You have to manage those things [disruptions] when they happen,” he said. “You have to have a plan in place so you can get ahead of it.”

Businesses of any size can anticipate business disruptions and develop a plan to address them.

“Tabletop exercises working through these things is so incredibly important,” Nappo said. “It is important because there is learning, there is always learning. I have never been in an exercise where there hasn’t been several ‘Aha!’ moments [of people saying] ‘Oh, we hadn’t thought of that.’”

The report also outlines insurance coverages for businesses:

Property: Companies that are protecting property and equipment need to be mindful of the true replacement cost of these items when a disaster strikes.

Business Interruption: Some of the elements that may be covered include business income, ordinary payroll expenses and equipment breakdown. Annual review and updates are recommended to ensure coverage levels remain adequate. Fast-growing businesses may need to review exposures and coverage levels more frequently.

The report labels the highest level of business resiliency as “optimal,” which means that a “resilience mindset drives business strategy and sustained response capabilities.”

Since the pandemic struck in 2020, Nappo said, more businesses are aware of the need to have crisis response plans in place.

“I think a lot of companies, pre-pandemic, were a little hesitant to put in the initial work, because it is a lot of work and it takes time to build those plans,” he said. “But I think the pandemic really was a sort of line in the sand when it comes to these kinds of plans. Many more companies now are paying attention to this because they saw the unbelievable impact the pandemic had on their businesses in so many different ways and how they really need to prepare.”

Even after an incident occurs, businesses can learn to be better prepared next time.

“We recommend that people do after-action reviews,” he said. “That term comes from the military. It is a great way to look at that incident and look at everything that happened and say, ‘What did we do well?’ and ‘What didn’t go well? What can we learn? What can we do next time to prepare for or reduce the impact of that incident even further?’”

Nappo said the C-suite and executive leadership set the tone for creating a resilient culture within a business, but everyone plays a role.

“They can drive a resilient culture,” he said, “but a lot of the work that gets done, a lot of the risk reduction, is done in the field, factories or offices.” &