Any risk manager worth their salt should have a firm grip on the risks that could result in a business interruption (BI) event, though assessing exposures is arguably getting harder.

Cyber risks now pervade almost every aspect of business, supply chains are global, and there is continued pressure to operate as leanly and efficiently as possible, meaning limited budget for redundancies.

Add in the increasing unpredictability of adverse weather and political trade risks bubbling under the surface, and the task of identifying, quantifying and mitigating BI risk becomes even more complex.

BI is a major risk factor for businesses, with a severe disruption event able to significantly damage revenues, stock prices, customer retention and growth.

According to the Business Continuity Institute’s (BCI) Business Continuity and Resilience Report 2018, the average cost of a severe business interruption was $350,000 last year — no small sum — and more than a quarter of its 500+ respondents suffered a loss of more than $250,000.

Otto Kocsis, principal of business interruption & resilience, Zurich

While less frequent than property damage losses, BI claims are usually more expensive. “BI is not often at the forefront of discussions but causes a lot of pain,” said Otto Kocsis, Zurich’s principal of business interruption & resilience.

“The key question organizations must answer is ‘how much of my business is at stake if a supplier or location goes down?’ But understanding the complexity of the supply chain is still the big challenge.”

BCI’s Supply Chain Resilience Report 2018 found that 56 percent of businesses experienced a supply chain disruption in the past 12 months. Some major companies with global supply chains have contingent BI exposures running into hundreds of millions of dollars.

Nearly half of 2018’s reported losses were totally uninsured. Of those who were not fully insured, 19 percent were happy to take the loss but more than half (52 percent) did not know why they were not covered.

Hidden Risk Factors

Cyber risks continue to grow and complicate supply chain risk assessment. According to BCI, unplanned IT or telecoms outages were the most common cause of disruption in 2018, with cyber attacks and data breaches third most common behind adverse weather. Respondents also considered IT outages and cyber attacks the top supply chain threat, both for the coming year and for the next five years.

Ken Katz, Travelers’ national property risk control director, added that intellectual property (IP) is an increasingly important business interruption risk. “If IP is lost and obtained by a competitor, that is a threat to business too.”

He advised companies to consider building legal non-disclosure agreements into contracts and to ensure they fully understand who in their supply chains has access to sensitive information and what processes they have in place to ensure its security.

It is important to note, however, that unless physical damage occurs as a result of a cyber attack, cyber incidents are not covered under typical BI policies.

According to Duncan Ellis, Marsh’s U.S. property practice leader, the number of insurers including ‘computer systems non-physical damage’ or ‘data programs and software’ as sublimits within their property policies grew in 2017 and 2018.

However, the industry had a “change of heart” late in 2018 and many insurers reduced limits and introduced applicable aggregates, waiting periods and deductibles in alignment with standalone cyber policies, he explained.

Ellis strongly urged companies whose supply chains are exposed to cyber risk to buy standalone cyber cover — and to ensure that the cyber policy explicitly covers contingent BI to include suppliers and recipients beyond the first tier in the supply chain.

Adverse weather is another increasing BI concern — and was the second biggest cause of supply chain disruption in 2018, according to BCI. Companies consider extreme weather an increasing threat over the long term, ranking it the fourth biggest future threat in the next 12 months but third over the next five years.

Whether this is having a meaningful impact on individual companies’ insurance coverage or premiums is up for debate, however, with Ellis saying he has yet to see weather concerns affecting policies.

“People know a hurricane causes wind and flood damage, but there is less thought about the effect on telecoms or the inability of people to get to places in the aftermath.” — Ken Katz, national property risk control director, Travelers

“The cascading impacts of some risks are still often misunderstood,” added Katz. “People know a hurricane causes wind and flood damage, but there is less thought about the effect on telecoms or the inability of people to get to places in the aftermath, which also can affect businesses.”

Meanwhile, despite the resurgence of protectionism across the globe, supply chains remain global, making overseas political risk a constant threat. And with uncertainty still shrouding the U.S. trade relationship with China, many U.S. sectors could face supply chain disruption if there is a sudden shift in that dynamic.

Standalone political risk and trade credit policies cover specific scenarios in which assets or monies owed are withheld from the insured, though there is no coverage against disruption stemming from a general breakdown in international relations or trade deals.

“There are supply chain policies in the market that would cover a company if an overseas supplier went bankrupt or was prohibited from shipping its goods. But as useful as we think supply chain insurance is, it has not really caught on. I know of very few clients that have actually bought it,” noted Ellis.

Supply Chain Assessment

Ultimately, tackling each of these BI risks requires a deep understanding of supply chains — not just the risks facing direct suppliers and recipients but those in second, third and subsequent tiers.

“You can’t be complacent and assume your suppliers have got everything under control,” said Katz. “You have to build relationships to find out what you can about your suppliers, and even their suppliers if they are providing a mission-critical product or service.”

Valuable information can include a supplier’s reliance on single source suppliers, direct and indirect exposure to adverse weather and what business continuity plans they have in place.

“Scratch deeper and find out where you fit into their business continuity plans. If they are reduced to 50 percent output, for example, will they supply you or prioritize another of their clients first?” Katz added.

Most respondents to BCI’s supply chain survey said they ask new and existing suppliers about their business continuity arrangements, and almost half of respondents said more than 60 percent of their suppliers have arrangements in place to deal with disruptions.

However, many gaps remain, and getting suppliers or recipients to reveal their risk management due diligence, cyber security measures or pinch points in their own supply chains is no easy task.

Duncan Ellis, U.S. property practice leader, Marsh

“Most companies still don’t examine their exposure down to the second or third levels of their supply chains, and many insurers understandably seek to avoid writing these risks,” said Ellis.

This does not mean contingent BI risks cannot be adequately covered, though. Carriers that do use the word ‘direct’ or ‘primary’ to limit coverage are willing to write coverage/sublimits on suppliers deeper in the chain if the insured provides sufficient information on those companies, he explained.

Insurers often offer $25 to $50 million of CBI cover embedded in their property all risk forms, but if a client wants a higher limit, the onus is on the client to provide the insurer with more detail on the specific suppliers it wants covered and the justification for such limits — such as them being a single source supplier, for example.

“The insurer will then check internally whether it is already writing these risks directly to avoid being too exposed in the aggregate as well as if it is necessary to conduct basic underwriting assessments on those facilities,” Ellis explained.

But according to Kocsis, there is still a long way to go, even between insureds and their direct insurers, with the BI information shared being often basic and the potential impact of BI on profits or revenues underestimated. He called for the sharing of standardized BI exposure information to become market best practice to improve transparency in risk transfer.

“We do not want to hunt for more data, but for correct data. Loss estimates for both material damage and business interruption elements, as we have them today, but also including a reliable estimate of interdependencies, would be helpful.”

Risk Assessment

In an environment where total visibility appears a pipe dream, it is prudent for risk managers to focus on the essentials, starting with identifying their most mission-critical products, suppliers and recipients, developing business continuity plans and communication strategies, and building in redundancies where possible.

This could include finding alternative suppliers or even alternative methods of production, though in today’s ‘lean manufacturing’ era, fewer companies can justify maintaining spare inventory or alternative locations in case of disruption. “Procurement departments are focused on making production leaner and more efficient – but driving costs down often increases risks,” said Kocsis.

Katz advised companies to consider which products and services have the biggest impact on key performance factors, such as growth potential, revenues and profit margin, and to conduct a business impact analysis to establish the potential fallout from individual supplier failures both in isolation or in combination.

These processes should all be revisited regularly. Kocsis said that with internal and external value chains becoming not just more complex but also more dynamic, even annual audits of risk exposures may be too infrequent: “As a way forward, resilience should not be managed after the supply chain design phase, but simultaneously.”

Tools exist to help companies map a matrix of their supply chain risk. Business standards consultant BSI, for example, offers a dedicated supply chain risk management service including web-based monitoring technology, while modelling powerhouse Verisk offers real-time scenario planning; site-specific evaluation, network optimization modeling and process-impact analysis, plus analytics to help companies assess, monitor and forecast worldwide risks including geopolitical and societal risks.

Insurers and brokers too are busy developing proprietary technology to help them and their clients get a better grip on their exposures.

BCI found that 38 percent of companies use technology such as risk analytics indicators to predict, monitor, record, measure and report on performance-affecting supply chain disruption, automated communication and notification systems, business continuity software and incident management platforms. However, SMEs currently prioritize social media platforms over business continuity software, BCI found.

Kocsis believes business continuity tools should be designed not solely for risk and insurance managers but more holistically, with procurement and the C-suite in mind.

“They are the ones who design the production process and value. To gain a competitive edge, an organization must manage cost, innovation and also risk. Cost and risk need to be read together. But there are currently no tools that demonstrate the link of cost and resilience in a simplistic way and support the organizational change.”

As justifying the expense of external tools is often difficult for risk manager and business continuity teams, collaboration between functions is vital.

“Teams must break through functional and information siloes to work together using a common operating picture of the threats to the organization, and the key assets like people, buildings, IT systems and brand protection, with a unified response team and plan,” commented BCI continuity survey co-author Owen Miles, technical director of enterprise safety solutions provider Everbridge.

With 83 percent of respondents now possessing dedicated business continuity staff, progress is being made. &