Companies don’t have adequate mitigation plans for natural catastrophes: survey

While companies recognize potential risks posed by natural catastrophes, many have insufficient mitigation plans in place, according to global survey results from Zurich Insurance Group.

There is a widespread perception that natural catastrophes are becoming not only more frequent, but more severe. Companies are assigning adequate importance to assessing and mitigating the associated risks, the research confirmed.

The study, Natural catastrophes: business risks and preparedness, which polled 170 executives from medium and large companies around the world, was conducted in January by the Economist Intelligence Unit and sponsored by Zurich.

While business disruption from a natural catastrophe would encompass multiple aspects of the enterprise, the most severe threat would be to continuity of IT support, business-critical function, and supply-chain logistics, survey respondents said.

Combining the top two most severe ratings on a scale of five puts continuity of IT support as the most severe disruption (46%), followed by a business-critical functions and supply-chain logistics (both 44%), according to Zurich.

Generally outside of an organization’s immediate control and often affecting a variety of critical infrastructure, supply chain logistics are difficult to address in the face of a natural catastrophe. This reinforces the need for preparation and a full understanding of exposures.

There is significant room for improvement in planning and continuity endeavours, the research shows. This rings true for business-critical functions, but is a serious concern for IT functions in particular, according to Zurich.

“Although most companies surveyed have taken some steps to mitigate associated threats to IT systems, the adoption of systemic integrated approaches to risk management is surprisingly low,” Zurich notes. “The findings suggest that while businesses are aware of the challenges they face, most have not yet developed a holistic approach to protect themselves from these risks.”

There is a hopeful finding, in that security of sensitive data is associated with a lower perceived risk of disruption, which might be a sign that companies are taking steps to protect their core IT assets.

Less than half (45%) of those surveyed use some form of scenario analysis to assess the risk of natural catastrophe, while another 16% use third-party risk assessments. However, 27% do not systematically assess business risks related to natural catastrophes, and nearly half of those who do not use scenario analysis do not systemically assess risks of natural catastrophes at all, the research shows.

“This means that many companies are unprepared for natural disasters despite being aware of their severity,” Zurich notes. Based on the results of the survey, inadequate budgets and a lack of technical risk-management skills seem to the main hurdles.

When it comes to mitigating IT risks related to natural catastrophes, 19% of companies have not adopted any strategy. Roughly one-third of those surveyed said their company has adopted at least one of three purely hardware-oriented strategies for mitigating threats to IT systems in the event of a natural disaster. These include locating IT infrastructure away from high-risk regions, hardening IT infrastructure against physical disruption and adopting early-warning tools for back-up or fail-over systems, Zurich reports.

Only 5% of businesses are employing the full array of robust risk-mitigation tools available to them, with only 31% of companies transferring risk through insurance, frequently to bolster their own enterprise risk management (ERM) endeavours.

While a full integration of risk management across the enterprise hasn’t been achieved, the survey shows that progress, while slow, has been made in recognizing risks from natural catastrophes. Nearly one-quarter (24%) of respondents note that failure to incorporate the full range of risks into the business continuity plan is the biggest weakness in the strategy for managing IT risks from natural catastrophes, with 22% citing lack of clear ownership of the organizational risk management functions.

Considerably more effort will be required before the risks of natural catastrophes are adequately controlled. Nearly 80% of those surveyed say their organization has adopted at least one hardware-oriented and at least one employee-oriented IT risk-management strategy related to natural catastrophes, with 60% say that these initiatives have been largely successful, shows that important progress has been achieved in the area of IT risk-mitigation strategies.

“Yet efforts to address the interconnectivity of risk clusters through integrated risk management remain incomplete, as only a minority of business has developed a comprehensive risk profile for senior management,” Zurich points out.

Many of those surveyed lacked the ability to present a compelling business case for risk management initiatives.

“A lack of resources and technical know-how are the most common reasons for organizational failure to develop and implement more efficient risk-management processes,” Axel P. Lehmann, chief risk officer at Zurich, said.

“But, while in-depth analysis may provide clearer data for decision-makers, it is incumbent on chief executive officers and risk officers to develop appropriate risk strategies to ensure their companies are better prepared.”