The success of a company depends on its ability to identify and successfully manage the risks associated with running its operations. These risks—which can be grouped under the heading operational risk—refer to any type of risk a company faces that is neither financial nor market-related in nature. For example, this category might include risks associated with the supply chain, IT systems or business processes.
In the past few years, business continuity management has emerged as one of the key tools that companies use to manage operational risk. At the same time, the discipline has evolved from one focused on how companies respond to an unforeseen event into one used to increase their preparedness and overall resilience. In this report we look at the areas of operations in which executives say they feel most threatened, explore some of the tools that they use to mitigate these risks, and highlight areas of particular strength and weakness in companies' consideration of operational risk management and business continuity.
Key findings from this research include the following:
Data are the key concern. Our survey of 181 risk executives underlines the importance of information technology (IT) to the smooth running of the organisation. When asked what they considered to be the most important threat in their consideration of operational risk management, 36% selected loss of data and 31% selected systems failure. Human error, another key concern for operational risk managers, was cited by 35% of respondents.
A day is all it takes. Just under half of all respondents—47%—said that they could endure less than a day of downtime from their IT systems before the disruption became serious enough to jeopardise the survival of the entire company. This finding is corroborated by other surveys: according to the US National Archives and Records Administration, 25% of the companies that experienced an IT outage of two to six days went bankrupt immediately.
Commitment to a business-wide approach. There is widespread acknowledgement that operational risk and business continuity issues should not be confined to individual functions or departments. Seventy-six percent of respondents agreed that operational risk should be an issue that involves all business units, and 69% took a similar view about business continuity planning.
Strengths and weaknesses of communication. Respondents are reasonably confident about the processes they use to identify risks and to ensure that the board is made aware of significant problems, with 61% saying that they conduct risk assessment successfully, and 52% giving themselves a similar rating for reporting on key risks to the board. Communication with employees, and with the extended enterprise, tends to be less successful, however. Only 31% of respondents say that they communicate successfully on operational risk issues with employees, and just 19% give themselves a similar rating for their communication with the extended enterprise.
Stakeholders pile on the pressure. Although many companies will doubtless recognise the need for robust business continuity plans for their own benefit, pressure to strengthen planning also comes from a variety of external sources. When questioned about the influence that stakeholders have on decisions about business continuity, 59% cited customers as being a significant source, 58% cited regulators and 50% cited investors.
Putting plans into action. Evidence for the importance of business continuity comes from the variety of incidents that have caused respondents to put their plans into action. A total of 27% said that they had implemented business continuity plans because of a power outage, 23% because of an attack from a virus or worm, and 21% as a result of supply chain disruption.
Reputation is the biggest concern. Failure to put in place robust business continuity plans can have a variety of negative impacts, including loss of revenue and decline in shareholder value. But among respondents questioned for this survey, damage to their reputation is seen as the biggest threat, with 43% of respondents saying that this is their greatest concern.
Small companies lag behind larger peers. Respondents from companies with annual revenue of less than US$500m were much less likely than larger companies to consider themselves successful at specific aspects of operational risk management. For example, just 18% consider themselves to be successful at actively testing business continuity plans, compared with 31% of companies with revenue in excess of US$1bn.