As a new or growing business faced with multiple pressures and priorities, maintaining an up-to-date risk register is imperative.
As geo-political issues intensify around the globe, and tensions relating to climate change and the cost-of-living crisis continue to escalate, organisations should be more focused on malicious risks and how they may impact operations.
The consequences of globalisation, coupled with developments in technology, have exposed businesses to a far greater array of malicious risks - whatever their size, wherever they're located. This includes risks relating to political violence, terrorism, civil unrest, and hostile cyber activity, for example.
Incidents in one country or region can have an impact on diverse businesses across the world, even when seemingly unrelated. Equally, we've seen how organisations that operate domestically, even locally, still feel the impact of supply chain interruption, inflationary pressure, and travel disruption; whether it's an increase in energy prices caused by the Russia/Ukraine conflict, or insecurity in African states contributing to disruption in mineral extraction.
Below, we share insights into two areas of malicious risk that have become increasingly relevant to nearly every business.
Cyberattacks
For years, ‘cyber' has been recognised as an area with significant disruptive capabilities. While notable and damaging cyberattacks have occurred in the past, the number and scale of those identified in the last year has increased.
Cyberattacks on infrastructure and commercial entities have become more common. For example, the Port of Los Angeles, Royal Mail and Microsoft have all been targeted. These examples demonstrate how cyber is increasingly being used as a weapon. And we have seen that any business can now be a target, whatever their size or location. Given the rapidly growing cyber threat globally, organisations should be thinking ‘when' and not ‘if' when it comes to a potential cyberattack.
When reviewing cyber risk, organisations are encouraged to think in-depth about the processes, policies and procedures they have in place as well as their relevant insurance policies. The approach should be just as robust as for a physical threat such as an act of terrorism or a fire.
By way of example, if a fire broke out all staff members would be expected to know how to respond, with most organisations having well-rehearsed drills in place. Cybersecurity is no less important, so consider whether employees would know how to recognise and deal with a cyberattack. Organisations should also think about how an attack might impact their clients and partners, and make sure they have a considered communication plan in place. Getting this wrong could have a catastrophic reputational impact.
Activism and civil unrest
Until recently, riots and episodes of civil commotion were seen as rare issues in the UK. These types of events were far more common in unstable regions. Climate change and the cost-of-living crisis have rapidly changed this. Incidents of strikes, riots and civil commotion are now on the increase across the globe.
Even well-established industries in entrenched democracies must be prepared for heavily disruptive civil unrest, which may become more frequent and potentially more extreme. This isn't just a risk for businesses operating in high-risk geographies.
- In the UK, groups like Just Stop Oil, Extinction Rebellion, and Animal Rebellion have halted traffic on bridges and motorways, both in London and across the country. Strikes in the transport sector are also bringing parts of the country to a standstill. This is having a negative effect on a number of sectors, particularly hospitality.
- In the Netherlands, there have been regular demonstrations by livestock farmers against government policies to address the environmental impact of the agricultural sector. Tens of thousands of farmers have blocked highways and railway lines causing enormous disruption to many businesses, including those in the tourism and travel sector.
In this environment, all businesses should take steps to understand the issues and consider how they might be impacted. For instance, while business sites might not be directly affected, they might be in the
vicinity of other businesses that could be. This might then have a knock-on effect on operations - for example, business interruption, a reduction in footfall or loss of attraction. Are there robust plans in place to ensure employees and clients are adequately protected in case of activism or civil unrest?
Supply chains
In an increasingly connected world, organisations should be paying close attention to the risks and vulnerabilities within their own supply chains. Added to this they should also be considering the broad supply chains they themselves are part of and whether these expose them to greater risk of malicious activity.
Looking beyond their own operations allows organisations to understand the broader context and potential longer-term impacts of business interruption. Areas to consider would include:
- Globalisation: The global economy has increasingly led to the concentration of expertise in certain countries. For example, Taiwan is, by some distance, the world's leader in advanced semiconductor production. This means there are more single points of failure for many critical components.
- Complexity: The more moving parts there are in an organisation's supply chain, the more vulnerabilities there are. If one part of a supply chain suffers, it all suffers.
- Lean operations: Growing businesses generally have leaner workforces and often choose to outsource expertise, which can have an impact on crisis and risk planning and therefore overall business resilience should malicious incident occur.
Some of the steps businesses can take to mitigate these risks include conducting due diligence throughout their supply chains, remembering to pay particular attention to cyber resilience of critical partners or suppliers. It's important to identify single-source materials in the supply chain that could be a vulnerability, then establish alternative procurement and sourcing routes where possible. The more layers of resilience, the better.
Interdependent risks
In this environment of growing and changing risk, all businesses should make continuity management a priority and plan for scenarios they may not have previously considered. Better understanding of the complex web of malicious risks is crucial to understanding how you could be affected, to ensure that you can identify the most effective mitigation measures to put in place and protect the future of your business.
Alex Theodosiou is a Senior Associate at CHC Global, a team of strategic malicious risk advisors helping to protect people, assets, and operations from the impact and consequences of hostile actions. Alex is the co-author of The Annual Malicious Risk Report