Managing risk and exposure in today’s world

Managing risk and exposure in today’s world
For decades, insurance brokers, insurers, reinsurers, and risk management consultants have advised organisations on their exposure to the risk of business interruption. And in light of the impact of the Covid-19 pandemic on business around the world, how this type of risk exposure is managed going forwards needs to evolve.
It is often said that humans, and the organisations, businesses and institutions they lead, mostly learn from making mistakes. A case in point is the global financial (mortgage) crisis of 2008 when many businesses not only suffered from significant economic losses due to the interruption of their businesses, but also saw their capacity for resilience reduced. This lesson was however apparently forgotten too quickly.

Operational interruption is a very generic term and refers to any interruption of a process that causes the interruption of an operation. However, not every operational interruption automatically generates a business interruption. So, what is the difference between business interruption and just disruption?
According to the international standards body, the ISO1 . disruption is defined as an "event, whether anticipated or unanticipated, that causes an unplanned, negative deviation from the expected delivery of products or services according to an organisation’s objectives”. So, for an operational interruption to be a business interruption, the operational interruption must additionally generate a negative deviation (reduction) of the expected delivery of an organisation’s products and/or services. This reduction should exceed any planned delivery tolerance levels within the operation’s business model. because a business interruption event may not always result in any operational interruption of internal processes.

To assess if an operational interruption will generate a business interruption an organisation should undertake a Business Impact Analysis (BIA). This can identify which products and/or services would be most impacted from a decrease in delivery to customers and/or beneficiaries and would have the potential to negatively impact the organisation’s objectives. The BIA entails identifying the specific and essential processes that are directly related to production and are critical to its operations. Once the BIA is completed, a business can be clear as to which of its processes are critical, and what operational interruption across all its critical processes has the potential to result in a business interruption loss.

Many larger organisations use a Business Continuity Management System to help them manage business interruption events. Business continuity is defined as "the capability of an organisation to continue the delivery of products or services at acceptable predefined levels following a disruption”.
For business continuity to be of benefit and to provide a reasonable guarantee of protecting the delivery of products and or services, it must be embedded within an organisation’s culture and the concept fully embraced during its development, implementation, and operation. Business Continuity Management itself is defined3 . as a "holistic management process that identifies potential threats to an organisation and the impact those threats, if realised, can cause on business operations, and provides a framework for building organisational resilience with the capability of an effective response that safeguards the interests of key interested parties, reputation, brand and value-creating activities”.
A well-structured Business Continuity Management System should have the following components:
 a. A policy. 
b. People with defined responsibilities. 
c. Management processes relating to 1) policy; 2) planning; 3) implementation and operation; 4) performance assessment; 5) management review and 6) improvement. 
d. Documentation providing auditable evidence; and e. Any business continuity management processes relevant to the organization.

To manage business interruption risks, organisations should establish, implement, and continuously maintain a formal and documented process of business continuity risk management. This systematic approach enables a business to analyse, evaluate, treat, and monitor all the business interruption risks and exposures it could face. Crucially business continuity risk management should not be undertaken in isolation but should fit within the framework of the organisation’s Enterprise Risk Management (ERM) programme. Some of the business continuity risks identified within the framework will require action to a) reduce the probability of interruption events occurring; b) reduce the period of interruption and c) to limit the impact of any interruption on critical products and services. Any action taken will however need to fit with the organisation’s overall risk tolerance and risk appetite.

BUSINESS CONTINUITY PLAN (BCP) The most popular way of addressing business continuity risks is through the development of Business Continuity Plans (BCP’s) defined 5 as "documented procedures that guide an organisation to respond, recover, resume and restore itself to a pre-defined level of operation following a disruption (typically this covers resources, services and activities required to ensure the continuity of critical business functions).
There are however many different types of BCP’s covering a broad spectrum of risks from people, processes, technology through to corporate governance. Solutions can range from the use of mirror Datacentres to reduce downtime associated with technology platform issues, through to l personnel succession plans for key staff and roles.
CONCLUSION There is no doubt that as organisations’ mature they have more insight into the strategic, tactical, and operational importance of business continuity management. And in an increasingly complex and global world, with technology advancing at exponential speed, with supply chains with matrix components and customers anywhere in the world, the need for an efficient and reliable business continuity management approach is as high as ever. With the development of increasingly complex business architectures the role of risk management and business continuity professionals has never been so important. 

Alessandro De Felice is Chief Risk Officer of Prysmian S.p.A, responsible for implementing risk reporting to the Chief Executive Officer and the Board of Directors, assessing the risk appetite and the risk culture throughout the organization, supervising risk analysis activities, guaranteeing and verifying the adequacy of the applied methodologies and the operational effectiveness of the ERM model. He previously worked in the Pirelli Group Risk Management structure, and in insurance brokerage in Marsh and Sedgwick. He is President of ANRA (Italian Risk and Insurance Managers Association), and he has been Vice President of FERMA. and General Secretary of IFRIMA (International Federation of Risk Management Associations).

Jorge Luzzi, CEO of RCG and Executive Director at HighDome, began his career in the insurance market with Marsh, and Risk Management with Ciba Geigy. In 1988 he joined Pirelli and, in 2005, became the group Global Risk Management Director, staying until 2013. Jorge Luzzi’s track record shows a sustained contribution toward the development of new skills in Risk Management, as skill development is key to grow the profession at a global scale. His involvement with sectorial associations began in Brazil, where he led the Brazilian and South-American Risk Management Associations. He also presided over IFRIMA — International Federation of Risk and Insurance Management Associations; and, between October 2011 and October 2013, FERMA — Federation of European Risk Management Associations. Jorge Luzzi holds a degree in Administration from the University of Belgrano, a BA from ECEA, a postgraduate diploma from Saint Gallen and is a fellow at the National Academy for Insurance and Welfare in Brazil. He completed specialization courses at Mapfre and the Milan Polytechnic. He is chairman of Apogeris, the Portuguese Association of Risk Management.

Discover MDS World