Top five business continuity risks for 2014: is extreme part of your thinking?

At the beginning of 2013, ContinuitySA warned that business risks were becoming more complex and intertwined, and so much harder to predict and plan for. But this year, they are also becoming more extreme.

"As the world becomes more interconnected, issues faced in other parts of the globe can create risks here in South Africa. For example, the unprecedented cold weather in the United States and severe storms in the United Kingdom should be prompting businesses to start thinking about the extreme nature of the risks they face," says Michael Davies, CEO of ContinuitySA.

"The global business environment has created a web of interdependencies so that any untoward event has a set of knock-on effects. Directors and executive management, who have a duty to ensure the company is able to stay in business, must have a comprehensive business continuity plan in place."

Davies and his team have identified five current categories of risk for 2014 that should be featuring in business continuity planning:

1. IT and data risk is growing. IT is strategic and, to a greater or lesser degree, every business is a digital business. However, a key risk is that internal IT departments are failing to keep pace with changing needs, in turn prompting massive use of private mobile devices to access corporate systems and the unplanned use of cloud-based services like Dropbox. Another related IT risk is "server sprawl", creating complex environments that are difficult and expensive to manage, and hard to recover in the event of a disaster.

"The information on a company's systems is increasingly valuable as advances in analytics make it more useful - its loss now represents a considerable risk," Davies observes. "A lot of this data is client-sensitive and so is protected by law."

In parallel, cyber crime appears to be on upward trend, with cyber criminals threatening precious (and often legally protected) data. Denial-of-service attacks can also cause systems to collapse, creating another business continuity risk. While estimates of cyber crime prevalence vary dramatically, it's clear that it is both significant and under-reported.

2. The macroeconomic climate remains problematic. Slow and inconsistent global recovery and a volatile currency are obvious risks that most businesses consider, but often from a purely financial perspective. "But the impacts on your business's viability may be much more subtle; for example, decreased economic activity could reduce tax receipts and so construction of infrastructure on which your business depends," Davies points out.

3. Long supply chains expose companies to a wider range of risk. Locally, Gauteng e-tolling has emerged as a proxy for political dissatisfaction (and a rare unifying issue) for both the middle and working classes. It's possible that continued protests could disrupt supply chains, and will certainly raise costs in the short term.

"Looking more broadly, I think the combination of ever longer supply chains and the just-in-time mentality is creating a huge risk that many businesses do not properly factor into their business continuity planning," Davies says. "The strike by component manufacturers in our local automotive industry is one good example, but think of the effect of extreme weather on manufacturers in Japan and Thailand in past years, which all but crippled international car and electronics supply chains. A comprehensive business continuity management plan for the entire supply chain is now mandatory."

4. Environmental degradation and climate change are too easy to ignore. Aside from the obvious macro risks of violent climactic events and a compromised environment, South African business needs to pay particular attention to water. Our water resources are limited and yet are becoming ever more polluted. Acid mine drainage is, if the scientists are to be believed, a ticking time bomb, although, as is so often the case, experts seem prone to getting the timing of natural processes wrong.

5. Societal risks are escalating in scale and seriousness. As 2014 is an election year, political risk has to feature on business continuity plans. Electioneering raises the stakes and could make industrial action even more bitter, while marches that get out of hand could disrupt operations.South Africa is not the only country with forthcoming elections, and organisations should consider in which countries their products and services are being delivered and from where their supplies come. Generally, too, international political developments could derail the slow economic recovery; Iran and North Korea are only two of many countries that could spark a new crisis.

Following on from the attack on Westgate Mall in Nairobi, extremist violence must be a consideration particularly for companies with pan-African operations.

Another key societal risk to business continuity is the "new normal" of violent and protracted strike action. This unwelcome state of affairs is part of a widespread dynamic of social discontent and instability. Violent and disruptive service delivery protests are one example, but so are growing rates of alcohol and drug abuse, not to forget anxiety and depression. All of these factors have an impact on absenteeism and productivity.

All of these five categories of risk carry the subsidiary, but highly dangerous, risk of reputational damage. Warren Buffet has rightly said: "It takes 20 years to build a reputation and only five minutes to destroy it" - and an unmitigated disaster is one way to achieve that destruction.

In conclusion, Davies warns that business continuity - the process for identifying and mitigating these and other risks, remains widely misunderstood. Too many businesses continue to imagine that if they have a plan in place for IT disaster recovery, their business continuity is assured.

"Strategic as it is, IT isn't the whole business. Business continuity planning and management must cover all the risks the business faces and put in place contingency plans to keep the entire enterprise operating," says Davies. "The call centre and work-area recovery requirements for a business need to be considered, and the company must understand the risks its supply chain faces. One's business is now dependent on entities outside of the corporation: is each of them adequately protected?"