Prepared for uncertainty Businesses that are supple enough to cope with risk will be better placed to counter even the most unexpected threats Cyber incidents, business interruption and climate change were rated among the biggest threats to businesses in 2020. Then the pandemic arrived… In economic terms, business closures have become the defining characteristic of the lockdown. Very few companies would have been able to foresee the scale of disruption. Neels Kornelius, head of risk management at Willis Towers Watson, says that before January 2020, the main risks facing South Africa included governance failures and ill-conceived government policy; economic risks such as high unemployment and lack of electricity; and social risks stemming from high levels of inequality. Newer emerging risks, including cybercrime and real-world impacts of climate change, were also manifesting themselves. However, COVID-19 has dominated the risk landscape in the past few months, he says. Cybercrime in the COVID-19 era shot skywards, with criminals picking holes in the security systems of companies that had to contend with entire workforces operating from home. Hackers bombed Zoom calls in which sensitive information was being shared. The South African government also fell prey to one of these Zoom crashers. The Allianz Risk Barometer 2020 for the first time highlighted cybercrime as the top threat to companies. Based on insights from 2 700 risk experts across the globe, cybercrime was at the top of the list for risk experts in many countries, South Africa among them. Business interruption was rated second, and changes to legislation and regulation was ranked third. It is noteworthy that seven years ago cybercrime ranked only 15th. ‘Cyber risk and climate change are two significant challenges that companies need to watch closely in the new decade,’ says Joachim Müller, CEO of Allianz Global Corporate & Specialty (AGCS). ‘Of course, there are many other damage and disruption scenarios to contend with, but if corporate boards and risk managers fail to address cyber and climate-change risks, this will likely have a critical impact on their companies’ operational performance, financial results and reputation with key stakeholders,’ he says. These digital crimes pose risks beyond financial damages. The Allianz report notes that data breaches have not only increased but have also grown in scale. Add to that the prospect of privacy fines and litigation after the event, and these data breaches can be crippling to companies large and small. A mega data breach – in which more than 1 million records are compromised – now costs on average US$42 million, states the Allianz report. ‘Incidents are becoming more damaging, increasingly targeting large companies with sophisticated attacks and hefty extortion demands. Five years ago, a typical ransomware demand would have been in the tens of thousands of dollars. Now they can be in the millions,’ says Marek Stanislawski, deputy global head of cyber at AGCS. ‘Many incidents are the results of human error and can be mitigated by staff awareness trainings, which are not yet a routine practice across companies,’ he adds. The Institute of Risk Management South Africa (IRMSA) echoes the Barometer’s findings in its 2020 Risk report. This year, the IRMSA highlighted risks that included a lack of unified and ethical leadership; changes in legislation and regulation; failure to develop, attract and retain talent; cybercrime; and disruptive technologies. In the report, IRMSA CEO Gillian le Cordeur writes that ‘risk management should be involved before decisions are made. Once issues become evident, it is already too late’. Of these risks climate change is the most pertinent, says the WEF Global Risk Report 2020, both in terms of its likelihood to increase in severity and the general impact it may have on society and business. In fact, in the section of the report that lists and rates the likelihood of risks to increase in severity, positions 1 to 5 are all occupied by climate change and human-related natural disasters. The WEF ranks data fraud and theft, and cybercrime at 6 and 7, respectively. ‘We note with grave concern the consequences of continued environmental degradation, including the record pace of species decline,’ says WEF president Børge Brende. ‘Respondents to our Global Risks Perception Survey are also sounding the alarm, ranking climate change and related environmental issues as the top five risks in terms of likelihood – the first time in the survey’s history that one category has occupied all five of the top spots.’ Brende adds that, despite these obvious warnings, many nations are not on course to meet the commitments signed under the Paris Agreement on climate change. Many of the risks identified overlap and exacerbate the other. Global geopolitical and economic strains, for instance, could compromise efforts to curb climate change. ‘Failure of climate-change mitigation and adaption is this year’s number one long-term risk by impact and number two by likelihood, according to survey respondents,’ the WEF report warns. The fallout from climate change could be cataclysmic. Loss of life, stress on ecosystems, food and water crises, increased migration, an increase in geopolitical tensions, economic impacts and capital market risks… A general collapse of life as we know it. Alize le Roux, senior researcher at the Council for Scientific and Industrial Research, says in the IRMSA report that hydro-meteorological disasters have cost the South African economy in excess of ZAR74 billion since 1978. Recent events – such as the Western Cape drought, the Knysna fires in 2017 and floods in KwaZulu-Natal, Eastern Cape and Free State last year – serve as stark reminders of the costly impact of these disasters. ‘It showed just how susceptible and vulnerable our cities and towns are to these hazards,’ she says. Hydro-meteorological disasters, and our capacity to deal with them, have intensified in the past few years, with more than 80 noticeable weather-related emergencies in the last four decades. ‘There is also strong evidence that the projected climate-change scenarios will amplify these trends in South Africa, in particular weather-related events, such as heatwaves, floods, droughts, wildfires and storm surges,’ as noted in the Risk Report. The hurdles in dealing with these types of disasters are complex and varied. Municipalities must contend with other immediate pressures, which leads to inadequate land-use planning necessary for these regions to withstand natural disasters and expected climate shifts. Rapid urbanisation and a growing population have also added to the already difficult situation. The drought in the Western Cape is a case in point of how challenging it is for governments to keep up with weather patterns and plan for the unexpected. The IRMSA recommends collaboration between sectors within government to focus on disaster risk reduction and climate-change adaptation. High-risk cities must adapt and introduce systems to become climate resilient. Climate change and human-related natural disasters are among the risks expected to increase the most in terms of severity Commenting in March in the early stages of the spread of COVID-19, Vanessa Thurlwell, senior risk consultant at Mondial Risk and Business Consultants, warned that we need to look at the medium- and longer-term impacts on our organisations and the global economy. ‘When looking to mitigate risks, organisations need to attempt to prevent risks first, and then have controls in place that will reduce impacts if the risk were to happen.’ Thurlwell explains that to effectively mitigate risks directly related to the pandemic, we need to separate extreme risks and crisis situations from everyday risks. They should be dealt with differently, in a more agile and efficient manner, as the time frames are significantly shorter. ‘A traditional governance structure that works well during normal operations becomes too slow and inefficient in a crisis situation,’ she says. As part of a business continuity management and crisis management framework, businesses must have in place a level of crisis governance and mechanisms for decision-making and cascading actions through the organisation, with effective control, communication and feedback. ‘This governance should be designed, approved and set up well before an extreme risk event emerges,’ says Thurlwell. Le Cordeur’s statement on risk management again. ‘Risk management should be involved before decisions are made. Once issues become evident, it is already too late.’ The COVID-19 pandemic has shown many creases in the fabric that weren’t dealt with adequately before the outbreak. Companies that had risk-mitigation systems in place were better prepared for the unpreparable. By Sven Hugo Images: Gallo/Getty Images