Managing Threats and Business Risk

Very much in fashion, business resilience describes an organization's ability to respond to sudden disruptions that could threaten its operations, brand, or reputation.

But what of the threats and business risks themselves? Those are the potential events that can disrupt or halt a company’s operations. And as we’ve seen with Covid, the supply-chain crisis, cyber threat, and more, managing threats and business risk is becoming integral to running a successful business.

But how? First by identification. This article, therefore, lays out some of the top business risks organizations are facing today before offering strategies and tools, e.g., investigations and case management software, needed to ensure those threats are identified and tracked.

What is business risk?

So, what is risk?

Simply put, risk is the effect – any deviation from the expected – of uncertainty on objectives. Risk tends to be expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of that event happening.

What about objectives?

Objectives themselves can have different aspects. For instance, they can be financial, health and safety, and environmental goals.

Objectives can also apply at different levels, e.g., strategic, organization-wide, project, product, and process.

What’s more, an objective can be expressed in other ways, for instance, as an intended outcome, a purpose, an operational criterion, as a business continuity objective, or by the use of other words with similar meaning (e.g. aim, goal, or target).

Risks that contribute to business disruption

The challenge with mitigating business risk is that it takes so many forms. What are some of the principal types of business risk? They include the following:

Supply chain snarls

A major effect of the pandemic has been the interruption in flow of goods. However, supply chains haven’t gotten back on track even with Covid’s ending.

For instance, vital Red Sea shipping lanes began 2024 deeply ensnarled, as attacks by Houthi rebels in Yemen on commercial vessels effectively closed the critical shipping lane to trade.

Hundreds of vessels have since been rerouted around southern Africa, a detour of some 4000 miles. It’s estimated that this far longer trade route around the Horn of Africa adds an additional USD 1 million in fuel costs to the round-trip fare.[i]

That increase in transit times is driving up shipping rates. For instance, earlier this year, aggregate measures of container shipping costs stood at two-and-a-half to three times their December levels, and ocean spot rates have soared as well.[ii]

The Red Sea isn’t the only supply-chain crisis flashpoint. The Panama Canal is, too. Although cut through tropical jungle, the Panama Canal Zone has been plagued by drought.

In fact, the Canal, through which 40% of all U.S. container traffic travels, has become so dry that ships are having to idle or sail entire continent(s) out of the way to get through more passable waterways.

Cyber attack

The kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself has been on the rise for some time now. And managing this business risk will only become more important.

Just ask the companies who have suffered cyber attacks this year; the list runs the gamut from Beirut International Airport to mortgage loan firm loanDepot and UnitedHealth’s Change Healthcare.

The Change Healthcare attack, however, isn’t the only high-profile cyber incident in the healthcare space. There have been hits on Lurie Children’s Hospital, one of the largest pediatric healthcare organizations in the Midwest, as well as more recently, the St. Louis-based Ascension health system.

Third-party risk

Often these attacks exploit a major vulnerability: a vendor’s systems, which are then used to gain access to the data stored by organizations reliant on the vendor.

Already last year, a staggering 98% of organizations[iii] reported having a relationship with a vendor that experienced a breach within the last two years, attesting to the need for stricter third-party risk management protections.

To highlight the point that more needs to be done, the Basel Committee on Banking cited third-party risk management in its incomplete report card to banks for lagging in adopting Committee principles on operational resilience and operational risk.

Physical security

Most compilations of business risk acknowledge the cyber security threat. Less likely to be considered, though, is the reality that cyber threats exacerbate human threats.

Corporate security budgets were slashed at the beginning of the pandemic. Commercial building security funding has also atrophied with less demand for tenancy, exacerbating physical security risk.

Corporate security teams, as such, are expected to perform their function with fewer resources, even though fewer workers in offices only increase the relative level of risk to the lone workers left behind.

Just like lone workers, (more) isolated physical assets are more challenging to secure, as well.

Severe weather

Another major business threat is severe weather. 2024, for instance, got underway with a magnitude 7.6 earthquake in Japan on New Year’s Day.

The earthquake, which left more than a hundred people dead, dozens missing, and over a thousand displaced, was an instant reminder of the persistence of severe weather as a business threat.[iv]

Nor have conditions improved. For a period in the middle of February, the entire population of California was under flood alert, as the state faced an unprecedented deluge.[v]

Indeed, on the business risk front, 2024 seems to be racing to match 2023, when the U.S. alone experienced a staggering 28 weather/climate disaster events with individual losses exceeding $1 billion.[vi]

That figure was up eight from the year before. However, it was a staggering increase of 20 from the 1980-2022 yearly average, suggesting a deteriorating risk environment.

Business analysts, for their part, are predicting much of the same. In its Global Risk Report for the year, the World Economic Forum (WEF) is counting extreme weather events and critical change to Earth systems as the greatest concerns facing the world over the next decade.

Compliance

In response to the accumulation of such threats, major regulators are acting, introducing another font of business risk.

The deteriorating cyber risk environment alone has prompted aggressive action from policymakers and regulators. From the Digital Operational Resilience Act in the EU to APRA CPS 234 in Australia, regulatory regimes are expanding precipitously.

Indeed, if forecasts bear out, we are likely to see two thirds of the world’s population covered by data privacy regulations.[vii]

In 2023, for instance, five states rolled out comprehensive consumer privacy laws.[viii] The previous year, at least 40 states and Puerto Rico introduced or considered more than 250 bills or resolutions that deal significantly with cybersecurity, according to the National Conference of State Legislatures.[ix] Of those, 24 states enacted at least 41 bills in 2022.

National regulators like the Securities and Exchange Commission (SEC) are increasingly proposing new disclosure requirements on regulated entities, as well, requiring publicly traded companies to report material cybersecurity incidents within four business days of determining materiality.[x]

By targeting the SolarWinds CISO, the SEC is also signaling that it’s ready to impose legal liability on named security leaders within organizations it considers deficient.

Healthcare regulators are also ramping up protections. The U.S. Department of Health and Human Services (HHS) is set to establish voluntary cybersecurity performance goals for the sector.

Meanwhile, the Centers for Medicare and Medicaid Services will propose new cybersecurity requirements for hospitals, and the HHS Office of Civil Rights has announced that it will update the HIPAA Security Rule to include new cybersecurity requirements.

Under the aegis of the cyber security strategy to 2030, the U.K. is also ramping up security protections in the healthcare sector.

Software to help minimize business disruption risk

What about digital technology to help minimize business disruption risk? Investigations and case management software like Noggin’s helps organizations ensure that potential threats are identified and tracked, and that all relevant information and findings from investigations are consolidated, to ensure better understanding of drivers and causes.

Our investigation management functionality allows teams to conduct incident investigations to understand the causes and learn from disruptions, capture facts, evidence, and statements, and identify options to prevent reoccurrence and be better prepared to respond in the future.

But don’t just take our word for it. Request a demonstration to see Noggin in action for yourself.


Sources

[i] Noah Berman, Council on Foreign Relations: How Houthi Attacks in the Red Sea Threaten Global Shipping. Available at https://www.cfr.org/in-brief/how-houthi-attacks-red-sea-threaten-global-shipping.

[ii] J.P. Morgan: What are the impacts of the Red Sea shipping crisis? Available at https://www.jpmorgan.com/insights/global-research/supply-chain/red-sea-shipping#:~:text=Audio%20Descriptive%20On-,What%20are%20the%20impacts%20of%20the%20Red%20Sea%20shipping%20crisis,to%20surge%20nearly%20five%2Dfold.

[iii] Professor Stuart E. Madnick, Ph.D., Apple News: The Continued Threat to Personal Data: Key Factors Behind the 2023 Increase. Available at https://www.apple.com/newsroom/pdfs/The-Continued-Threat-to-Personal-Data-Key-Factors-Behind-the-2023-Increase.pdf.

[iv] Hiro Komae et al, AP News: Thousands forced from homes by a deadly Japan earthquake on New Year’s face stress and exhaustion. Available at https://apnews.com/article/japan-earthquake-ishikawa-disaster-evacuation-rescue-snow-c09c02361314860712ca5a5e9f52d3a5.

[v] Steve Almasy and Mary Gilbert, CNN: Nearly the entire population of California is under flood alerts as rain drenches the state. Available at https://www.cnn.com/2024/02/19/weather/california-storm-rain-flooding-monday/index.html.

[vi] National Centers for Environmental Information: Billion-Dollar Weather and Climate Disasters. Available at https://www.ncei.noaa.gov/access/billions/.

[vii] Gartner: Gartner Says By 2023, 65% of the World’s Population Will Have Its Personal Data Covered Under Modern Privacy Regulations. Available at https://www.gartner.com/en/newsroom/press-releases/2020-09-14-gartner-says-by-2023--65--of-the-world-s-population-w.

[viii] Gary Kibel, Reuters: New privacy laws in 2023 — considering draft regulations. Available at https://www.reuters.com/legal/legalindustry/new-privacy-laws-2023-considering-draft-regulations-2022-11-16/#:~:text=November%2016%2C%202022%20%2D%20There%20are,%2C%20Colorado%2C%20Utah%20and%20Connecticut.

[ix] National Conference of State Legislatures: Cybersecurity Legislation 2022. Available at https://www.ncsl.org/technology-and-communication/cybersecurity-legislation-2022.

[x] U.S. Securities and Exchange Commission, SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies. Available at https://www.sec.gov/news/press-release/2022-39.