Ready or not, here it comes. That might as well be the credo of senior finance executives at almost any large U.S. company. “It” refers to any potent threat, ranging from a data breach to a natural disaster, that could affect a company’s core operations. The responsibility for mitigating such risks, by identifying and addressing the company’s exposures, has grown ever more challenging, in a world where bad news travels fast and bad actors are filling up the “cloud.” With the instantaneous spread of information, a company that finds itself confronting the impact of a serious risk needs a proactive plan for managing the consequences and regaining its strategic footing.
For CFOs, the responsibility for anticipating, prioritizing, and fortifying the enterprise against the consequences of such risk impacts isn’t merely a theoretical exercise. In a recent survey of CFO-level executives, 86% say that over the next two years, their company needs to be better prepared for disruptions to operations. Fewer than half of respondents, 46%, report having either developed or tested formal loss-recovery plans, putting strategies in place for minimizing downtime or data loss.
The survey, conducted by CFO Research in collaboration with FM Global, drew 101 responses from CFOs (or their equivalents) at companies with more than $500 million in annual revenue.
Evaluating their company’s resilience in recovering from a range of listed hazards, few survey respondents rank their businesses as being very well prepared to rebound from any such perils. Of the six types of high-risk events considered by survey takers, only two—equipment failure and natural disasters—garnered as much as a third of respondents (34% and 33%, respectively) who give their employers the highest grade of being “very well prepared” (see Figure 1, below).
When it comes to utter lack of readiness, however, 8% of survey takers admit that they are not prepared to endure geopolitical disruption, which includes government intervention and terrorism. That’s more than twice the number of respondents who judge their companies as being wholly unprepared for a data breach or an equipment failure.
The distinct absence of urgency may be at least somewhat understandable, as 56% of respondents report that geopolitical disruption has not emerged as a problem for their businesses. The same proportion also say they haven’t had any problems with supply chain disruption or failure.
In terms of modeling worst-case scenarios for high-risk events, only 31% claim to have done so in anticipation of geopolitical disruption, the lowest number by far for any of the six high-risk events listed. (The second-lowest choice, data breach or cyber attack, has been modeled by about 54% of respondents, the survey found.)
CFOs’ experience with such damage-causing dangers is, for the most part, not first-hand. Just 25% of respondents cite having had a natural disaster cause substantial harm to their company. Two-thirds of respondents report that equipment failure has caused at least some harm to their business, while a slightly smaller proportion, 59%, say a data breach or cyber attack caused at least some harm.
That said, finance executives tend to be keenly aware of the operational impact such adverse events have had on industry counterparts in recent years. More than two-thirds of respondents say they’ve seen the damage wrought by occurrences ranging from natural disasters (71%) to data breaches and cyber attacks (69%), while nearly two-thirds have witnessed the effect of equipment failure on their peers.
High-profile catastrophes, such as Hurricane Sandy in 2012, have left their imprint on finance executives. The 2015 hacking of the U.S. government’s Office of Personnel Management “was a wake-up call for our organization on managing the risk of exposing information about our employees,” writes one CFO. Another says that the data breach at discount-retailer Target in late 2013 “has made our company more aware of the need to increase security in accessing client data.”
An awareness of the need to manage risk isn’t sufficient, however. Finance executives need to integrate the practice into the planning process.
That requires identifying key vulnerabilities, ranking threats according to the likelihood of their occurrence and the estimated damages they could cause, and working with relevant stakeholders to make plans for safeguarding key assets. Using data analytics tools, finance executives can collect and evaluate timely metrics, using them as raw material from which to build risk models and forecasts. In many cases, they also have the flexibility to integrate real-time information about changing market conditions. And adjustments can be made based on regular risk audits, enabling CFOs to continually re-prioritize the risks that require managing.
In contrast to their cost-cutting focus of recent years, CFOs now see the need to direct investments toward bolstering resilience, outfitting their companies with tools that can help them prevent or reduce losses. As with any expenses, CFOs must prioritize their resilience-building budgets, embedding disruption-defying strategies into the corporate DNA. In the wake of a crisis, a company’s continued ability to accommodate customers and keep employees on the payroll can seem like an incalculably valuable payoff.
When it comes to calculating the effect a loss event would have at one of their company’s facilities or locations, nearly half of survey respondents, 47%, say the most serious impact would be damage to customer service and relationships. The second-highest area of concern, “threat to employees’ health and well-being,” is cited by 43% of respondents (see Figure 2, above).
Asked to name the most serious threat they face, both now and in the future, respondents frequently point to cyber attacks, perhaps because there have been so many headline-generating hacks. Such attacks can inflict damage on several fronts simultaneously, whether exposing valuable and closely held intellectual property, inflicting deep reputational wounds, or disrupting operations. The loss of digital property, such as third-party data, can also trigger costly lawsuits, as well as require substantial investments in reputation rebuilding.
No matter what scenarios they construct, finance executives can’t help but be haunted by a daunting question: How can they possibly prepare for risks that have no precedent? So-called “black swan” events, like the 2011 tsunami that submerged Japan’s nuclear power industry, can threaten not just companies but also entire industries.
That prospect, no matter how remote, could be enough to make a level-headed CFO consult an astrologer. But by striving to build a highly adaptive company that excels at risk management and demonstrates resilience, even when taken by surprise, finance executives are shaping organizations that can weather a disruptive economy. In doing so, they are assuming a risk—that is, making a bet—that’s bound to pay off.