We live in uncertain times: Uncertainty is the new certainty! Many experts even consider this to be the dawning of a new era. Whether they view it as a cause for concern or a turning point, this change represents both a risk and an opportunity for companies. There are many different risks to consider, from cyber risks to geopolitical issues. But the changes are also opening new doors and presenting new opportunities, as developments give rise to new digital solutions and innovations. For all the pros and cons, companies should be aware of their risks and prepare for them accordingly. Or as commercial property insurer FM Global says: Resilience happens before a loss occurs.
In October 2019, an automation technology company fell victim to a cyber attack. The media response was huge, and the consequences of the attack even greater. Company servers and communication systems failed worldwide and production ground to a halt. An international fashion company also succumbed to a similar attack in the fall of this year. The cyber attackers targeted IT and communication systems. Despite having an internal IT security strategy, the company said that it had been unable to prevent the attack. It took days to get the IT systems up and running again. According to media reports, "core systems" were still gradually being brought back online over a week after the cyber attack had taken place. Two cases, one issue: cyber attacks. Besides the financial loss they incurred, both companies also suffered a blow to their reputation.
The growing number of cyber attacks on companies shows that these worst-case scenarios are not isolated cases, and have not been for a long time. According to a recent study by digital association Bitkom, cyber attacks cost German companies over 100 billion euro every year. This means that losses incurred by German companies have increased by around 50 percent since the last Bitkom survey in 2017. The fact that most attacks are launched from within the organization itself is also alarming. Tiago Dias, Assistant Vice President, Cyber Security Consultant, FM Global, has come to this realization. "Some attacks were purely opportunistic in the past, but today they are much more effective and the number of incidents is growing rapidly," says Dias.
What's more, the number of unreported cyber attacks is likely to be much higher, according to Bitkom. The association estimates that 13 percent of companies have been the victim of hardware theft, social engineering, espionage, or simply analog sabotage.
Status Quo, Risk Accounting, Failing to Look to the Future
Although cyber attacks and the associated losses are clearly increasing, many companies do not have a preventive risk management system in place, as demonstrated by a survey of 100 CFOs and other financial managers recently conducted by FM Global. According to this survey, seven in ten respondents assume that most or even all losses are covered by their insurance. This is a false assumption, as a glance at their insurance policies would show. A lot of the losses that could be incurred; such as damage to reputation, a drop in sales, or a decline in the company's share price; are not covered by insurance.
Insurance deals with the effects of an event and essentially "mitigates" the financial pain by providing compensation. Preventive risk management should always focus on measures to limit exposure or help to prevent a risk from occurring.
To define preventive measures, companies need to "learn from the future". In particular, this includes the ability to anticipate potential scenarios and implement preventive measures.
Cyber Risk Assessment as Active Risk Management
Organizations need to analyze their potential risks and stress scenarios and use them to define an overall risk management strategy. Dias explains how the FM Global Cyber Risk Assessment works: "We take a technical and risk-based approach to identifying cyber risks. The Cyber Risk Assessment is a tool that enables clients to assess their information security and supports them in this process." In addition: "The Cyber Risk Assessment is supported by on-site inspections that assess physical security and industrial control and automation systems."
Essentially, FM Global's approach is to assess as a hazard any cyber risks that could result in physical damage in the event of an incident. "We try to prevent such losses from occurring by assessing and understanding the risk." According to Dias, only then can the appropriate security measures be put in place. Tiago Dias goes on: "We advise our clients to prioritize cyber-related issues in order to develop targeted protection against cyber risks."
This active management of risks is an approach that Mike Lebovitz, Senior Vice President, Innovation, at FM Global, is also focusing on: "The world of technology is evolving at a rapid and ever-increasing pace. Companies need to recognize the signs of the attendant changes in order to understand the implications for their organization." Risk managers also need to understand the change processes within and outside their company and find where they fit into the risk map for the overall organization. Lebovitz: "A risk manager should be an important voice in the company during this process."
Limit Loss—With the Aid of Research and Data Analyses
The fact is that a lot of losses can be avoided. Decision-makers and risk managers should focus more on the possibility of prevention. According to research by FM Global, 70 percent of all losses incurred in the industry are the result of a machine failure. That equates to losses of approximately one billion euro due to turbine failures alone and over 223 million euro caused by generators failing. Sofia Teljevik, Vice President, Branch Manager, FM Global, talks about major losses in this area. According to Teljevik, the industrial property insurer recorded 230 cases of major losses in 2018 alone. She reports that one third of these major losses were caused by the failure of machines. "In certain industries, such as mining, chemicals, and energy production, this figure even rises to two thirds," says the Branch Manager, emphasizing the point.
When asked how risk managers can identify and minimize potential losses due to failure, Teljevik says: "Companies should have many more engineers working on the machines so that they have a better understanding of the overall process." She adds: "We have around 250 engineers working at FM Global who are specially trained and work with large machines such as boilers, transformers, chemical storage tanks and turbines." Teljevik also believes that it is important to work with clients to understand and minimize the risk.
FM Global invests heavily in research and development with the clear aim of preventing loss. "We give our clients recommendations for action based on scientific facts in combination with our insurance products," Teljevik explains.
Data analysis is another important aspect. FM Global uses predictive analytics to incorporate findings from the many on-site visits made to clients and combines this data with its own loss statistics. This enables the company to make predictions as to when and where losses could occur. Predictive analytics is also being used to update classic business intelligence solutions in order to answer the question: What will happen? For companies like FM Global, it is an indispensable tool that enables them to make more accurate predictions regarding potential loss events and ultimately help clients to take loss prevention measures before an incident occurs.
Another benefit of these analyses is that they help risk managers to efficiently allocate resources where they are needed. This is where the advantages of preventive, effective risk management and the new analysis options provided by predictive analytics really come to the fore. Loïc Le Dréau also highlights this added value. The Operations Senior Vice President at FM Global considers the clear picture that it gives companies: "Advanced technologies such as predictive analytics can give risk managers a very clear picture of the risk and indicate how to prioritize risk improvement measures. "According to Le Dréau, this includes identifying machines that require repairs and locations that are prone to loss. "Predictive analytics gives risk managers a much better overview of the risks that will pose a threat to their business sooner or later." By monitoring this data, risk managers can maintain an accurate overview of the current risk and identify defects before they cause a loss.
People and Sharing Knowledge
All technical solutions and risk analyses ultimately depend on a change in behavior and culture within the organization. After all, in the end, it is the people within the company who determine the success of an improvement in risk management and ultimately the success of loss prevention measures across the organization as a whole. It is therefore vital to implement programs for improving the risk and error culture within organizations, to teach employees the value of machines and data to the company. Increasing this awareness is important if companies want to prevent internal losses, as is sharing knowledge.
This means that employees need to be trained in machine operation and maintenance, processes, and emergency response plans. Essentially, everyone needs to know what to do both during normal operation and also if a machine failure occurs.
To train clients in risk management, FM Global offers a range of classroom-based and online training sessions. The aim of sharing this knowledge is to help risk managers, engineers, and other employees of the client to prepare for unexpected scenarios and make sure that the business keeps running.
FM Global has developed a special learning center to promote creativity and collaboration. The commercial property insurer provides specific training modules in this learning center hosted by experienced trainers using the latest technology.
All of these measures are being taken to keep up with the digital connected world of today and tomorrow, to maintain an overview of the risk landscape and to ultimately limit loss. Taken altogether, these measures provided by FM Global constitute a recipe for prevention: for identifying risks, limiting loss, and ultimately building and improving clients' resilience. After all, resilience is a choice and resilient companies have a clear competitive advantage in uncertain times.