Take responsibility and build a culture of crisis resilience

The nature of terrorism is changing and man-made attacks are on the rise. For businesses, ignorance is not an option. Paul Bassett (pictured) and Justin Priestley of Arthur J. Gallagher urge risk managers to take action.

In today’s uncertain geopolitical climate, the potential crises faced by businesses are constantly evolving. New security threats are fast emerging and developing, meaning traditional acts of terrorism aimed primarily at causing maximum property damage and disruption are no longer the primary concern.

This shift is borne out in the figures. In 2015, traditional terrorism insurance represented only $1.3bn of the $8.1bn political risk and crisis management insurance market, with KPMG estimating that product recall, kidnap & ransom and cyber product lines made up the largest contribution at $4.8bn.

But insurance alone will never be enough. No insurance policy ever saved a life nor did it prevent a risk from arising in the first place. Businesses must now be both resilient and adaptable to best protect themselves and their people from the dynamic nature of today’s complex security threats — and switch their focus from pure risk transfer to proactive risk management.

Whether it is becoming a victim of product tampering or being inadvertently caught up in a mass casualty terrorist attack, such as an active shooter situation or one perpetrated by a lone suicide bomber, the evidence strongly suggests these man-made attacks will increase.

Organisations must therefore become more conscious of the risks they face, understand their duty of care to employees, implement robust risk management procedures, explore insurance solutions and embed a culture of crisis resilience throughout the company. Ignorance is not an option. Firms need to learn how to anticipate, prevent, respond and recover.

As the nature of business becomes more global and digital, the range of risks can stretch from assault, blackmail and civil commotion to hostage situations, stalking and even cyber extortion. By way of illustration, the company network of a client in Glasgow was recently breached, where the perpetrators made copies of sensitive data. They demanded £50,000 or this data would be released online; an extreme breach of security and a crisis in every sense of the word. This highlights the extent of the risks that businesses face and the need to be properly prepared to manage them.  

Contrary to popular belief, such security threats are neither isolated to city centres or large corporations, nor are they limited to traditionally hostile geographic environments. Locations in mainland Europe, where employees travel for business or holidays, are increasingly being targeted and whatever your type of business, size or geographic location, your legal obligation to safeguard those in your care remains the same.

Product tampering is one example of a threat that is both serious and growing. Another client, a key supplier to a global pet food company, was subject to a threat that poison would be added to their product unless they ceased to supply that customer, which they claimed was involved in animal experimentation. This situation posed a huge risk to the brand and reputation of both companies. They were prepared, but this type of threat — if successfully carried out — could cause irreparable damage to any business.

The dynamic and increasingly pervasive nature of these threats means that boards need to be alert and aware. Risk managers should conduct a full risk assessment to understand where their business and employees are most vulnerable.

Every industry in the country has a responsibility to ensure they have robust resilience capabilities. If every business in the UK improved their preparedness and procedures, even by a small amount, the net effect would significantly bolster the country’s resilience as a whole.

Paul Bassett is Managing Director and Justin Priestley a Director of Crisis Management, both at Arthur J. Gallagher.