What security leaders need to prioritize to keep ahead in 2023

In the past few years, global risk has become more complex and more frequent. From deadly weather patterns to record heat waves, increasing gun violence, war and civil unrest, the risk landscape is increasingly extreme and uncertain.

Disasters like Hurricane Ian, for example, are no longer a once-every-few-years occurrence. Today we live in a world where crises happen every year and every season. According to the 2022 Global Risk Impact Report, analyzing approximately 14 million unique physical threats between 2020 and 2021, reports of blizzards and avalanches tripled, while tsunamis doubled--even in places that are not used to experiencing this kind of weather. At the same time, mass shootings, arson and assault rose by up to 200%. Even seemingly mundane accidents on the roads and rails increased significantly, with car crashes up 168% and railway incidents up 91%.

To keep ahead in 2023, security leaders need to understand the cascading impact of physical threats across their people and operations – and how to mitigate the effects.

The Butterfly Effect: The Impact of Physical Threats Across Industries

The “butterfly effect”: A delicate name with serious implications. The effects from one physical threat can create ripples across an organization’s operations. 

Emergencies are rarely isolated incidents. This is the concept of “dynamic risks” – a risk in which the ultimate harm is different than initially expected. Supply chain disruptions, climate change and even cyberattacks are all good examples of how a single critical event can create severe, lasting impacts on companies and even entire industries or regions. The following are all recent examples of dynamic risks:

• The “Ever Given” container ship blocked the Suez Canal for almost a week in March 2021, impacting 12% of global trade. Experts estimated the daily cost of the jam was over $10 billion in delayed cargo alone. Even once the ship had been freed, it took months for the supply chain to rebound from the delays.
• A major airline faced unexpected consequences when a tornado hit a nearby town. Although they were prepared for the effects on flight schedules and physical locations, they didn’t anticipate the impact on personnel. Flight attendants, baggage handlers and other employees living locally were unable to report to work due to power outages, gas main breaks and evacuations, causing a week-long labor shortage and extended flight delays.
• In today’s world, digital attacks can also have physical consequences. When Russian ransomware hackers breached the networks of JBS Foods, the world’s largest beef supplier, the company was forced to halt operations in the United States, Canada and Australia. After a day of shutdowns, they chose to pay $11 million in ransom and were able to restore their systems from backups. Cybersecurity experts predicted a prolonged closure could have affected global meat prices.

Even risks that don’t make the top headlines in the United States have a similar cascading effect on businesses.

Historic flooding in China may not be breaking news stateside, but factory shutdowns and road closures disrupted global manufacturing and supply chains and caused $10 billion in direct losses. Similarly, we might not be up to date on the deadly mass protests over farming reform in India, but the agricultural impacts affected American production lines and were reflected in grocery store prices.

How Can We Measure the Cost of Physical Threats on Businesses?

It can be difficult to calculate the true effects of physical threats on a business but measuring the cost of security investments is critical in order for leaders to act.

The reputational damage, customer churn, employee turnover and shifted operational resources caused by threats can be difficult to quantify. However, there are ways to estimate what we at OnSolve refer to as the Average Lost Revenue (ALR)[1] from the direct impact of a crisis or threat.

Imagine a severe tornado touches down on a distribution center responsible for just 5% of revenue, forcing it to close for 20 days. If a company earns $2 billion annually, the ALR from the direct impact of the tornado would be $5.5 million.   

That’s a big hit on revenue. But it doesn’t even account for the additional costs of physical damage and repairs; loss of assets, products, customers or employees; or harm to your reputation—or all the costs of response. If you’re not prepared to manage the butterfly effects of a single crisis, the negative impact on your organization could be long-lasting and severe.

A New Normal: No Longer If, but When

We are living in a world where crises happen every day – and in areas previously thought to be stable. Security and Business Continuity leaders can’t afford to overlook the impact physical threats will have across their businesses and industry. This is especially true for asset-heavy organizations without an established Global Security Operations Center (GSOC).

More than 50% of leaders say their risk mitigation and response plans have been less than effective, according to 450 risk and security professionals surveyed by Forrester Consulting. While you can’t avoid all risk, you can have programs in place to get ahead of threats and mitigate their impact.

So, what do security leaders need to prioritize for 2023?

To anticipate crises and minimize their cascading effects in the coming year, security leaders should take the following steps:

• Create and update operational risk plans. Identify your operation’s most critical areas and the risks that threaten them, as well as reflect on how they have been threatened in the past.

Review how growing physical threats including gun violence, protests, climate change, fires, transportation accidents and logistic disruptions might impact your locations. Identify their effects on your business and how you could mitigate those consequences.

Colleagues from your security and operational teams can help you assess the risks you face, identifying vulnerabilities and strengths in your response plan. Together, ask yourselves:

            o   What are the immediate impacts of this event on the organization? What are additional threats that could arise as a result?

            o   What are outside events that could impact our operations? For example, if a node in a vendor supply chain were to break down, would our production                 be  able to continue?

            o   Where are our bottlenecks? Does disruption to a single process or location inhibit all operations?

            o   How has our current plan served us when managing and responding to past threats? Are there gaps or misalignments in the plan?

            o   What role does each team play when responding to risk and managing the aftereffects?

            o   How can we communicate and align our priorities with the executive team to effectively implement our operational risk plan?

• Establish a solid data framework. Security leaders are stretched thin as it is, with high expectations coming down from the C-suite. It’s impossible to manually monitor every single physical threat that could potentially impact your organization. However, automation makes it possible to stay on top of relevant risks.

Risk management technology with artificial intelligence (AI) monitors big data, automating the task of real-time risk detection and analysis. It combines companies’ internal data, such as employee location, offices, fleet traffic and even power lines, with data gathered around external physical threats like severe weather, cyberattacks and civil unrest to capture millions of potential risks.

With Machine Learning, this information can be filtered across an organization’s people and operations, and alert security leaders to the events most likely to impact the assets they are monitoring. This lets the professionals focus on managing the real dangers to their people, operations and assets, instead of sifting through global threat data to determine which ones are relevant.

You can use this to make informed decisions about how to prepare for and react to crises before they even happen – days, or even weeks, in advance. Leveraging technology in this way allows you to focus on honing your response strategy for quick and decisive action in the moment.

Effective crisis management is more than just keeping your people and property safe during an active emergency. The right reaction strategy, based on accurate data, prepares your business to survive and thrive in the aftermath.

• Recognize the importance of communications. Once you’ve created a comprehensive risk plan and gathered intelligence about potential threats, you need an effective system of communications to keep your organization safe and informed. Moreover, teams need to be clear on who owns what when a crisis happens.

When you learn about a threat, how quickly can you reach the people who need to react? Do you have alternate ways to contact your team if you lose power or suffer a cyberattack?

Effective communications not only maintain business continuity but also strengthens organizational resilience and ultimately, save lives.

A customer from OnSolve, a private insurance company with call center operations in the Philippines, experienced a threat that illustrates perfectly how effective critical communications help organizations anticipate and survive emergencies.

In December 2021, their risk intelligence solution alerted them to the incoming Typhoon Rai days before the storm hit, while other businesses in the area had only hours to prepare. They were able to give advance notice to team members, relocating those affected and transferring essential services to another center in Manila.

Thanks to their early warning and successful communications efforts, Venerable was able to maintain normal business operations, avoiding devastating financial losses for themselves and their customers. They also mobilized supplies and provided housing to employees in the path of the storm, protecting their people from the worst of the typhoon.

Looking Ahead

Physical threats to business will not abate anytime soon. If 2023 continues the pattern of the past few years, organizations will be faced with more frequent and complicated risk scenarios. Increasing business disruption, fueled by climate change, is driving transformation for security leaders. A big question every business leader should be asking is: Is your business capable of handling the threats brought on by these issues?

In a world where a single critical event can set off a chain reaction of consequences, a collaborative and informed risk response can make the difference between operational devastation and organizational resilience.

Is your business capable of handling physical threats and their consequences? Now is the time to evaluate and prepare. Make sure your critical event management technology empowers you to prioritize physical threats, respond effectively and mitigate their consequences.