With supply chain disruption, civil unrest, gun violence, global pandemics, catastrophic weather, war, inflation, and fear of recession, we’re in a new era of risk. Organizations have never faced a more extreme or uncertain threat environment. Business leaders should stop asking if they’ll face a crisis and get prepared for when.
Most businesses are already doing this in the area of cybersecurity — which they view as the top business risk, according to recent data from PwC’s Pulse Survey.
Now, CEOs need to apply the same rigor to physical security as they do to cybersecurity. Business leaders need to implement new operational strategies and cultivate new skills to protect their organizations. Specifically, this means creating new risk frameworks and implementing well-defined crisis plans to protect their organizations proactively. In short: Prepare now, or be caught unawares when the next crisis hits.
Threats Have Been Increasing
Leaders should start by assessing today’s risk landscape and identifying the threats most likely to impact their business — especially as threats spike to unprecedented levels. The OnSolve Global Risk Impact Report provides a glimpse into today’s threat environment.
For instance, we found that in the U.S., two of the three most common risk events are related to homicides and gun violence. Growth rates in other categories were also high: From mid-2020 to mid-2022, transportation-related threats rose 179%, fire threats were up 150%, infrastructure and technology risks jumped 142%, and extreme weather risks grew by 61%.
Not only are threats occurring with more frequency, they’re also becoming more costly. The National Oceanic and Atmospheric Administration reported that weather and climate disasters caused billions of dollars in damages and countless hours of downtime — levels unseen since 1980. Most recently, Hurricane Ian’s destruction cost an estimated $67 billion.
Executives have a fiduciary responsibility to ensure their organizations are prepared to respond to unfolding events in real time and keep employees safe. Unfortunately, according to PwC, less than one-third of leaders are preparing for supply chain bottlenecks, extreme weather events, critical infrastructure attacks, and public health crises — all of which have derailed many businesses in the past few years and continue to do so.
Every threat can become a cascading, dynamic risk. Learn how making the shift from risk prevention to resilience management can help organizations navigate the unexpected impacts of physical threats and strengthen preparedness.2024 Global Risk Impact Report
The Case for Prioritizing Physical Security
Protecting an organization’s people, places, or assets from physical threats is often overlooked, and physical risk mitigation is often under-resourced. Yet the consequences of physical threats are severe. These include unplanned operational downtime, product loss, customer churn, brand reputation damage, broken vendor or supplier relationships, and loss of investor confidence. The risks can even include human injury or loss of life.
At a time when the national discourse remains focused on a possible recession, many businesses are taking another look at their P&Ls. As they contemplate current budgets and possible future expenses, investment in physical security is likely to come into question. But threats to physical assets don’t stop because of an economic downturn. The hurricane approaching your coastal HQ doesn’t care that there’s a recession looming.
It can help to view investment in physical security as more than just a cost center. Instead, it can actually be a strategic advantage. Companies that are proactive in the face of uncertainty create a culture that is more agile and resilient in all conditions, according to PwC. With this in mind, the business leader who proactively addresses physical threats might not only make their employees and operations safer, they might make their company more recession-resistant and able to outperform underprepared competitors.
Understanding Dynamic Risk
Another aspect of creating organizational resilience is the ability to see dynamic risk: the possibility that one crisis can cascade into another. When organizations fail to account for cascading threats, crises can lead to unexpected costs or damage. Let’s look at a couple examples.
In 2021, when the massive container ship Ever Given ran aground and blocked the Suez Canal for six days, there were obvious effects to the ship, its owners, and to the normal functioning of the canal. However, when there’s a significant impact to a major thoroughfare in the global supply chain, the effects extend far beyond the canal and ship itself. As a result of this incident, there were global repercussions from which certain companies and markets are still recovering more than a year later.
On a much smaller scale, a U.S. grocery store franchise faced flooding issues in one of their stores. This created cascading effects: There was excess water in the store and flood damage to the store itself, but the water also destroyed inventory. Thus, the unexpected costs of fixing the leak and the store were made worse because the store also lost revenue.
These examples underscore the importance of proactive planning. Business leaders should work with stakeholders to regularly evaluate the top threats to their organizations. This could include analysis of historical events in employees’ communities, crises faced by similar organizations, or spikes in threats in certain geographies. It’s important to get as granular in the analysis as possible. Then stakeholders will be able to see the various effects that occurred, both direct and indirect, as a result of a particular threat.
When a threat does occur, business leaders have a dual obligation: First to care for their people, then to look after their operations.
Plan Now to Avoid Pain Later
To ensure your company can stay strong during a crisis, sufficient preparation is of the utmost importance. Each employee must trust that every person, from leadership to entry level, will know what to do when a crisis hits.
First, try to determine which physical risks are most pertinent to your operations. Identify the five biggest threats to the organization and then rank them based on severity and probability. These risks are dictated by the company’s industry and operational complexity. For example, if you’re a trucking company or distributor, a tornado or heavy snowstorm that affects warehouses and major highways may be at the top of your list. If your company is headquartered in Los Angeles, wildfires may be something to prioritize. If you’re a manufacturer or financial company with call centers or factories in the Philippines, you’d consider prioritizing severe weather, protests, or even landslides local to that area. Identifying these threats will provide a framework in which businesses can analyze threats cross functionally — that is, account for how one threat may affect different parts of the business in different ways.
After you’ve assessed potential threats, it’s time to create a risk-mitigation plan. Your plan may include roles and responsibilities during a crisis, travel protocols, and methods of communication. The plan should also promote alignment on crisis response to mitigate confusion if a threat materializes and take into account every possible impact the threat could have across the business. Although risk mitigation plans should include stakeholders from multiple departments, there should be one person who has clear ownership of physical security, with an easy way to monitor threats as they unfold. After you’ve identified this team member, establish a reporting structure to minimize confusion about who’s in charge if a threat becomes real.
Plans should also include the formation of crisis-management teams. These individuals should be able to communicate where to go, what to say, and what to do should certain events occur during the threat. To help crisis-management teams perform quickly in a crisis, business leaders may also want to remove procedural friction points so that an emergency response can run smoothly. This could mean, for example, providing quick access to emergency funds or preauthorizing overtime for employees.
Remember to regularly update mitigation plans as risks unfold and make those plans accessible company wide. It may help to implement a tech solution that can sort new risk data faster and help ensure plans remain current and relevant. Additionally, AI can help automate updates and minimize errors in the face of a crisis. It can detect threats by processing millions of data points, so organizations can make smart, quick decisions when every minute counts.
Also, remember that practice makes perfect. In preparation for a crisis, it’s vital to run tabletop exercises to practice responses. This ensures plans work and stakeholders are prepared when a real event happens.
After a crisis, debrief and hear from all stakeholders about their experience. This will help to avoid potential mistakes in the future. It’s also important to remember work operations may have to change for a period after the threat passes, giving people time to recover and return to work. This will show employees that their well-being is the company’s top priority.
Benefiting From Organizational Resilience
It’s impossible to avoid all risk. But businesses can leverage organizational structures, processes, and technology to create organizational resilience in the face of unprecedented threats. According to a study from Bain, successful companies find profitability even in the midst of an economic downturn. In other words, achieving resilience does in fact generate a return.
Originally published in Harvard Business Review, February 2023