If nothing else, 2017 provided proof positive that the unexpected does happen.
South Africa’s political and economic crisis entered a new phase with the GuptaLeaks revelations, Kenya had to rerun its elections and the seemingly indomitable Robert Mugabe was forced from office in disgrace.
Although the election of Cyril Ramaphosa as ANC President has could be seen as reducing risk, his ability to stem corruption, rebuild social cohesion and reignite the economy remains unclear, at best.
The ongoing GuptaLeaks saga has already compromised the reputations of several international firms, with more likely to be affected. GuptaLeaks is just another reminder that the risk landscape continues to develop in often unexpected ways, and it is no longer viable to see risks as discrete and separate incidents.
Risk identification is not enough
The materialisation of one risk is more than likely to affect the organisation’s entire risk profile, and the effects will be felt along the entire supply chain. Disasters are also coming from left field.
For all these reasons, identifying and mitigating individual risks is not sufficient—organisations must build business resilience into their DNA in order to be able to adapt to changing circumstances, protect themselves against threats, withstand attack and, ultimately, recover quickly from any disaster.
Do you have a plan?
According to the ContinuitySA and IT Web Business Resilience Survey 2017, a substantial proportion of respondents (41 percent) still have no business continuity or disaster recovery plans, and only one-third indicated that they were very confident that their organisation would be able to continue functioning with negligible disruption in the event of a disaster.
This is even though most executives would concur on the necessity of having business continuity or disaster recovery plans.
Our experience is that the picture is even worse across Africa as a whole. However, certain African countries, among them Kenya, Mauritius, Botswana and Ghana, are starting to make some headway in ensuring that their business continuity management plans are fit for purpose.
Business continuity management, which is key to building organisational resilience, is gaining traction but more needs to be done. As we continue to integrate into global supply chains, current and potential business partners will see resilience as a key criterion. We must build a risk culture within organisations, with the Chief Risk Officer occupying a seat on the board, and a proactive attitude towards risk.
Six risks have been identified that should be top of mind within an overall drive towards building business resilience:
Cyber risk remains the most likely and most feared risk.
Business, and increasingly government, is now more dependent than ever on IT systems, and the data they contain. IT and data outages thus represent a pervasive risk. Recent research indicates that 79 percent of senior IT managers in the public sector, and 85 percent of those in the financial services sector, consider data and system security the top priority. The risk is exacerbated by the emergence of sophisticated, well-resourced cyber-criminal networks.
The ongoing march of technology must be seen as a great contributor to the cyber risk all organisations face. Mobility, cloud computing and ubiquitous connectivity within the Internet of Things all introduce new risks that must be confronted.
Cloud introduces a hidden but very serious risk: the assumption that cloud adoption will suffice as a disaster recovery plan and the abdication of accountability for business continuity to cloud providers. Without establishing what the cloud provider’s own business continuity plan is, and its commitment to its clients, IT services (especially continuity of data) and overall resilience cannot be assured.
Brand and reputational risk
This is not a new risk, but one that is growing in importance in the Social Media Age.
From the perspective of business continuity, a crisis communication plan is essential to recovering with a reputation and brand that are intact, or even enhanced. Several examples in the past year, among them BA’s IT outage, have shown the impact a tarnished reputation can have on the share price and bottom line.
Compromised state capacity
South Africa is one the many African countries where state capacity to provide utilities and other basic infrastructure continues to be a risk. Water is currently top of mind, but power and other public services can never be taken for granted.
Extreme weather risk
Whatever the causes and longer term trends, extreme weather events seem to be becoming more severe and frequent within the current cycle.
The direct risks are harm and injury to people, as well as physical denial of access to workplaces, but the indirect risks of shortages of clean water, power outages and so on also impact business continuity.
Coming on the heels of Ebola in West Africa, the outbreak of bubonic plague in Madagascar reminds us that Africa’s uneven health infrastructure makes us particularly vulnerable to pandemics that could affect business.
Geopolitical and labour risks
Most organisations recognise that geopolitical risks seem heightened at present, from North Korea and the Middle East to political instability and insurrection on our own continent. The threat of labour disruption is increasingly tied to political volatility, especially as various parties contest the basic economic model of society.
All of these are risk flashpoints, but the real point is that the risk landscape is highly volatile and interconnected.
Organisations must put their main focus on building resilience to ensure they can adapt to, and recover from, disruptions, retain their reputations and thus confirm their places in the global economy.