Remember the story of Hans Brinker, the little Dutch boy who stuck his finger in the dike? He recognized that a small hole left untended could grow larger, ultimately weakening the dike and allowing the sea to come crashing through. He stayed at his post all night, suffering fear, hunger and cold, until help finally arrived. The adults then set about repairing the dike, praising young Hans for saving the countryside from flooding.
In some ways, Hans might be considered a role model for business risk mitigation. Keep an eye out for small problems and plug any holes until a stronger fix can be applied. The problem, of course, is that sooner or later you’re going to run out of fingers. Given the growing complexity of modern-day threats, there aren’t enough kids in all of the Netherlands to prevent a full-scale disaster.
In my last post, I discussed the top three business risks cited in the sixth annual Allianz Risk Barometer. Business interruption topped the list for the fifth year in a row, followed by market volatility and cybersecurity threats. Together, these risks were cited by 98 percent of survey respondents.
Obviously, there are many wide-ranging threats that fall under those three broad categories. Business interruption could stem from a wide-scale weather event, pandemic or supply chain disruption. Market volatility continues to increase in a climate of geopolitical uncertainty and constant technological change. Cybersecurity threats include ransomware attacks, distributed denial of service (DDoS) attacks and data breaches, and can result in business interruption and loss of market share.
Given the scope and reach of business risks, a piecemeal approach to mitigation will not suffice. Organizations need a well-thought-out strategy for risk management that considers today’s business realities and future requirements.
The first step is to identify what most needs protection. This will vary from organization to organization just as the top threats vary. Some businesses will view their intellectual property as their most strategic asset, while others might focus on data or expertise. By identifying what’s most important, you can focus your risk management efforts.
Next, you need to determine the threats to those assets. Experts recommend hiring an outside consultant to assist in this assessment given that familiarity bias can cause organizations to overlook significant vulnerabilities. For example, are you doing enough to enforce your intellectual property rights? Are your data protection measures adequate? Are you at risk of losing key personnel?
The consultant can also help you establish policies and procedures for managing risk, as well as metrics for evaluating those practices. Risk management should be outcome-driven, not activity-driven. It should also be revisited periodically as business requirements and market conditions change.
The worst thing you can do is assume you lack the time or budget to develop a comprehensive risk management strategy. Remember, it was only through luck that Hans heard the water trickling and spotted the small hole in the dike. Without constant attention, your defenses can easily give way to a flood of business threats.