In observing the global impact of the Microsoft-CrowdStrike ICT disruption that occurred on July 19, 2024, what resonates above all else is that this has become the rule rather than the exception.
With cyberattacks, both fraudulent and politically motivated, ICT failures, climate change-driven catastrophic weather events, pandemics, war, geopolitical upheaval, assassinations (and attempts), and civil unrest, we are living through a period of frequent disruptions to the rhythm of everyday business. We are experiencing what we used to call a “paradigm shift.” And in this case, it’s not good news.
This is important to business leaders for two reasons. First, businesses have become as important as nation states. Apple’s market capitalization at $2.9 trillion is comparable to the size of the entire UK economy. Microsoft is roughly equivalent to the annual economic output of India.
Second, most business leaders have neither the skills nor the awareness to grasp the impact of disruptive events on their operating models. In some cases, they are dismissive of the potential impact of those disruptions, and singularly uncurious about their own responsibility in the face of it.
However, risk professionals don’t have to predict specific events to be successful. On the contrary. An “all hazards” awareness of potential disruptions with a focus on material exposures is the best approach. Indeed, all initial indications on the morning of July 19 were of a massive cyberattack against Microsoft, CrowdStrike or both. Fortunately, the root cause was something much less pernicious, but no less disruptive to those businesses affected – especially banks, airlines and hospitals.
But as in matters of the law, ignorance of exposure is rarely an acceptable excuse for failing to be resilient when a disruption does occur. This attitude is so pervasive that it’s worth making the case that disruptive risks can and should be identified, assessed, measured, managed, communicated, and reported just like any other risk.
There are several tangible arguments to support why managing disruptive risk needs more attention from senior leaders:
1. Geographic risk factors are responsible for a large percentage of business disruptions. When geographic risk events do occur, they tend to be severe. Risk teams who do not already monitor for geographic-related risks must do so if they are looking to get ahead of the threats that can have adverse effects on their organizations from across the world.
2. Risk of disruption must be understood and appreciated both in terms of near-term events and longer-term trends. High-impact events like the massive Microsoft outage often capture widespread attention. Disciplined risk management requires monitoring disruption alerts in real time while simultaneously watching for the deterioration of a location’s risk profile over time and across risk categories. Firms that do this are taking the first steps toward predicting the highest-probability events and focusing on mitigation measures, compensating controls, or replacement of a problematic third party.
3. Not to assess and quantify the risk is tacit risk acceptance. Being unaware of risk exposure does not mean that it will have little impact – it can be just as detrimental. Risk should not be inadvertently accepted on behalf of the entire firm as a result of inadequate risk assessment.
4. Take into account shareholder expectations. Organizations should be providing context around risk awareness, even when the risk of an event is low. Share what measures are in place to ensure that staff, premises, supply chain and balance sheets are resilient to possible risk scenarios.
5. Business is being conducted in real time, so risk and disruption must be managed in real time too. It has become axiomatic that business is done in real time, and society’s expectation is that services be available literally 24/7. Microsoft’s outage clearly demonstrated the need to have contingency plans in place. The technology that allows us to manage risk in real time is now at our fingertips. Firms that decide, consciously or not, to manage risk quarterly or annually while their business operates 24/7 are at a decided disadvantage to those that have aligned their risk management to the tempo of their business.
The key point here is that business resilience is an organizational challenge that requires leadership to successfully address. This starts with the necessary resolve that a resilient enterprise is both necessary and achievable. Arguably the most important question is the first one. And it starts with some deep introspection amongst the most senior leaders in the firm, who need to be asking themselves, “What outcome do my stakeholders expect and deserve and how will I deliver it?”