It takes more than one swallow to make a summer. Or: Top management commitment still low.

In November 2015, the Business Continuity Institute (BCI) and Zurich published the 'Supply Chain Resilience Report 2015'. This report, which is available via the BCI's website www.thebci.org, shows some positive trends in supply chain risk management. However, it also reveals that top management commitment is still on a low level.

Figure 1: Top management commitment to supply chain resilience (source: Business Continuity Institute/Zurich: Supply Chain Resilience Report 2015, Caversham.)

Figure 1 shows, that in comparison to the results of the 2014 survey, top management commitment to managing supply chain risks increased by 4 percentage points - which is for sure a positive trend. However, still only one third of the respondents see a high impact of top management commitment. If we follow the arguments of the reports, top management commitment is seen as an enabler of supply chain visibility, the percentage of high impact commitment is relatively low. Nevertheless, the percentage of respondents who see a low or no impact at all is reduced to 25 %.

Figure 2: Consequences of supply chain risks (source: Business Continuity Institute/Zurich: Supply Chain Resilience Report 2015, Caversham.)

One of the top question in risk management is 'what will be the consequences if risks do happen'? Figure 2 shows the consequences reported by the respondents of the survey. Not surprisingly, the loss of productivity is the type of consequence mentioned most. However, this type of consequence is an internal consequence, whereas the next important outcome are customer complaints, mentioned by 2 out of 5 respondents. Here, we can see, that consequences of risks are visible to and perceived by external parties.

Figure 3: Cumulative financial impact of supply chain interruptions (source: Business Continuity Institute/Zurich: Supply Chain Resilience Report 2015, Caversham.)

As figure 3 reveals, the cumulative cost of risks (assessed over a period of 12 month) show, that more than half of the risks have a slightly low impact. (Of course, this number should be seen in relation to the financial size of the company.) On the other hand, every 7th company realized cumulative cost of 1 million EUR or more. If we look at the cost of the most significant incident (a graphic that is accessible in the original report), we see that every 11th organization had a single incident with risk-related cost of 1 million EUR or more.

Figure 4: Predominant sources of risks with a supply chain (Business Continuity Institute/Zurich: Supply Chain Resilience Report 2015, Caversham.)

When we talk about supply chain risks, we should see the total supply chain. 'Supply chain visibility' is a key term - but has not been implemented widely yet. Figure 4 shows, that almost one third of the respondents does not (or is not able to) trace supply chain risks within the supply chain. Additionally, the diagram is also misleading, because it mixes exclusive and non-exclusive answers. The values for the first three bars should have been calculated on the basis of the 69 % of the respondents who do analyze the full supply chain. When we update those number we realize that

1. 72 % of the companies who analyze the full supply chain, identified the predominant source of interruption on 1st tier,
2. 30 % of those companies identified the main source on tier 2, and
3. some 11 % see the predominant source of the risk on a lower level.

Source: Business Continuity Institute/Zurich: Supply Chain Resilience Report 2015, Caversham. The full report, which contains much more information than shown in this short review, is available as a download from the BCI's website: http://www.thebci.org/index.php/bci-supply-chain-resilience-2015

'Business interruption' still THE hottest risk

The Allianz Risk Barometer - Top Business Risks 2016, the fifth annual survey focusing on corporate risks, has been published recently by Allianz SE and Allianz Global Corporate & Specialty SE (AGCS). It gives an overview on corporate risks, seen from the perspective of managers of AGCS and local Allianz entities. Overall, 824 respondents from 44 countries participated in the survey.

Figure 1: Top risks (Source: Allianz SE/Allianz Global Corporate & Specialty SE: Allianz Risk Barometer 2016 Appendix, 2016, p. 1)

A first look at the summary (see figure 1) does not reflect any surprises - and on the other hand leads to stop for a second: Two risks are new, they seem to be 'rising stars', since they were not existing in the previous study from 2015. Market development, which comprises volatility, intensified competition, and market stagnation, and macroeconomic development (i.e. austerity programs, commodity price increase, inflation/deflation) seem to be new. However, in former reports the individual risks of market respectively macoeconomic development had been ranked seperately - and are now ranked collectively. This leads to a shift in the top 10 list, and makes it difficult to compare the current results with the findings from 2015.

Besides that, the top 10 risks do not bear, as said, any surprises. Business interruption is still the 'hottest' risk. (We will look at some details in a minute.) The aforementioned market development is seen as second important risk. Cyber incidents are of growing concern: After 12 % in 2014 and 17 % in 2015, now 28 % of the respondents see cyber incidents as an important risk. The growth rate of those risks is alarming. (We will get back to cyber risks later in this article.) Both natural catastrophes and fire/explosion are seen to lose importance in relation to other risks. Changes in legislation and regulation also seems to be of lower significance, because it is ranked lower than in 2015. This, however, is a pitfall of the newly 'created' (i.e. compiled) risks - indeed the percentage of experts seeing changes in legislation and regulation as a risk, has risen from 18 % up to 24 %. Thus, the 'trend' shown in the rightmost column is a misleading and not fully correct information for some of the risks.

Figure 2: Geopolitical risks (Source: Allianz SE/Allianz Global Corporate & Specialty SE: Allianz Risk Barometer - Top Business Risks 2016, 2016, p. 5)

A second critical remark must be made about the classification of risk. Of course, an exact classification that avoids any grey or fuzzy areas is almost impossible. There are numerous schemes for classification, but almost non of them allows for a selective clustering of risks. In the 2016 risk barometer we can observe the problems of non-selective risk groups. Although there is one risk category 'business interruption' (THE no 1 risk), there are other classes of risks, that integrate or at least lead to some portions of business interruption. For example, when looking at details of political risks, we can see the cause effect relationship of those risks with business interruptions. When asked what risks within the context of geopolitical instability businesses were most worried about, more than half of the respondents mentioned impact on supply chains (see figure 2). Also, other risks, such as natural catastrophes, fire and explosion, and cyber incidents can lead to severe business interruptions (see figure 3). Thus, due to the fuzzy classification and some implicit cause effect relationships within the top risks, the ranking of the risks is not fully explicable.

Figure 3: Major causes of business interrpution (Source: Allianz SE/Allianz Global Corporate & Specialty SE: Allianz Risk Barometer - Top Business Risks 2016, 2016, p. 6)

Besides nat cat's and fires or explosions, business interruption risks are created within a supply chain: As figure 3 shows, also supplier failure is one of the top 3 causes of business interruptions that companies fear most.

In the future, cyber incidents are seen as heavily increase the threat of business interruptions: 59 % of the respondents see cyber incidents as major future threat.

Figure 4: Causes of economic loss after cyber incidents (Source: Allianz SE/Allianz Global Corporate & Specialty SE: Allianz Risk Barometer - Top Business Risks 2016, 2016, p.11)

Cyber incidents are not only cyber attacks (or cyber crime in general), but also data breaches and general IT failures. Industry 4.0 (or the 'Internet of Things') and its underlying trend of continuing and accelerating digitalization is a development that - besides increased effectiveness and efficiency - lead to new and more risks. Those possible negative impacts that companies fear most are shown in figure 4. As can be seen from figure 5, cyber incidents can lead to economic losses due to different reasons. Reputational loss is the most important cause for economic losses, followed by business interruptions.

Figure 5: Impacts of ongoing digitalization (Source: Allianz SE/Allianz Global Corporate & Specialty SE: Allianz Risk Barometer - Top Business Risks 2016, 2016, p.12)

If companies look into the long-term future, i.e. 10 years or later, cyber incidents are seen as the top emerging risk: 33 % of the experts see such cyber incidents as the most important future risk. This fits to the result mentioned earlier which described the rise of cyber risks as top current risks. Behind cyber incidents, managers see business interruptions (11 %) and terrorism (9 %) as emerging risks in the far future.

The study results (Allianz Risk Barometer - Top Business Risks 2016 and Allianz Risk Barometer 2016 Appendix) can be downloaded from AGCS' website: http://www.agcs.allianz.com/insights/white-papers-and-case-studies/allianz-risk-barometer-2016/