Misfortune never comes alone. This age-old adage, which dates back to at least Roman times, is still very true today. A cybersecurity breach, a case of internal fraud, or a supply chain disruption: on their own, incidents like these already pose a great danger.
Managed poorly, they could snowball into an existential threat, warns Tobias Jaeger. He conducts the program Mastering Operational Risk, Resilience, and Crisis Management at the Amsterdam Institute of Finance.
Navigating multiple fronts
Throughout his career, he has been helping businesses navigate crises. Money laundering, theft, extortion, attempted kidnapping: Jaeger has seen it all. In his experience, the common denominator is that companies find themselves fighting on different fronts at the same time. There is the initial crisis, then there is the fallout, followed by the cleanup and restoration.
He gives an example. “Say an employee stole money or a supplier defrauded the company. Fraud cases like that will by themselves already be substantial, but when the response is very poor, all of a sudden they could find themselves in a perfect storm with customers refusing to do further business or the best employees quitting because of their disappointment in the company’s response. Then it quickly snowballs into something that is much more difficult to contain and manage.”
“That’s similar to not buying an extra lock… I find that baffling, given how simple an extra layer of prevention would have been.” Tobias Jaeger, Founder & CEO Falcone International
While businesses are increasingly aware they have to take steps to prevent risks like these from materializing, Jaeger still sees a lot of complacency, particularly in continental Europe.
“That’s similar to not buying an extra lock, while someone broke into your neighbor’s apartment. In a hundred percent of the cases, that lock is not as pricey as having to call the police, deal with the insurance company, and restore the ransacked apartment. I find that baffling, given how simple an extra layer of prevention would have been. Now imagine the lock is an additional firewall for a network, an additional background check for a key employee, or a deeper pre-investment due diligence on an important deal. The mechanism stays the same.”
Smaller companies, big risks
Many smaller companies operate under the false belief that because of their limited size and scope they won’t be an interesting target. This applies in particular to cybersecurity. What they forget is that they might be an attacker’s way into one of their larger customers’ networks, Jaeger explains. “Say you are a marketing agency that works for Heineken, or you’re a subcontractor of that marketing agency. The attackers will try to go through you as you are a tier one or tier two supplier. So, yes, you might not be a prime target yourself, but you could still be a target because of the commercial relationships you have with others.”
This also works the other way around. Larger companies that are diligent about their own networks should be looking out for potential vulnerabilities coming through their suppliers. “I would say everyone is a target all the time. That’s the reality until you sit down, take stock of where you stand, and check what your exposures are. You should get a 360-degree overview of what the risks are that you face.”
Mapping risks properly
Broadly speaking, all risks fall into one of five major categories. These are strategic risk, information risk, financial risk, operational risk, and external risk. Mapping all these different areas and potential sources of risk is a first step in proper risk management, says Jaeger. Next is determining which risks deserve attention.
Of course, context is everything, Jaeger adds. Where a business is located, what its activities entail, who its people are – it matters a lot. “Say you’re a manufacturer, and your company’s success depends on access to a steady stream of natural resources. Obviously, the risk is that you lose that access. If you’re an engineering firm, your biggest risk is probably industrial espionage, the theft of your intellectual property. For all categories, there are different levels of risks. You have to map all of that out and determine what’s out there, what you need to pay attention to, and then, plan for what you will do if something goes wrong.”
Prepare for major developments
What, in Jaeger’s experience, is the most overlooked risk category? “Because it’s so abstract, and seems so far away, it’s probably the external one, especially geopolitical risk”, he answers. He points out that companies have had a fair share of major external developments that impacted their business these past few years.
“Whether it’s the supply chain disruptions during and after Covid, or Russia’s war on Ukraine, or US politics, what you see in these examples is that if you come prepared, you will do better. People tend to say that a problem of this size will affect everyone, and they’ll just have to deal with it when it happens. In this case, the antidote is developing strategic notice, which you can only generate if you actively monitor the world in which you operate. As a business, if you overlook this and then get surprised, you’ve failed in this risk category.”
Gain essential skills to manage operational risk and build operational resilience. Join the 3-day hands-on and interactive Mastering Operational Risk, Resilience, and Crisis Management program by Tobias Jaeger at AIF.