No more risky business

Is it the ‘Kiwi way’ to undervalue ourselves and our businesses?

Certainly that’s the view of Kerry Forde, GM of Triplejump, specialists in human capital risk management, and the other experts we spoke to for this feature.

 

“Kiwis are notorious for undervaluing their importance – that might be virtuous to a point –but is also a potential business and wealth killer. If you are looking for the main asset in your business – find a mirror. Yes, it is almost certain to be you, alongside your hand-picked key team members,” says Forde.
 

“Very seldom do we come across entities where the ‘you’ can walk out for 12 months, or permanently, at a moment’s notice and the business survives without a significant financial impact. This places the wealth created and likelihood of expected future wealth at risk. 

“Sadly, it’s not a scenario owners, who are generally optimists, consider or robustly plan for. They should, however, as the odds are higher than most would realise.”

New Zealand’s mortality and morbidity tables show that a business with three people (average age of 45) has a 48 percent probability of a death prior to 65. And the same business has a 29 percent probability of a disability (accident, or more likely, an illness) lasting six months 

or longer.
 

According to the NZ Centre for SME Research, 20 percent of SMEs will be forced to close within three months if an event occurs removing the owner. 

“Assessing risk likelihood is a key element in business planning and these numbers are too high to be ignored – human capital risk is very much present. So how big an issue is it and what [should you] do about it in your business?” says Forde.

“You need to work through a structured planning process to understand the impacts on both sides of your accounts:

Any reduction or loss of profitability flows through to all who are dependent on it, says Forde – financiers, creditors, security providers and personal income. The chain reaction can be quite rapid.

“Once the magnitude of the impact has been determined, you are then in a position to plan your response, including what risk you can retain and what you need to pass on to an insurer. The key factor is once you know what the implications of an adverse event are, you can take action. Not knowing does not take risk off the table. Human capital risk is ever present.”

So, how do you identify, measure and manage ‘human capital risk’ in your business? 

Forde again: “You must have a risk plan. This needs a genuine professional partner who is an expert in this area to develop and maintain it with you. Then you can keep focused on your specialist area – running your business with confidence towards what you set out to do, even in the face of the unexpected. You are valuable and you are important.  Recognise that and act on it.”

 

We’ve now taken care of the impact of a loss or temporary loss on the key personnel side. Who better than ‘Murphy’, then, to introduce us to the both similar and very different approach physical asset risk management needs to follow?

David Poninghaus is insurer QBE’s technical manager. “While you may be able to fund a small loss from your turnover or borrow from the bank, it is unlikely that you would be able to do this in the event of a major loss. 

“Consider the consequences of the building in which you manufacture your product being totally destroyed by fire. Result: no building, machinery, plant, stock, etcetera and, of course, no income. 
 

“Even worse, if the fire spread to your neighbour’s property, burning it down and you are held liable for their loss. Murphy’s Law is always lurking: ‘anything that can go wrong, will go wrong’.”

QBE’s strategy on risk management is ‘do it right first time’. And they are there to provide their experienced input to guide you to as close as you might get to Nirvana in this sometimes fraught and challenging exercise. 

Before you can make any decisions about what to do, you need to clearly understand where you have a possible exposure to loss. (“You can’t manage what you don’t know.”)  
 

The simplest way of doing this is to make a list of what your business consists of, such as:

That’s the easier part. Now you have to use your imagination or call in his team: they, after all, have seen and done it all. 

“Likely causes of loss,” says Poninghaus, “may include your building damaged by fire; stock lost in transit; a delivery truck written off in a motor accident; a watercraft hitting a submerged rock and sinking; a key staff member injured after a pallet fell on top of him; a faulty product resulting in a customer suffering a financial loss, which they hold you responsible for; your supplier has a major flood loss and can no longer supply you with raw material. The list is almost endless.”

 

If your brain is racing and your blood pressure soaring at this point, as 

you contemplate the quantum of 

your monthly insurance payments, 

take heart.
 

You now have to objectively assess your financial ‘tolerance’ to events like these and that will assist you to prioritise risk treatment options.

“First, you need to consider what steps you can take to reduce the frequency and/or severity of a loss. The likelihood of a loss can often be reduced by adopting sound risk management practices. To eliminate a loss can be achieved by ceasing a particular activity or disposing of the property at risk,” says QBE’s Poninghaus.

What he calls ‘risk treatment’ is minimising, avoiding or financing 

the risk.
 

“When it comes to risk financing, it is important to assume the worst will happen and insure accordingly, remembering:

1. Without well thought-out insurance, in the event of a major loss, it is possible your business will not recover. Your insurance programme must meet the specific needs of your business.

2. If you want to save on your insurance premium bill, it is not wise to underinsure. The wiser approach is to take higher excesses, appropriate for you. 

3. When it comes to the indemnity period of your business interruption policy, it is important the period selected covers you up until you reach your pre-loss turnover, which will invariably be after your property (building/plant and machinery/stock) has been reinstated.    

4. Never underestimate the importance of properly maintained assets.

5. Apply appropriate risk control measures to all facets of your operations.”

 

When you talk about ‘business continuity’, most people immediately think how their business may be impacted in the aftermath of a natural disaster, such as fire or earthquake. And the experience of Cantabrians is seared into the minds of all New Zealanders for good reason.

The recently appointed SME business practice head at Marsh Limited, David Croskery, takes a different and broader view.

“The reality is there are many other things that can happen outside of natural disasters to stop a business running. This can include anything from supplier failure, to a credit crisis, to pandemics. 
 

“SMEs not only need to be aware of these new and emerging risks, but also factor them into their Business Continuity Plan (BCP). For example, one of the new risks hitting companies around the world, to be factored into this equation, is cyber risk.

“Cyber-attacks against companies not only target fraud and the recovery of sensitive data, relating to intellectual property and corporate clients, but also the disruption of activity or sabotage of the production chain. SMEs are typically more vulnerable than larger enterprises, because they lack the resources bigger companies have to help protect their security.

“According to the American edition of PC World, last year roughly 60 percent of SMEs which suffered a breach went out of business within six months after the attack,” says Croskery.
 

New Zealand government statistics show local cyber-attacks have increased – with 134 in 2012 and 219 last year. About 70 percent were attacks on private sector entities and 30 percent on public sector systems.

If you are not prepared you face the following consequences, says Croskery:

Croskery says cyber risk exposures can be diverse and based on 

several components.

“If, for example, you take a real estate agent and a chemical manufacturer exposed to cyber risks, the former will have its exposure based on the amount of data (clients) gathered and stored, to run its business, while the manufacturer’s exposure is based on the dependency of its IT system to manufacture 

its products.
 

“But,” he warns, “the biggest hit can be to your brand and reputation. 

“Who wants to deal with an organisation that has allowed their personal details to be exposed or passed on a virus that takes down their network?”

The solution? Have a solid plan 

in place.

“The key point to highlight here, is not just to ensure that you have factored in cyber risks into your BCP plan but that you cover all new and emerging risks. Having an out-of-date plan is almost as bad as having no plan at all. Unfortunately, you may not realise it until something goes wrong,” Croskery says.

 

We asked one of the founders and CEO of computer services company, Evolution IT, Paul Draper, to scratch the surface of your average SME and point out what his experience showed him about Kiwi SMEs managing IT risks. The response echoed the theme of Kiwis ‘undervaluing’ their businesses, as well as themselves – too many take the cheapest solution and cross their fingers that disaster won’t strike.

“They seem to want to do everything on the cheap. You cannot seriously think that a firewall purchased from a chain-store, for $100 – fine for home use – is going to provide adequate protection and continuity for a production process the company is dependent on for its survival. There is no logic to it. It is the equivalent off putting a paper door as your front door,” he says.
 

“We’ve also come across a multimillion operation, using D-Link between offices and plant. Unbelievably, they’d hacked into it themselves to make it function; after a fashion. But it would go down twice a week for about four-to-five hours. There are massive hidden costs in that from client dissatisfaction to staff morale.” says Draper.

He reckons a proper firewall to sort that type of situation out would cost $1,500 to $2,000, with warranty, some configuration to suit and updates. He is also staggered at the number of relatively big organisations using Skype for teleconferencing, and discussing information of strategic value.

“It’s a public medium, on a communal system, dependent on offshore communications platforms, mainly in the US. Skype is great for keeping in touch with friends and family overseas, but it isn’t ever to be thought of as secure. Any SME worth its salt must have a secure VOIP system and use something like Cisco Telepresence, to avoid a disaster.” 
 

Draper is also appalled at the number of companies still having valuable data stored on, now unsupported, Windows XP-based computers – “What can they be thinking? Or, more to the point; they simply are not thinking.”

Not to mention that recruitment company with 12 years worth of its clients’ details and email addresses, in a database, not backed up, on an elderly (to put it mildly) computer with a $69 hard drive.

It’s clearly time to stop under valuing every aspect of your business.

 

Kevin Kevany is an Auckland-based freelance writer. 

Email [email protected]