On Business Continuity and War Risks
It’s easy to assume that you’re at peace. As far as you know, nobody has declared war on you. And (hopefully) your government hasn’t declared war on anybody else.
But even if you live in this happy period between wars, and there are no obvious wars on the horizon, you can still have war risks:
- Has any non-state organization declared war on your country, your industry, or your company?
- Are you a key part of a supply chain for a country that is currently at war, and are you therefore a possible target for clandestine attacks including sabotage?
- Are you a likely target for intelligence gathering, either for a current war or a future war?
- Are you physically (or logically) close to some other country or organization that is a potential target?
- Is one of your key suppliers, or one of your key customers, a potential target?
- Do any potential targets (e.g. people) visit you that that might be targeted by one of the parties at war?
Jut because there hasn’t been a formal declaration of war, doesn’t mean that you can avoid becoming involved.
But Doesn’t Our “All Risks” Insurance Cover All This?
One of the major problems with war risks is that we have to consider them for ourselves. They are generally excluded even from “All Risks” insurance polices. Read your policy and you will probably find a section like this:
War and Terrorism Exclusion Clause
This insurance does not cover loss, damage, cost, or expense of any kind directly or indirectly caused by, resulting from, or in connection with any of the following, regardless of any other cause or event contributing concurrently or in any sequence to the loss:
- War, declared or undeclared, civil war, revolution, rebellion, insurrection, or any hostile act by or against a belligerent power;
- Capture, seizure, arrest, restraint, or detainment (including piracy), except for actions taken under the lawful authority of a recognized government for customs or quarantine purposes;
- Use of any weapon of war employing atomic fission, fusion, radioactive force, or matter, including nuclear, chemical, or biological weapons;
- Terrorist acts, sabotage, or any act of persons acting from a political motive, including but not limited to acts of violence intended to influence a government or intimidate the public;
- Any consequence of any of the above, including but not limited to confiscation, nationalization, requisition, or destruction ordered or recommended by any government, public or local authority.
It is understood and agreed that this exclusion applies whether or not such events are foreseeable, occur during peacetime or wartime, and irrespective of whether the insured has any involvement in or connection to such events.
Note how broad that definition of war risks is. There’s no formal declaration of war required. The hostile acts may be committed by non-state actors, or even your own government. If you have deep pockets you may be able to argue in court against your insurance company that the losses should have been included (see, for example, the four-year long legal battles between Merck or Mondelez International and their insurers over damage caused by Russian NotPetya malware targeting Ukraine). Your insurer has undoubtedly updated their exclusion clauses to take those legal results into account.
Insurance companies like the risks they insure to be predictably unpredictable. War is unpredictably unpredictable. They can’t average risks between clients or use history as a guide. Enemies do things which nobody has ever considered. You can buy specific “War Risks” insurance but that is expensive. If you have an oil tanker that needs to navigate the Strait of Hormuz, for example, you might (depending upon the current outlook) be able to buy some very specific coverage. But don’t expect the policy to be cheap: you’re only buying this policy because you think there’s a high chance of you claiming against it, and the insurance company knows that just as well as you do. Your transit of the Strait may therefore prove unprofitable, even if it is uneventful.
But surely the government will offer compensation?
If history is any guide, government compensation will be partial, delayed, or non-existent. It might surprise you to learn how little civilian World War 2 damage was covered. The British brought in a compensation scheme for repair or replacement of “fixed assets” in October 1941. (That’s after the major bombing of London between September 1940 and May 1941). Many other countries did not have the luxury of time to bring in similar legislation, or did not consider it necessary to do so. There may be general compensation for “criminal acts” including terrorism, but don't assume it will be simple or automatic. Criminal compensation is typically aimed at personal injuries, not business losses.
So if you’re on your own, what are the risks, and what are the mitigation steps (other than taking out War Risks insurance) that you might consider?
The Risks
Are You a Target?
This is the first question to ask. It determines what the threats are, how likely they are, and what the possible consequences might be.
- Are you a target for one of the belligerents? Are you part of the supply chain for a weapon or a critical resource?
- Are you a target of opportunity? If, for some reason, a primary target could not be attacked, do you have something of value that might be attacked instead?
- Are you a strategic target? Might you be targeted for the indirect effects (disruption of economy, demoralization of civilian population, diversion of defensive forces) that attacking you would cause?
- Are you a proxy target? If the primary target is difficult or amorphous, would you serve as an alternative target for political or other aims? Is your brand symbolic of a country or an idea? For example, if it’s not possible for an attacker to directly attack the USA, would you serve as an acceptable substitute? If I wanted to attack (say) the meat processing industry, would that make you a potential target?
Are You Acceptable Collateral Damage?
- For terrorist, anti-terrorist, and quasi-terrorist campaigns, are there any people or vehicles that visit your location and might be targeted?
- If there a target located adjacent to you? Might an attack on the intended target also cause death or serious injury to your employees or damage to one of your locations?
Are the Supply Chains you are part of At Risk?
- Are parts of your supply chain potential targets? Do you rely on electric motors that are supplied by a company manufacturing drones, for example? If they are attacked, will they still supply you?
- Are some of your major customers potential targets? If your key customer is attacked, will they still need or want your products or services?
- Will government requisitions and direction of manufacture directly affect your suppliers or the market for your products or services?
- If the government introduces conscription, will this affect your staffing? Will staff volunteer or move to new higher-paying jobs elsewhere? Will you still have a skilled workforce?
- Will an increase in hostilities affect the market for your products?
- Will hostilities affect the availability or cost of key supplies? For example, the USA-Israel / Iran war and the blocking of the Strait of Hormuz affected not just the supply of various important grades of oil, but also the global supply of helium, fertilizer, and saffron! In addition, the diversion of ships increased the cost of shipping containers worldwide.
Mitigations
Unless you are in a very privileged position and have your own well-equipped military, the actions that you can take to mitigate risks are limited:
- Diversify supply. The greatest profits and greatest risks may come from single-sourcing components and other supplies. Using a single preferred supplier can decrease costs; familiarity and trust of existing vendors does not encourage exploration of new sources of supply. However, having alternate sources of supply (“second sources”) is one of the oldest mitigation techniques. (As an added benefit, it also protects against vendor lock-in and arbitrary price increases.)
- Diversify or consolidate locations. There’s an old saying that you should not keep all your eggs in one basket. There’s also an aphorism attributed to Andrew Carnegie: “Put all your eggs in one basket, and then watch that basket”. Depending upon your assessment of your ability to defend against possible threats, it may either be better to keep all your resources in a single location, or to spread your resources around so that damage to a single location would not be catastrophic. (If you’ve ever wondered how the British produced Spitfires when under sustained enemy attack during the first years of World War 2, the answer is that production was dispersed to many small facilities around Southampton. The two main factories were destroyed by bombing in September 1940).
- Don’t make intelligence gathering too easy. Open Source Intelligence (e.g. information available on the web, recruitment advertisements, network configurations) provides a lot of information that can be used for target selection and reconnaissance. While a lot of information disclosure is desirable in peacetime, don’t make life too easy for a poorly-resourced adversary. If I use a search engine to identify key suppliers for a piece of military kit, will I find you? Does your company website say where it is made? Does it remind everyone just how critical you are as part of its supply chain?
- Staff are targets. If I want to intimidate, assassinate, subvert, or blackmail your key staff, how easy is it for me to find them? Is there a convenient list on your website? Can I find them on LinkedIn? Can I find out where they hang out and who their families are on Facebook? Can I determine their movements far in advance from press releases? Is it easy to target their email with personalized phishing attacks impersonating other staff? Can I use published speeches and AI to clone their voice and ask your IT staff to reset their passwords? Your staff will always be a “soft” target. Briefing staff about potential attacks and limiting unnecessary external disclosures is probably all you can do except in obvious times of war.
- Decoys, Disguise and Camouflage. If a sign says “Product Research Facility” does it need to be true? If it says “Drone Engineering Plant 6” does it mean there are at least five others? There’s no reason the purpose and scope of each of your locations needs to be too easy to discover.
- Harden weak points. If there are no physical access controls, that’s a weakness. If there is no network segmentation and minimal access controls, that’s a weakness. If anyone can call in to IT and get their password reset remotely, that’s a weakness. Asking simply “how easy is it for an unauthorized person to access a location or to obtain access to our network?” or "how easy would it sabotage or arson be for an outsider?" may suggest some cheap and easy (but probably inconvenient) controls that could be put in place.
- Consider possible threats when choosing new locations. Assume a non-zero threat level when choosing or building a new location. Can access be controlled? Is access to adjacent areas controlled? Could a vehicle be parked nearby? Does the design of the building amplify or mitigate the effects of blast damage?
- Ensure IT protections against Ransomware and Malware are in place. War is no longer confined to armies or fields of battle. Anything that can be done to disrupt normal life or demoralize populations anywhere on the internet is fair game, especially if it can be done without attribution.
- Practice Emergency Procedures. While (hopefully) you’re current risks aren’t so great that you’re fortifying buildings with sandbags and adding plastic window film to guard against flying glass, it’s worth making sure your current emergency procedures are well-known and well-rehearsed. The aftermath of many possible attacks are not dissimilar to the existing risks of fire, explosion, active shooter etc. Do you have enough first-aiders? Is their first-aid training up to date? When was the last fire drill? Do you have (or need) a plan for shelter-in-place? Do your staff actually know what the plan is? What should they do if they don’t recognize someone, or if they see someone is acting suspiciously?
It’s easy to think that war is remote, and that things which happen elsewhere will never happen here. But times of total peace are a rarity. Even in times of peace, the ability of a small group to cause serious damage and casualties has never been greater.
The TL;DR
War Risks need to be considered, even in times of peace. Review your risks regularly, decide on appropriate risk mitigations, make sure your staff know what your emergency procedures are, and practice those procedures regularly.
(Unashamed product plug: if your staff are uncertain what they should do in an emergency, check out our product Plan424!)