In the year since Covid-19 forced much of the world into lockdown, organisations have learned hard-fought lessons about resilience and adaptability. The pandemic has shown that ‘once-in-a-generation’ global crises do happen – and that every risk is a technology risk. The experience will no doubt prompt many technology leaders to rethink their approach to megarisks, but what conclusions can be drawn from the Covid-19 pandemic and how should they prepare for the next, looming crisis?
Based on input from more than 600 business, government and societal leaders, the World Economic Forum (WEF) Global Risks Perception Survey scores the likelihood and potential impact of key global risks that could have a “significant negative impact” in the next decade. In the 2021 edition, the most likely crises were infectious diseases and climate risks. Two technology-related risks – digital inequality and digital power concentration – followed shortly after.
A year ago, if a technology executive looked at the WEF’s survey results, their eye might have gone straight to the tech-related risks. But Covid-19 has shown that all risks have implications for technology. Lockdowns forced companies to shift their operations online at a record rate, for example, and the pandemic has given rise to a fresh wave of cybersecurity threats. “Global risks, by definition, are seldom isolated, and this crisis is an example,” says Emilio Granados Franco, head of global risks and geopolitical agenda at WEF.
Franco is hopeful the experience of the last year will prompt organisations to take all global risks seriously – and not just infectious diseases. “It’s in our nature that we often respond when the crisis becomes our reality and not so much when it’s still five or ten years from now, even though the warning signs have been there,” he says. “But this crisis, I think, is going to drive fundamental action going forward. The cost of installing and maintaining sprinklers is always going to be lower than the damage of the entire house burning down. And I think that change in mindset is a reality now.”
Covid-19: Lessons in technology resilience
The pandemic certainly tested the resilience of organisations’ technology operations. Agile working methods proved especially valuable, says Andrew Radcliffe, founder of software development company Spyrosoft, as long-term planning became impossible.
Global risks, by definition, are seldom isolated, and this crisis is an example.
Emilio Granados Franco, World Economic Forum
“The principles of Agile working are about collaboration and transparency and getting stuff done, rather than planning and taking forever to make decisions,” he says. “And when you have a major issue like a pandemic and you need to get your workforce working remotely really quickly, before everything grinds to a halt, that sort of working really paid dividends for the companies that were much more Agile to begin with.”
Covid-19 made it especially clear that cybersecurity risk cannot be managed in isolation, says Stella Nunn, director of operational resilience and IT risk at PwC, as cybercriminals often exploit crises. She points to the case of TSB, the UK bank that encountered a seventyfold uptick in fraud attacks after a botched IT upgrade in 2018. “Because they were openly vulnerable, then they were being attacked, and it turned into a cyber incident, very quickly,” Nunn says.
The interconnected nature of risks can be a boon, though, Nunn adds. She advises an insurance company that, like many financial services companies, suffered an explosion in phishing attacks during the pandemic. But it also found that “more staff were reporting potential phishing anyway just naturally,” Nunn says. “The staff themselves took on a responsibility of managing risk because they had a heightened awareness of risk in the way they were working.”
A challenge that technology leaders face now, says Radcliffe, is balancing cybersecurity risk with the need to provide new, flexible and engaging ways of working. “A company has a responsibility to its people to find that balance, to keep them engaged and efficient,” he says. “If you’re forcing the wrong tools on people, they will naturally try to cut corners and there is a cyber risk in itself.”
Climate risk and technology
The impact of covid-19 will continue to be felt in numerous ways for years to come, says WEF’s Franco. “It started with a virus, but it’s not going to end with a vaccine,” he says. “More often than not, the medium- to long-term damage is actually more costly or more severe than the immediate impact.”
But an even greater crisis is looming: climate change. This, too, is intertwined with the pandemic. Governments are likely to address sustainability objectives in their post-pandemic initiatives, says Ellie Mulholland, director of the Commonwealth Climate and Law Initiative, and businesses should plan accordingly. If they don’t, they may find that new regulation, carbon taxes, or rising energy costs disrupt their recovery strategies.
We know that the effects of risks on people and businesses aren’t borne equally, and exposures and vulnerabilities are really uneven.
Ellie Mulholland, Commonwealth Climate and Law Initiative
They should also consider the unequal impact of global crises, and how climate change will affect some employees, customers and suppliers more than others. “We know that the effects of risks on people and businesses aren’t borne equally, and exposures and vulnerabilities are really uneven,” she says. “Covid has shown us that these shocks compound existing inequality. Businesses have to learn from these in terms of risk management, and have an opportunity to be part of the solution to address these risk multipliers.”
Many companies survived the pandemic thanks to digital technology and the hard work of their employees. But it is vital that companies don’t get complacent, warns PwC’s Nunn. Covid-19 was an unpredictable crisis; climate change is not. Customers will be less forgiving of technology disruptions resulting from the climate crisis, and employees – especially those in IT – will be less inclined to pull out the stops.
“People went way above and beyond what was expected of them,” says Nunn. “You can’t respond to every major incident in the same way. It would be exhausting, and it would cripple people. So, I think it’s about understanding what you can really plan, and what decisions you can make ahead of time.”