Climate change and its effects on the planet have been tracked for decades — and with evolving legislation around enterprise environmental, social & governance (ESG) measures, many organizations are or may be required to report climate risk data.
As the planet warms, the global population has seen an increase in the frequency and severity of severe weather and natural disasters, posing risks of damage and harm to people and assets involved in organizations. Enterprise security teams are turning to threat intelligence, emergency preparedness and risk-based continuity plans to secure their organizations against the rising threat of extreme weather and climate change.
Lana Djurkin-König, Head of Corporate Security at reinsurer Swiss Re, says that climate risk has become a corporate security issue.
“The climate crisis is a planetary and national security issue, and therefore a corporate security issue as well,” Djurkin-König says. “Security departments are responsible for protecting operations, assets and workforces, meaning that the climate crisis has direct and indirect impacts on the delivery of our programs. It demands an imminent and meaningful response where corporate security needs to begin to map, quantify, qualify and mitigate new risks stemming out of climate change.”
Determine the organizational climate threat profile
To mitigate the indirect and direct effects of climate change on organizations, security leaders should apply threat intelligence to their business environment to determine both the level of climate risk faced by an organization, as well as the amount of risk the business is willing to incur.
“It’s very important as a security leader to understand the organization’s climate threat profile, as well as their risk appetite. Assess risk from climate events and the enterprise risk appetite, and then tailor the security program to the organization,” Djurkin-König says.
Understanding the impact of climate change to the organization can help security teams work with operations teams and business leadership to ensure continuity of business, security and safety of employees, according to Djurkin-König.
“Corporate security departments without intelligence are blind, and intelligence is paramount if we want to do our business properly.” — Lana Djurkin-König, Head of Corporate Security at Swiss Re
By determining the climate change threat profile of an organization, security leaders can better communicate risk to their leadership and work together to decide on appropriate mitigation tactics, from severe weather damage prevention to emergency response. Philip Farina, Vice President, Corporate Loss Control and Loss Prevention at Aimbridge Hospitality, and his team monitor intelligence sources such as regional weather channels, the National Oceanic and Atmosphere Association (NOAA), and threat intelligence vendors to obtain accurate, real-time information about severe weather and natural disaster impacts to the business.
“We’re in prevention mode — my team and I want to be in the know before something affects our property,” Farina says. “Weather intelligence gives us the ability to mitigate the effects of some events. In some cases — like earthquakes, for instance — we can’t completely stop damage from occurring, but we can still put some elements in place to help mitigate that.”
Identify climate risk impacts
Once the security function has determined which climate risks pose significant threats to their enterprise, they can then calculate their impacts on the organization.
“When we talk about the impacts of climate change on corporate security or security programs, I see two types of consequences: direct and indirect,” Djurkin-König says. “For example, a direct impact happens when a natural disaster or catastrophe hits your workforce or site directly.”
In terms of direct risks, Farina and his team calculate potential impacts of climate risk to Aimbridge Hospitality’s over 1,600 properties across the U.S. The security function works to assess and mitigate climate risk to properties with varying levels of exposure to severe weather and natural disasters.
“Overall, climate impacts are something that myself and my team pay a lot of attention to, and we have developed different tools to help us find how organizations are impacted,” says Farina. “The impacts from a natural disaster can be total impacts, such as the destruction of an asset or damage to an asset, or it could be something as simple as losing business for a short period of time.”
Enterprise security teams must also identify and mitigate indirect impacts of climate change, says Djurkin-König. “The unforeseen impacts are the ones that are more difficult to anticipate and understand,” she says. For example, an enterprise may not have a location in a vulnerable region, but a business in their supply chain might — in that case, enterprise security teams must understand the physical footprint and risk level of their supply chain and plan for supply chain disruptions in the event of severe weather.
Another indirect climate risk impact are potential damages resulting from inaction, says Djurkin-König. “There is reputational and legal risk stemming from non-action in regards to climate risk. Companies that fail to act as ‘good citizens’ might become targeted by activists,” she says.
Organizations that fail to mitigate climate risk could also face legal ramifications regarding duty of care. “For example, when an employee travels into a region that is impacted by a natural disaster, we need to be able to maintain close contact with them, help evacuate and prevent harm if possible, because our company carries liability stemming out of duty of care principles or legislation,” says Djurkin-König. “From a duty of care perspective, we need to protect our employees. And let’s not forget the dimension of the hybrid or remote workforce. What is our duty of care when employees are working from home and they become impacted by a climate change event?”
“The impacts from a natural disaster can be total impacts, such as the destruction of an asset or damage to an asset, or it could be something as simple as losing business for a short period of time.” — Philip Farina, Vice President, Corporate Loss Control and Loss Prevention at Aimbridge Hospitality
To avoid liability and damage, enterprise security teams can rely on intelligence to determine next steps in climate risk mitigation.
“Corporate security departments without intelligence are blind, and intelligence is paramount if we want to do our business properly. Today, we see more frequent and intense extreme weather and climate-related events. And those are creating new and amplifying old risks,” says Djurkin-König. “So what are those risks, and how and where will they crystallize to impact our operations, processes and services, or our workforce? We need to determine how they will potentially impact our operations, workforce and company so we can prepare. All those answers can and should be given by intelligence.”
Contextualize climate-related threat intelligence
With an abundance of climate risk information sources, it’s critical that security teams rely on accurate data specific to their organization.
“One of the things that we have to be aware of is information overload,” says Farina. “When dealing with all these different sources, security has to filter through and disseminate the information that’s critical for us to know. You can become overwhelmed and overloaded by taking in too much information and not deciphering it to determine what’s really valuable for your organization.”
Keeping the threat profile and risk appetite of the organization top of mind while analyzing threat information can help security teams determine what risk intelligence is most important for the business. As enterprise organizations adapt to a changing environment with more severe natural disasters, security functions can lay the groundwork for future success by focusing on applying climate threat intelligence to their risk mitigation strategies and emergency planning.
“There’s still learning to be done by corporate security departments on how to utilize this data,” says Djurkin-König. “I would say the challenge is not the data itself. The challenge for corporate security departments is developing the ability to turn climate-related information into actionable intelligence and refine or redefine security programs accordingly, as well as to address the threat proactively, rather than reactively.”