April 2023
Enterprise Services
It’s Time to Assess and Mitigate Climate Risk
Security programs can leverage threat intelligence to prepare for and respond to increasing levels of climate risk.
By Madeline Lauver, Editor in Chief
Climate change and its effects on the planet have been tracked for decades — and with evolving legislation around enterprise environmental, social & governance (ESG) measures, many organizations are or may be required to report climate risk data.
As the planet warms, the global population has seen an increase in the frequency and severity of severe weather and natural disasters, posing risks of damage and harm to organizations' people and assets. Enterprise security teams are turning to threat intelligence, emergency preparedness and risk-based continuity plans to secure their organizations against the rising threat of extreme weather and climate change.
Lana Djurkin-König, Head of Corporate Security at reinsurer Swiss Re, says that climate risk has become a corporate security issue.
“The climate crisis is a planetary and national security issue, and therefore a corporate security issue as well,” Djurkin-König says. “Security departments are responsible for protecting operations, assets and workforces, meaning that the climate crisis has direct and indirect impacts on the delivery of our programs. It demands an imminent and meaningful response where corporate security needs to begin to map, quantify, qualify and mitigate new risks stemming out of climate change.”
Determine the Organizational Climate Threat Profile
To mitigate the indirect and direct effects of climate change on organizations, security leaders should apply threat intelligence to their business environment to determine both the level of climate risk faced by an organization and the amount of risk the business is willing to incur.
“It’s very important as a security leader to understand the organization’s climate threat profile, as well as their risk appetite. Assess risk from climate events and the enterprise risk appetite, and then tailor the security program to the organization,” Djurkin-König says.
Understanding the impact of climate change on the organization can help security teams work with operations teams and business leadership to ensure continuity of business, security and safety of employees, according to Djurkin-König.
By determining the climate change threat profile of an organization, security leaders can better communicate risk to their leadership and work together to decide on appropriate mitigation tactics, from severe weather damage prevention to emergency response. Philip Farina, Vice President, Corporate Loss Control and Loss Prevention at Aimbridge Hospitality, and his team monitor intelligence sources such as regional weather channels, the National Oceanic and Atmospheric Administration (NOAA), and threat intelligence vendors to obtain accurate, real-time information about severe weather and natural disaster impacts on the business.
“We’re in prevention mode — my team and I want to be in the know before something affects our property,” Farina says. “Weather intelligence gives us the ability to mitigate the effects of some events. In some cases — like earthquakes, for instance — we can’t completely stop damage from occurring, but we can still put some elements in place to help mitigate that.”
Identify Climate Risk Impacts
Once the security function has determined which climate risks pose significant threats to their enterprise, they can then calculate their impacts on the organization.
“When we talk about the impacts of climate change on corporate security or security programs, I see two types of consequences: direct and indirect,” Djurkin-König says. “For example, a direct impact happens when a natural disaster or catastrophe hits your workforce or site directly.”
In terms of direct risks, Farina and his team calculate potential impacts of climate risk to Aimbridge Hospitality’s over 1,600 properties across the U.S. The security function works to assess and mitigate climate risk to properties with varying levels of exposure to severe weather and natural disasters.
“Overall, climate impacts are something that myself and my team pay a lot of attention to, and we have developed different tools to help us find how organizations are impacted,” says Farina. “The impacts from a natural disaster can be total impacts, such as the destruction of an asset or damage to an asset, or it could be something as simple as losing business for a short period of time.”
Enterprise security teams must also identify and mitigate indirect impacts of climate change, says Djurkin-König. “The unforeseen impacts are the ones that are more difficult to anticipate and understand,” she says. For example, an enterprise may not have a location in a vulnerable region, but a business in their supply chain might — in that case, enterprise security teams must understand the physical footprint and risk level of their supply chain and plan for supply chain disruptions in the event of severe weather.
Another indirect climate risk impact is the potential damage resulting from inaction, says Djurkin-König. “There is reputational and legal risk stemming from non-action in regards to climate risk. Companies that fail to act as ‘good citizens’ might become targeted by activists,” she says.
Organizations that fail to mitigate climate risk could also face legal ramifications regarding duty of care. “For example, when an employee travels into a region that is impacted by a natural disaster, we need to be able to maintain close contact with them, help evacuate and prevent harm if possible, because our company carries liability stemming out of duty of care principles or legislation,” says Djurkin-König. “From a duty of care perspective, we need to protect our employees. And let’s not forget the dimension of the hybrid or remote workforce. What is our duty of care when employees are working from home and they become impacted by a climate change event?”
To avoid liability and damage, enterprise security teams can rely on intelligence to determine next steps in climate risk mitigation.
“Corporate security departments without intelligence are blind, and intelligence is paramount if we want to do our business properly. Today, we see more frequent and intense extreme weather and climate-related events. And those are creating new and amplifying old risks,” says Djurkin-König. “So what are those risks, and how and where will they crystallize to impact our operations, processes and services, or our workforce? We need to determine how they will potentially impact our operations, workforce and company so we can prepare. All those answers can and should be given by intelligence.”
Contextualize Climate-Related Threat Intelligence
With an abundance of climate risk information sources, it’s critical that security teams rely on accurate data specific to their organization.
“One of the things that we have to be aware of is information overload,” says Farina. “When dealing with all these different sources, security has to filter through and disseminate the information that’s critical for us to know. You can become overwhelmed and overloaded by taking in too much information and not deciphering it to determine what’s really valuable for your organization.”
Keeping the threat profile and risk appetite of the organization top of mind while analyzing threat information can help security teams determine what risk intelligence is most important for the business. As enterprise organizations adapt to a changing environment with more severe natural disasters, security functions can lay the groundwork for future success by focusing on applying climate threat intelligence to their risk mitigation strategies and emergency planning.
“There’s still learning to be done by corporate security departments on how to utilize this data,” says Djurkin-König. “I would say the challenge is not the data itself. The challenge for corporate security departments is developing the ability to turn climate-related information into actionable intelligence and refine or redefine security programs accordingly, as well as to address the threat proactively, rather than reactively.”
5 Steps for Climate Risk Mitigation
Lana Djurkin-König and Philip Farina outlined a number of steps security leaders can take to identify, assess and mitigate the effects of climate risk on their organizations.
1. Forecast
The role of the security team is to monitor and prepare for climate change events before they affect the business. When it comes to natural disaster preparedness, “we’re going to start having these conversations early on, before the storm season necessarily starts. Contextualizing your threat research and associating timelines for different types of weather events with emergency planning is key,” says Farina.
2. Build Resilience Based on Intelligence
Centering intelligence in business resilience planning can help security programs tailor their efforts to the threat profile of the organization. Important intelligence considerations can be location-based, such as tracking severe weather patterns in areas where the business is located, but they can also involve property-specific intelligence, such as the resilience and age of specific buildings. “First and foremost, having an understanding of where your properties are in relation to a natural disaster is critical. Secondly, having an understanding of the different types of facilities and their construction is the next phase in building resilience and emergency plans,” says Farina.
3. Plan for Disaster Recovery
Preparing and assessing risk is an important aspect of climate risk mitigation, but security leaders and their teams need to prepare their organizations to respond during and after severe weather as well. According to Farina, a focus on processes and training can help businesses keep their people safe during severe weather. “When the storm comes, we have our teams follow predetermined processes to secure each hotel,” and then train all employees on how to stay safe during a weather event. “You’ve got to start with a plan right from day one that provides the resources for properties to get what they need.” Farina recommends reviewing employee training and emergency response plans yearly to keep them up to date as the threat environment evolves.
4. Plan for Long-Term Continuity
The next step in mitigating climate risk is planning for long-term business resilience and continuity, as well as contingency planning — past the timeline of one storm and its effects on the business. “On the business continuity planning level, you have to plan and prepare for longer, more frequent and more severe disasters,” says Djurkin-König. Long-term planning can extend to supply chain risk mitigation, as well as business decisions about acquisitions, partnerships and new offices. “The organization may want to rethink opening an office or signing a contract with a third-party vendor located in an area that in five to 10 years will be heavily impacted by climate change events.”
5. Adopt Technology
To power the above steps and enhance climate risk mitigation efforts, Djurkin-König recommends relying on technology. “Look to incident preparedness, business continuity and crisis communication tools to support your risk mitigation plans. Ask yourself, ‘How is your technology suite helping you manage and build up climate resilience for your company?’”
april 2023 / SECURITYMAGAZINE.COM