The Small Business Administration (SBA) reports that 85% of small businesses that go through a disaster event never recover. Planning for business continuity is key to ensuring that a business does not go under. Ensuring that a company is resilient is crucial to protecting the company from failure. This is the first of four articles on preparing a small business for disaster. For this series, a small business is any establishment that has fewer than 200 employees and/or earnings of less than $25 million per year. However, for any business, whether it is a micro-business, a medium-sized business, or a major corporation, these tips are practical and worth exploring.
The articles will cover the following areas:
- Protecting a Small Business from Disaster: A Different Approach
- Risk Analysis and Mitigation
- Creating and Executing a Business Continuity Plan
- Realistic BCP Exercises and Testing: Beyond DR
Business Continuity = RESILIENCY
Business continuity is not a project that ends when a document is created, signed by the Board, tested, and filed away. First, banish the word “recovery” from the company dictionary. The goal is not to recover from a disaster; it is to continue through the event without failing the company’s primary stakeholders: the employees, the customer, and the owners, whether shareholders or the company founder(s). A business owner should consider business resiliency as integral to their business operations. Each area of the organization should be built to continue if there is a disaster. Resiliency is as much a part of the bottom line of any business as location, information technology (IT) support, or a loan from the local bank.
Send a message: this is serious business
Do not look at continuity as an “add-on” duty. Take the approach that the company’s existence depends on the ability to continue functioning no matter what happens. Continuity planning should be someone’s full-time job. That person and their staff (if they have one) should report directly to the CEO or the COO. This makes it clear to everyone in the organization that continuity matters: resiliency is what will keep the organization flowing.
While the Business Continuity Manager may want to have a disaster recovery specialist on the team, the BCM manager should be someone who understands how businesses work and how resiliency can boost the bottom line. Focus on hiring someone who has the outlook that business continuity affects everyone from the janitor to the C-suite. If necessary, hire a consultant to help get the Business Continuity Management department started.
A steering committee should be formed that involves the managers or subject matter experts from throughout the organization. This may include the CEO/owner, COO, CFO/accountant, warehouse supervisor, head of retail management, or whatever is appropriate for the business. The steering committee will determine what the risks are to the organization, what the critical tasks/functions are, and what strategy to take for mitigation and continuous resiliency. The committee does not have to be static; people can be added or released as needed. But the top people in the company are permanent members. Again, this lets everyone know that resiliency is just as important to the organization as accounting, sales, and the fashion buyers.
Focus on Resiliency
Company management must be committed to looking at every area of the company and determining how to continue the business of business during a disaster.
The first issue is to expand the definition of the word “disaster” to this one, as defined in the Disaster Recovery Journal’s Glossary of BCP terms: “A sudden, unplanned catastrophic event causing unacceptable damage or loss.”
This definition is broad enough for the focus of this article. A sudden drop in stock prices that cuts the company’s cash reserves in half in an hour is a disaster because the loss is unacceptable. Has your company already secured credit that can be tapped during a sudden downturn? At reasonable rates? The head of Accounting, who is actually the entire Accounting department, survives a heart attack on Thursday and decides to retire. Immediately. Who is going to take over on Friday morning and get the payroll processed? A wildfire burns down your warehouse full of spring fashions on February 28, just as the sales circular is arriving at prospective customers’ houses. How quickly can stock be replenished?
Oh, and someone forgot to do the backups in the IT department for the last three days. So when the air conditioners go out and the servers crash from the heat (I have seen it happen), there is a good chance that the transactions for the last three days are not recoverable.
In traditional Business Continuity Plans, only the heart attack and the IT debacle are considered in planning. Challenge the BCP Steering Committee to create a list of all of the risks to the company. Do not worry about going overboard. Only colonization by Martians is off limits. Cutting the brainstorming list down to a reasonable and manageable number during a risk analysis will be discussed in the next article.
Finally, consider the day-to-day activities of the organization. What steps can be taken to ensure that, no matter what happens, the business continues to run? If the electricity goes out, do the cashiers have calculators? Do they know how to use them? If the price of gas goes up to $5 a gallon, have all of the landscapers been trained in fuel consumption, and do they use those procedures daily? If a fire breaks out at the charter school, have the students and teachers been trained in evacuation?
Resiliency requires the company management to create procedures that are not only efficient, saving money and time, but also resilient. Using laptops for every employee instead of desktops may allow the company to continue processing customer requests from the local coffee shop if the normal workspace is uninhabitable. Better yet, the company can save money on leasing office space by using telecommuters and increase the company’s resiliency by dispersing the staff to different geographical areas. If a tornado hits one area, the entire staff will not be affected, and work may be able to continue.
This article provides a general overview of what a resilient organization should look like. The next article, “Risk Analysis and Mitigation,” will provide an overview of how to determine the risks to a company and how to effectively mitigate them without breaking the bank.