The terms "risk management" and "business continuity" can cause some confusion for business owners. What's the difference? Should I spend more time on one than the other?
Many consider business continuity to be a part of risk management, so it makes sense to blend the two when creating a plan for your business.
What is Risk Management?
Wikipedia defines risk management this way:
"The identification, evaluation, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities."
Let's break that down into simpler terms. Risk management involves identifying risks and putting systems or plans in place to try to prevent bad things from happening to your business, including monitoring for risks to try to stop them before they happen.
What is Business Continuity?
Wikipedia defines business continuity as:
"The capability of an organization to continue the delivery of products or services at pre-defined acceptable levels following a disruptive incident."
In layman's terms, business continuity is how a business reacts, or how it has prepared to react, when something bad happens that affects the company. It is not about preventing a risk from happening, but about planning how the business recovers when it inevitably does happen.
Here is an example of both:
Ships at sea have radars and, in the old days, look-outs to help prevent them from running into anything. These systems identify risks (e.g., another ship, an iceberg, a reef, etc.) and allow the ship to steer clear of them. The process of identifying risks and taking steps to prevent them from happening is risk management.
Ships have plans for when disaster strikes. These plans include damage control techniques to repair the ship from damage and keep it from sinking, as well as continuously training the crew to react to risks when they happen so they can keep afloat. This is business continuity. When something bad happens, you have procedures in place to keep the damage to a minimum so you can keep your business (or ship!) in operation.
Hope for the Best; Plan for the Worst
While this saying is practiced by many, it should not be a mantra for business owners. Don't settle for hoping that only good things will happen. Instead, search out the risks to your business, whether it's potential IT problems, natural disasters, supply chain issues, or loss of utilities. Always ask yourself: If this happens, what would we do?
Identify Potential Threats (Analysis)
Threats to businesses usually include:
- Natural disasters (fire, flood, severe weather)
- IT problems (server crash, phone systems down, lost data, security breach)
- Utility outages (electricity, water, gas)
- Supply chain issues (supplier goes out of business, limited quantities, increase in prices)
Take the time to make a list of different scenarios where unforeseen circumstances could affect how your company operates. Here are a few questions to help guide your thinking:
- Do you have alternative suppliers you can buy from if your primary one goes out of business or has no products for you?
- Is your critical company and customer data backed up offsite in the event of a fire, flood, or server crash?
- If the power goes out for an extended period of time, do you have a backup power option such as a portable generator? This would be useful for companies needing to keep products cold or frozen.
- Does your company have essential employees whose absence would affect day-to-day operations?
No one likes to think of bad things happening, but the time spent identifying risks and threats will ultimately help you be prepared for when disaster strikes.
Decide What Steps Need to Be Taken (Decision)
Now that you've made your list of potential risks, you need to decide what steps should be taken when one or more of these risks happen to your business.
Start researching solutions to the identified risks:
- Look for alternate suppliers if your main one can't meet your needs.
- Find solutions to back up your company and customer data.
- If your company needs to keep products cold or frozen, look at alternate power solutions when the electricity goes out.
- Identify other employees who can learn from and train with critical employees so they can fill their shoes in their absence.
There will be costs associated with some of these solutions, but weigh your potential loss against the cost of the solution to see if it's worth the investment.
Take Your Solutions and Put Them in Place (Implementation)
After you have identified solutions for handling different risks, prioritize and start implementing them in your company. For solutions that require more significant monetary investments, schedule the implementation based on your budget.
- Start communicating with other suppliers so you are ready to order from them on short notice if the need arises.
- For data backup, you can either do this yourself or hire an IT consultant to set this up for you.
- Purchase a gas generator to have as a backup power source for when there is no power so you can keep your refrigerated and frozen products from spoiling.
- Create a cross-training program for your employees to help ensure smooth operations in the event of an extended absence of key personnel.
Some solutions will take less time to implement than others. Decide on the most important ones and start there.
Test Your Solutions Regularly (Validation)
This part of risk management and business continuity planning often falls through the cracks. Companies determine solutions and invest money in implementing them but often don't take the time to make sure they will work when they are needed.
- Order small amounts of products from the secondary vendors you have identified to see how long their process takes and what the quality of their products is. Identify those to order from when you can't get your product from your leading supplier.
- Conduct IT "disasters" regularly (off-hours would be ideal). Pretend the server you keep your payroll on just crashed and you need to pay your employees tomorrow. What is the process for getting up and running? Have your IT staff or hired consultant create detailed directions for starting a new server or accessing the data on the cloud so operations can continue. The stress of an IT disaster is bad enough with a plan but ten times worse without one.
- It's unnecessary to shut down power to your whole business to test a backup gas generator, but can it handle your refrigeration and freezer units? Isolate these and determine if the generator can handle the job. Better to know ahead of time.
- Run scenarios where your key employees are "out of the office". Can other employees step up and keep the business running optimally? This process will help you find areas that need additional training and identify new essential employees for the future.
Keep Your Head Out of the Sand
It's easy to ignore the risks and say "it won't happen to me/us," but rest assured something will happen when you least expect it. Be proactive in identifying the threats to your business, decide on what steps to take to counter these threats, implement the solutions you determined, and finally test these solutions regularly.
This process takes time, effort, and in most cases, money to achieve. Most businesses don't like to spend money on things they don't think they will need, but imagine the amount of money lost if you can't meet the threats and keep your business running.
© 2021 SVA Certified Public Accountants