Depending on the planning and investment in business plans and risk management, a small business can flourish or die when an event or incident directly affects its operations or financial resilience.
Family and micro businesses are especially vulnerable, as even a small loss due to repetitive incidents such as burglary, break and enter and shop stealing, or a reduction in family or other employees needed to operate the business due to injury, illness or death, will have a critical impact on cash flow and business operations. A critical impact then can be broken down as any hard dollar or reputational loss that could endanger the survival of the company.
The loss of stock through fire can be mitigated through insurance, but the loss of customer/client information and listings through commercial espionage, or the loss of stock and client electronic data through a cyber crime ransomware attack, can impact on your business's reputation and operations.
Operations may also be interrupted by natural events, damage or breakdown of machinery, systems or equipment, power or gas outages, fuel delivery strikes, the failure of a supplier of goods or services or delayed deliveries or absenteeism of essential employees. There are many possible scenarios which should be considered such as:
Some quantifiable impact categories for a small retailer could include:
· Inability to record sales
· Inability to accept returns
· Inability to process debit or credit cards, cheques (checks), gift cards, certificates
· Inability to replenish merchandise
· Inability to move merchandise between locations
· Inability to respond to customer communications
· Inability to advertise
A manufacturing company may see quantifiable impact categories as including:
· Inability to order materials
· Inability to receive materials
· Inability to assemble materials
· Inability to advertise products
· Inability to process orders
· Inability to ship products
· Inability to collect payment[1]
It is incumbent on all business owners to understand their risk tolerance. By identifying and evaluating the impact of disasters on business, owners can establish the basis for investment in recovery strategies as well as investment in prevention and mitigation strategies. To do this you need to have developed a risk management plan.
Once you have developed a risk management plan, you should conduct a business impact analysis to assess the likely impact of these risks on your business operations. This is the preparedness step in the prevention, preparedness, response and recovery (PPRR) model[2] for developing a business continuity plan. A business impact analysis identifies the activities in your business operations that are key to its survival.
Business owners should recognise that a business impact analysis (BIA) is a continuous process that predicts the consequences of disruption of a business function and process and gathers information needed to develop recovery strategies. Potential loss scenarios should be identified during a risk assessment. It is not a one-off process.
We don’t conduct one BIA report then step back from it for a year or so. It needs to be constantly monitored to take into consideration changes in the sales, production or security environment. As crime changes and moves from areas of a city or region, threat levels will change and, as many small enterprises have found, a series of break-ins caused by displaced crime can change the financial state of a small business in a very short time and threaten its continued viability.
The first step in developing your analysis is to ask yourself some key questions:
· What are the daily activities conducted in each area of my business?
· What are the long-term or ongoing activities performed by each area of my business?
· What are the potential losses if these business activities could not be provided?
· How long could each business activity be unavailable for (either completely or partially) before my business would suffer?
· Do these activities depend on any outside services or products?
· How important are the activities to my business?
As the risks to your business change, so too will their potential impacts. When you update your risk management plan, you will also need to conduct a new business impact analysis.
Seek advice from all levels of your business in order to identify all processes and functions that go into making your business function, then ask yourself these questions:
· what could occur if this function of my business was unable to function for any reason?
· where could critical financial impact occur and what is the potential amount of the impact?
· where could critical reputational impact occur and what is the potential amount of the impact?
· under what circumstances could a critical impact occur? and
· what is the effect of the impact over a lifetime?
Let’s look at an example of a small business that produces widgets for the mining industry. The widgets are high use and replaced every week to be refurbished by the manufacturer. If we have a crisis and are unable to supply the widgets, mining companies will accommodate a delay of a few days by adjusting equipment operation to reduce wear on existing widgets, but some may not be able to tolerate a delay and may be forced to reduce or cease operations until supply is re-established. The cost to mining companies could be very high, but the cost to the small business could be catastrophic if its reputation is damaged by the crisis and companies seek alternate suppliers as a result.
Business continuity and business resilience that arise from BIA reports are critical in ensuring you can weather a crisis. Whilst bringing in expert consultants to work with you to develop your report on the results of a BIA is a good practice, you can assist by preparing BIA Worksheets that bring critical functions to the fore and allow you to understand the real impact of events on your business.
A Business Impact Analysis Worksheet allows you to look at each function, department or process and identify the point in time at which an interruption would have the greatest impact. A worksheet should be developed for each department, function or process that you have identified. A simple example is shown below:
Business Impact Analysis Worksheet[3]
Department / Function / Process: ……………………………………………………………
Operational & Financial Impacts
| Timing/Duration | Operation Impact | Financial Impact |
| --- | --- | --- |
| | | |
| | | |
| | | |
Timing: Identify point in time when interruption would have greater impact (e.g., season, end of month/quarter, etc.)
Duration: Identify the duration of the interruption or point in time when the operational and or financial impact(s) will occur.
• < 1 hour
• > 1 hr. < 8 hours
• > 8 hrs. < 24 hours
• > 24 hrs. < 72 hrs.
• > 72 hrs.
• > 1 week
• > 1 month
Considerations (customize for your business)
Operational Impacts:
• Lost sales and income
• Negative cash flow resulting from delayed sales or income
• Increased expenses (e.g. overtime, outsourcing, expediting costs etc.)
• Regulatory fines
• Contractual penalties or loss of contractual bonuses
• Customer dissatisfaction or defection
• Delay executing business plan or strategic initiative
Financial Impact: Quantify operational impacts in financial terms.
As part of your business impact analysis, you should assign recovery time objectives to each activity to help determine your basic recovery requirements. The recovery time objective is the time from when an incident happens to the time that the critical business activity must be fully operational in order to avoid damage to your business.
By identifying a time frame necessary to recover and financial amounts to measure your risk appetite where you feel that the business can recover, you can add the information to the table (such as in the above example) to provide better context upon which to base your assessment of priorities for mitigation.
The information resulting from the BIA can be used to bring some local clarity to your consequence rating on your risk management matrix. The table based on ISO 31000:2009 below provides a simplified example of how the BIA could be used when applied to business operations, creating your business impact level (BIL).
| Impacts on business operations | Minimal BIL-1 | Minor BIL-2 | Moderate BIL-3 | Major BIL-4 | Catastrophic BIL-5 |
| --- | --- | --- | --- | --- | --- |
| Operational capacity | Minimal impact on operations. Some reduction in function or process effectiveness but can be dealt with by routine procedures in place. | Minor impact on operations. Some reduction in the effectiveness of several functions or processes but can be dealt with by routine procedures in place. | Significant degradation in organisational capability to an extent and duration that, while the business can perform its primary functions, the effectiveness of the functions is noticeably reduced. | Severe degradation in, or loss of, business capability to an extent and duration that the business cannot perform one or more of its functions for an extended time. | Severe degradation in, or loss of, business capability to an extent and duration that the business cannot perform any of its functions. Business closure likely. |
| Business Assets | Low or no damage to assets. | Some damage to assets that will affect functions or processes whilst replacements are obtained. Time frame for replacement >3 months. | Damage to assets that affects multiple functions or processes and reduces productivity until replacements can be obtained. Time frame for replacement <3 – 6 months. | Damage to assets that results in long term harm to the business. Time frame for replacement <6 months. | Damage to assets that are irreplaceable or beyond financial capacity to replace. |
| Business Finances | Low or no financial loss. | Medium financial loss that does not impact on the ability or capability to meet financial obligations. $100,000 - $500,000 | Financial losses are covered by insurance and recoverable within a short term but will have a short-term effect on capability. Potential regulatory attention. >$500,000 - $800,000 | Substantial financial loss leading to key activities being shelved and loss of public/shareholder confidence. Likely regulatory attention. >$800,000 | Significant financial loss leading to significant damage to the organisation's 'brand' and ability to operate. Significant regulatory attention. >1000,000 |
Note: Estimated financial losses based on micro business model requiring a reliable cash flow.
The information that arises can be used to:
· evaluate whether the limits of insurance are adequate. Are you underinsured?
· compile an inventory of properties and assets and determine whether insurable values reflect inflation costs over time, and
· allow a review of whether property, stock and other insurance policies adequately cover actual cash value or replacement cost.
It can also provide you an overview of just where you need to improve your supply chain to ensure stock, plant or equipment can be replaced within a minimal timeframe to ensure business resilience.
The BIA can assist in allowing you to properly determine just what your risk tolerance level is. A small micro business (such as an on-line business or a restaurant) may have a risk tolerance of BIL-2, whilst a medium size business with a sound client base, good supply chain and regular cash flow may be able to tolerate BIL-3. Each business differs, and each risk tolerance level will differ.
Your mitigation strategies and security investment will, in most cases, align with your level of risk tolerance, in which case second guessing would be a dangerous strategy. Undertaking a BIA to determine consequences and business impact levels will provide you with quantifiable evidence upon which to make business decisions. Your business impact analysis will also help you develop your recovery plan, which will help you get your business running again if an incident does happen.
Like your Business Plan and Risk Management Plan, your Business Impact Analysis is a tool that can provide you an element of certainty during periods of crisis. As Benjamin Franklin stated in his Philadelphia address on fire safety, “an ounce of prevention is worth a pound of cure”. It is as true today as it was in 1736.
[1] https://www.ready.gov/business-impact-analysis
[2] https://www.business.qld.gov.au/running-business/protecting-business/risk-management/pprr-model
[3] https://www.ready.gov/business-impact-analysis