
Wednesday, 15 August 2018

Establishing Business Impact Levels and Risk Tolerance for your business.



Depending on their planning and investment in business plans and risk management, small businesses can flourish or die when an event or incident directly affects their operations or financial resilience.

Family and micro businesses are especially vulnerable as even a small loss due to repetitive incidents such as burglary, break and enter and shop stealing; or a reduction in family or other employees needed to operate the business due to injury, illness or death, will have a critical impact on cash flow and business operations. A critical impact then can be broken down as any hard dollar or reputational loss that could endanger the survival of the company.

The loss of stock through fire can be mitigated through insurance, but the loss of customer/client information and listings through commercial espionage, or the loss of stock and client electronic data through a cyber crime ransomware attack, can impact on your business's reputation and operations.

Operations may also be interrupted by natural events, damage or breakdown of machinery, systems or equipment, power or gas outages, fuel delivery strikes, the failure of a supplier of goods or services or delayed deliveries or absenteeism of essential employees. There are many possible scenarios which should be considered such as:

Some quantifiable impact categories for a small retailer could include:

·         Inability to record sales

·         Inability to accept returns

·         Inability to process debit or credit cards, cheques (checks), gift cards, certificates

·         Inability to replenish merchandise

·         Inability to move merchandise between locations

·         Inability to respond to customer communications

·         Inability to advertise

A manufacturing company may see quantifiable impact categories as including:

·         Inability to order materials

·         Inability to receive materials

·         Inability to assemble materials

·         Inability to advertise products

·         Inability to process orders

·         Inability to ship products

·         Inability to collect payment[1]

It is incumbent on all business owners to understand their risk tolerance. By identifying and evaluating the impact of disasters on the business, owners can establish the basis for investment in recovery strategies as well as in prevention and mitigation strategies. To do this you need to have developed a risk management plan.

Once you have developed a risk management plan, you should conduct a business impact analysis to assess the likely impact of these risks on your business operations. This is the preparedness step in the prevention, preparedness, response and recovery (PPRR) model[2] for developing a business continuity plan. A business impact analysis identifies the activities in your business operations that are key to its survival.

Business owners should recognise that a business impact analysis (BIA) is a continuous process that predicts the consequences of disruption of a business function and process and gathers information needed to develop recovery strategies. Potential loss scenarios should be identified during a risk assessment. It is not a one-off process.

We don’t conduct one BIA report then step back from it for a year or so. It needs to be constantly monitored to take into consideration changes in the sales, production or security environment. As crime changes and moves from areas of a city or region, threat levels will change and, as many small enterprises have found, a series of break-ins caused by displaced crime can change the financial state of a small business in a very short time and threaten its continued viability.

The first step in developing your analysis is to ask yourself some key questions:

·         What are the daily activities conducted in each area of my business?

·         What are the long-term or ongoing activities performed by each area of my business?

·         What are the potential losses if these business activities could not be provided?

·         How long could each business activity be unavailable for (either completely or partially) before my business would suffer?

·         Do these activities depend on any outside services or products?

·         How important are the activities to my business?

As the risks to your business change, so too will their potential impacts. When you update your risk management plan, you will also need to conduct a new business impact analysis.

Seek advice from all levels of your business in order to identify all processes and functions that go into making your business function, then, ask yourself these questions:

·         what could occur if this function of my business was unable to function for any reason?

·         where could critical financial impact occur and what is the potential amount of the impact?

·         where could critical reputational impact occur and what is the potential amount of the impact?

·         under what circumstances could a critical impact occur? and

·         what is the effect of the impact over a lifetime?

Let’s look at an example of a small business that produces widgets for the mining industry. The widgets are high use and replaced every week to be refurbished by the manufacturer. If we have a crisis and are unable to supply the widgets, mining companies will understand a delay of a few days by adjusting equipment operation to reduce wear on existing widgets, but some may not be able to tolerate a delay and may be forced to reduce or cease operations until supply is re-established. The cost to mining companies could be very high, but the cost to the small business could be catastrophic if its reputation is damaged by a crisis that results in companies seeking alternate suppliers.

Business continuity and business resilience that arise from BIA reports are critical in ensuring you can weather a crisis. Whilst bringing in expert consultants to work with you to develop your report on the results of a BIA is good practice, you can assist by preparing BIA worksheets, which bring critical functions to the fore and allow you to understand the real impact of events on your business.

A Business Impact Analysis Worksheet allows you to look at each function, department or process and identify the point in time at which an interruption would have the greatest impact. A worksheet should be developed for each department, function or process that you have identified. A simple example is shown below:

Business Impact Analysis Worksheet[3]

Department / Function / Process: ……………………………………………………………

Operational & Financial Impacts

| Timing/Duration | Operational Impact | Financial Impact |
| --- | --- | --- |
|  |  |  |
|  |  |  |
|  |  |  |

Timing: Identify point in time when interruption would have greater impact (e.g., season, end of month/quarter, etc.)

Duration: Identify the duration of the interruption or point in time when the operational and/or financial impact(s) will occur.

·         < 1 hour
·         > 1 hr. < 8 hours
·         > 8 hrs. < 24 hours
·         > 24 hrs. < 72 hrs.
·         > 72 hrs.
·         > 1 week
·         > 1 month

Considerations (customize for your business)

Operational Impacts:

·         Lost sales and income
·         Negative cash flow resulting from delayed sales or income
·         Increased expenses (e.g. overtime, outsourcing, expediting costs etc.)
·         Regulatory fines
·         Contractual penalties or loss of contractual bonuses
·         Customer dissatisfaction or defection
·         Delay executing business plan or strategic initiative

Financial Impact:

Quantify operational impacts in financial terms.



As part of your business impact analysis, you should assign recovery time objectives to each activity to help determine your basic recovery requirements. The recovery time objective is the time from when an incident happens to the time that the critical business activity must be fully operational in order to avoid damage to your business.

By identifying a time frame necessary to recover and financial amounts to measure your risk appetite where you feel that the business can recover, you can add the information to the table (such as in the above example) to provide better context upon which to base your assessment of priorities for mitigation.

The information resulting from the BIA can be used to bring some local clarity to your consequence rating on your risk management matrix. The table below, based on ISO 31000:2009, provides a simplified example of how the BIA could be used when applied to business operations, creating your business impact level (BIL).

| Impacts on business operations | Minimal (BIL-1) | Minor (BIL-2) | Moderate (BIL-3) | Major (BIL-4) | Catastrophic (BIL-5) |
| --- | --- | --- | --- | --- | --- |
| Operational capacity | Minimal impact on operations. Some reduction on function or process effectiveness but can be dealt with by routine procedures in place. | Minor impact on operations. Some reduction on several functions or processes effectiveness but can be dealt with by routine procedures in place. | Significant degradation in organisational capability to an extent and duration that, while the business can perform its primary functions, the effectiveness of the functions is noticeably reduced. | Severe degradation in, or loss of, business capability to an extent and duration that the business cannot perform one or more of its functions for an extended time. | Severe degradation in, or loss of, business capability to an extent and duration that the business cannot perform any of its functions. Business closure likely. |
| Business Assets | Low or no damage to assets. | Some damage to assets that will affect functions or processes whilst replacements are obtained. Time frame for replacement >3 months. | Damage to assets that result in multiple functions or processes that reduces productivity until replacements can be obtained. Time frame for replacement <3 – 6 months. | Damage to assets that results in long term harm to the business. Time frame for replacement <6 months. | Damage to assets that are irreplaceable or beyond financial capacity to replace. |
| Business Finances | Low or no financial loss. | Medium financial loss that does not impact on the ability or capability to meet financial obligations. $100,000 - $500,000 | Financial losses are covered by insurance and recoverable within a short term but will have a short-term effect on capability. Potential regulatory attention. >$500,000 - $800,000 | Substantial financial loss leading to key activities being shelved and loss of public/shareholder confidence. Likely regulatory attention. >$800,000 | Significant financial loss leading to significant damage to the organisation's 'brand' and ability to operate. Significant regulatory attention. >1000,000 |

Note: Estimated financial losses based on micro business model requiring a reliable cash flow.

The information that arises can be used to:

·         evaluate whether the limits of insurance are adequate. Are you underinsured?

·         compile an inventory of properties and assets and determine whether insurable values reflect inflation costs over time, and

·         allow a review of whether property, stock and other insurance policies adequately cover actual cash value or replacement cost.

It can also provide you an overview of just where you need to improve your supply chain to ensure stock, plant or equipment can be replaced within a minimal timeframe to ensure business resilience.

The BIA can assist in allowing you to properly determine just what your risk tolerance level is. A micro business (such as an on-line business or a restaurant) may have a risk tolerance of BIL-2, whilst a medium size business with a sound client base, good supply chain and regular cash flow may be able to tolerate BIL-3. Each business differs, and each risk tolerance level will differ.
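The worksheet duration bands, the Business Finances thresholds and a risk tolerance level can be combined to estimate how long each process may be down before the loss exceeds what the business can tolerate, which bounds its recovery time objective. This is an added example, not part of the original post; the loss figures, the `WorksheetRow` fields, the 720-hour month and the treatment of losses under $100,000 as BIL-1 are assumptions.

```python
from typing import NamedTuple

# Upper edge, in hours, of each bounded duration band on the worksheet
# (1 week = 168 h; 1 month taken as 720 h, an assumption).
BAND_EDGES_H = [1, 8, 24, 72, 168, 720]

def bil_for_loss(loss):
    """Map an estimated loss to BIL 1-5 using the Business Finances row."""
    if loss > 1_000_000:
        return 5
    if loss > 800_000:
        return 4
    if loss > 500_000:
        return 3
    if loss >= 100_000:  # assumption: anything under $100,000 is BIL-1
        return 2
    return 1

class WorksheetRow(NamedTuple):
    process: str
    hourly_loss: float        # lost income plus extra expenses per hour
    fixed_loss: float = 0.0   # one-off penalties or lost contracts
    peak_factor: float = 1.0  # timing: multiplier for the worst period

    def loss_after(self, hours):
        return self.fixed_loss + self.hourly_loss * self.peak_factor * hours

def max_tolerable_outage(row, tolerance_bil):
    """Longest worksheet band (hours) whose loss stays within tolerance."""
    tolerable = 0  # 0 means even a one-hour outage exceeds tolerance
    for edge in BAND_EDGES_H:
        if bil_for_loss(row.loss_after(edge)) > tolerance_bil:
            break
        tolerable = edge
    return tolerable

def prioritise(rows, tolerance_bil):
    """Rank processes so the one needing the fastest recovery comes first."""
    ranked = [(r.process, max_tolerable_outage(r, tolerance_bil)) for r in rows]
    return sorted(ranked, key=lambda item: item[1])

# Constructed figures for the widget manufacturer in the example above.
WIDGET_MAKER = [
    WorksheetRow("Collect payment", hourly_loss=300),
    WorksheetRow("Process orders", hourly_loss=1_500, peak_factor=2.0),
    WorksheetRow("Ship refurbished widgets", hourly_loss=4_000, fixed_loss=250_000),
]

if __name__ == "__main__":
    for name, hours in prioritise(WIDGET_MAKER, tolerance_bil=2):
        print(f"{name}: recovery time objective of at most {hours} h")
```

A result of 0 hours means the process already exceeds the chosen tolerance in the shortest band, so it needs prevention or mitigation rather than a recovery target alone.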

Your mitigation strategies and security investment will, in most cases, align with your level of risk tolerance, so second guessing that level would be a dangerous strategy. Undertaking a BIA to determine consequences and business impact levels will provide you with quantifiable evidence upon which to make business decisions. Your business impact analysis will also help you develop your recovery plan, which will help you get your business running again if an incident does happen.

Like your Business Plan and Risk Management Plan, your Business Impact Analysis is a tool that can provide you an element of certainty during periods of crisis.  As Benjamin Franklin stated in his Philadelphia address on fire safety, “an ounce of prevention is worth a pound of cure”.

It is as true today as it was in 1736.


[1] https://www.ready.gov/business-impact-analysis
[2] https://www.business.qld.gov.au/running-business/protecting-business/risk-management/pprr-model
[3] https://www.ready.gov/business-impact-analysis
