The Importance Of Business Continuity Planning: Dealing With Inevitable Risk

Wednesday, May 15, 2013 - 09:10

Increased awareness of the need to prepare for risk, including the risk of disaster, does not always translate into action. One of the reasons businesses choose not to become more actively involved in planning for increased preparedness is that they feel prior events are not likely to recur or that the effects, if they were to occur, would not be overly severe.[1] Interestingly, while the Asia-Pacific Economic Cooperation (APEC) region accounts for 40 percent of the world’s population and half of global gross domestic product, the area sustains almost 70 percent of the world’s natural disasters.[2] A 2011 survey among APEC member economies found that only 15.9 percent of small and medium-sized enterprises and 52 percent of large company respondents have a business continuity plan.

Risk can be limited to data security or be widened to encompass operational issues should a major disaster actually occur. While the costs of a complete disaster recovery plan will be much greater than those of a plan designed solely to protect against data loss, the consequences of one versus the other should, at least, be considered by management. Humans do not like to consider catastrophic potentials, but history does teach that such events can and do occur. Some business strategies consider this risk better than others. Some people will look at events that have occurred, such as recent hurricanes or terrorist activities, and alter their perceptions. Others will choose to ignore such actual events. Losses will be dependent to a large degree on how business owners manage their perceptions, consider risk, and weigh the cost-benefit of continuity planning. This article explores ways to manage such risk.

Businesses manage risk in a variety of ways, typically in one or more of the following forms:

  • Buying insurance to cover various perils
  • Installing control systems
  • Monitoring control systems

The main drivers in the selection of available alternatives of risk management are likelihood of occurrence and relative cost of each alternative or combination. For example, a manufacturing business located in a low-lying area will doubtless seek ample flood insurance, although the cost and availability of adequate coverage can present a serious challenge. In less flood-prone areas, the same business would likely choose less coverage and more self-insurance.

As we all know, disaster often strikes without warning. Some events are costly, but recoverable, while others are cataclysmic and result in the complete loss of the business. The prudent owner considers all threats, even remote ones. For example, most businesses install lightning rods atop their buildings to protect their property from dangerous lightning strikes, despite the fact that the likelihood of a strike is unknown. While more cloud enterprises are emerging, many businesses will always need brick-and-mortar establishments and will have to protect their assets from physical harm.

Key point: Consideration of risk is necessary; however, not all risk can be fully avoided, and businesses may need to accept partial residual risks. Business continuity planning is the tool used to manage these residual risks. Using the data derived from the process of developing a risk management profile, business continuity planning takes the next step by assuming that a disastrous event will, in fact, occur in the future.

A business continuity plan promotes corporate resilience in the face of potential “game-over” scenarios. A robust plan will lead a company successfully through the steps required to continue operations. For example, the business continuity plan may include designation of alternate work sites and quick assemblage of necessary business infrastructure should the need suddenly arise. Included in this plan are backup data systems, communication protocols and an up-to-date roadmap to deal effectively with disaster. Whereas insurance may reimburse for loss, business continuity planning ensures future operational capability, leading to sustainability of the enterprise.

The specific steps necessary to recover from natural or man-made disasters, or from threats carried out against the business (such as cyber attacks), must be understood, then planned, and eventually tested for effectiveness. Prevention of loss is always superior to recovery from loss, and the need for or cost of certain types of insurance may be greatly reduced if certain preventative measures are taken. Thus, an analysis of threats and risks can be evaluated in terms of possible approaches to ameliorating concerns and avoiding costs.

Solution

Business managers should plan for the worst and commit to the development of a responsible strategic plan for minimizing the impact of harmful events, even unlikely ones. A side benefit of such analysis and planning is the discovery of potential improvements to business systems and of ways to reduce business costs. Thus, a look into the unforeseen future may result in improvements to operational efficiency in the near present.



[1] Executive Summary: Business Continuity and Disaster Preparedness Planning – Citizen Preparedness Review (CPR) Issue 7: http://tdl.citizencorps.fema.gov/downloads/pdf/ready/businesscpr.pdf. Retrieved May 7, 2013.

 

Eric A. Kreuter, Ph.D., CPA, CFE, is a Partner in the Litigation and Corporate Financial Advisory Services Group at Marks Paneth & Shron LLP. He specializes in litigation and forensic services including commercial damages and fraud investigations. His background also includes management, human resources and other consulting services, and he is a specialist in all facets of the construction industry.

Please email the author at ekreuter@markspaneth.com with questions about this article.