Business continuity

Australian Federal Police (AFP) logo

Natural disasters, extortion, politically motivated violence and criminal interference with business activities have had an impact on businesses in Australia and overseas in recent years. Many Australian businesses, however, still adopt a casual approach, and rely on the hope that "it will not happen to my business". The potential consequence of this mind-set is disastrous, yet business continuity could be ensured by some simple planning and forethought.

Business continuity planning includes disaster recovery, corporate governance and quality management. Importantly, it also relates to the identification of risks, and the implementation of a sound risk management approach to business activity.

(Adapted from Standards Australia/Standards New Zealand HB 221:2003 Business Continuity Management).

Events that may potentially disrupt your business

Natural Disasters

  • Less sinister than criminal attacks, but they can be even more disruptive.
  • Authorities will usually provide warning.
  • By definition they are unpredictable.
  • Criminals may take advantage of natural disasters to cover criminal activities (e.g. looters).

Economic Events

  • Disruption to supplies.
  • Disruption to customer confidence.
  • Financial institution collapse.
  • Government policies.
  • Foreign trade treaties.
  • Stock market corrections.

Politically Motivated Violence

  • Protests and demonstrations.
  • Bombs.
  • Chemical, Biological and Radioactive incidents.
  • Conflicts may have direct and indirect impacts.
  • Disruption to supplies.
  • Disruption to customer base.
  • Physical threats.
  • Political hindrance to trade (e.g. embargoes).

Crime

  • Extortion.
  • Product tampering.
  • Theft.
  • Kidnapping (e.g. to facilitate a theft).
  • Vandalism.
  • External and Internal Fraud.

Risk management planning

Business continuity and risk management are closely linked. Applying the risk management principles outlined earlier will assist you in all your business endeavours. We tend to use them subconsciously, but it will be worthwhile making a brief risk assessment of your business. These principles can also be used to minimise the disruption to your life and business. Business Continuity helps us to treat any risks identified in our business. Risk Management and Business Continuity should be used together. A Business Continuity Checklist is provided overleaf to start your planning process. It provides basic guidance and encouragement.

It is vital you have a business continuity plan for your venture to be able to resume business operations. Your life and/or business may depend on your own unique plan. We all saw how quickly a natural disaster can suddenly threaten our lives, property and lifestyle.

  • Redundancy: What critical functions need to have spare capacity?
  • Evaluate risk: What are the risks to your business, why, and how to treat them?
  • Safety: For you, your employees and clients.
  • Unique: Your resumption plan is vital; write it down, and consider whether YOU are replaceable.
  • Mitigation of hazards: Make the changes now.
  • Emergency response plans: Keep them simple, train your staff.

The Business Continuity checklist provides further detail to assist your planning. The following practical guides will deal specifically with the identification of, and response to, potential acts of extortion, politically motivated violence or criminal attack.

How to identify and assess your risks

Step 1: Identify your risks

In your business, what are the things that can go wrong?

  • Assault of staff (self or employees)
  • Theft of property from the business
  • Vandalism to premises or equipment
  • Fraud
  • Arson
  • Embezzlement of cash
  • Abuse of privilege by staff
  • Others

Step 2: Analyse your risks

For each risk you have identified, ask yourself three questions:

  1. How can it happen?
  2. How likely is it to occur?
  3. What are the likely consequences?

1. How can it happen?

External sources of risk:

  • Criminals;
  • Competitors;
  • Customers; and
  • Suppliers/providers.

Internal sources of risk:

  • Employees.

2. How likely is it to occur?

  • Cheque and credit card fraud are increasingly common
  • Employee theft or embezzlement accounts for $1.5 billion per annum
  • Seventy per cent of all fraud related losses are perpetrated by current or former employees

You can determine how likely something is to occur by applying the following table to your business's risks.

Table 1: Measure of likelihood (Adapted from AS/NZS 4360)

| Level | Descriptor | Description |
|---|---|---|
| A | Recurring | The incident will, or has, occurred more than once |
| B | Certain | The incident will, or has occurred |
| C | Probable | The incident is likely to, or likely to have occurred |
| D | Possible | The incident is unlikely to, or unlikely to have occurred |
| E | Rare | The incident may occur only under exceptional circumstances |

Example

You have identified that shopstealing is a risk you face. You have had several incidents of shopstealing in your business. According to the table, this is a RECURRING incident (it will, or has occurred more than once). Shopstealing is therefore assigned a Level A rating.

You have also identified that ram raids are a risk to your business. Your business has never been targeted for a ram raid before, but other "like" businesses in your area have. Using the table above, you might rate the risk of a ram raid as PROBABLE. Ram raids are therefore assigned a Level C rating.

3. What are the likely consequences?

Your list of consequences might include:

  • stolen, embezzled or 'discounted' stock;
  • loss of cash or securities;
  • need for equipment replacement;
  • loss of company funds or critical information;
  • increased 'down time' due to business disruption;
  • lost or damaged business reputation and custom; or
  • increased insurance premiums.

Once you have a list of consequences that could occur, you can determine how significant that consequence is for your business using the following table.

Table 2: Measure of Consequence (Adapted from AS/NZS 4360)

| Significance | Injury | Finance | Publicity |
|---|---|---|---|
| 1. Insignificant | No injuries, no impact on staff. | Minimal financial loss, no impact on overall program functional outcomes. | No adverse external criticism or publicity. |
| 2. Minor | Injuries - first aid required, minimal impact on staff, members or overall morale. | Small financial loss, small impact on overall program or functional outcomes. | Criticism by directly affected managers or customers. |
| 3. Moderate | Injuries - medical treatment required, impact on staff noticeable, degree of change in morale. | Medium financial loss, substantial impact on overall program or functional outcomes. | Some external criticism directed at executive or Board, low key media. |
| 4. Major | Injuries - extensive medical treatment required, substantial impact on overall staff and morale with performance affected. Measurable increase in stress related issues. | High financial loss, products and services curtailed due to failure to deliver. | Serious external criticism, high profile media. |
| 5. Catastrophic | Death, impact on staff, members and morale severe. Extreme stress related issues. | Abolition of the business, dismissal of executive, significant irreparable impact on members' prospects due to mismanagement. | Impact on staff, members and morale severe. |

The above table is a general guide only. Your business may find a loss of $10,000 to be major. You may need to think about the dollar costs that would prove catastrophic, major, moderate, minor or insignificant to your business and adjust the table above appropriately.

Example

You are determining the possible consequences of a ram raid against your business. If it were to occur, thieves could obtain significant amounts of stock. You would also have to close down the business for up to two weeks. There would be costs associated with replacing the stock and repairing the damage caused, to name a few. You may assign a consequence rating of MAJOR to this risk. While there may not be any injuries to people, the financial consequences are major for your business.

Step 3: Risk analysis and ratings

Once you have determined the likelihood and the consequence, you can come up with an overall risk rating for the incident using the following table.

Table 3: Risk Analysis Matrix - Level of Risk (Adapted from AS/NZS 4360)

| Likelihood | 1. Insignificant | 2. Minor | 3. Moderate | 4. Major | 5. Catastrophic |
|---|---|---|---|---|---|
| A Recurring | Low | Medium | High | Critical | Critical |
| B Certain | Very Low | Low | Medium | High | Critical |
| C Probable | Very Low | Low | Medium | Medium | High |
| D Possible | Very Low | Very Low | Low | Low | Medium |
| E Rare | Very Low | Very Low | Very Low | Very Low | Low |

Example

You are now ready to determine a risk rating for ram raids against your business. You know that a ram raid occurrence is PROBABLE (likelihood) and you know that the consequence is MAJOR (consequence). Using the above table, you will come up with an overall risk rating of MEDIUM for this sort of incident.

Step 4: Risk management

When you know the risks faced by your business you can begin to develop risk management strategies. Your strategies may include changes to your policies and procedures, or introducing some protective measures for your goods (such as dye tags).

There are also a number of strategies that can reduce the opportunities for crime to be committed against your business. Situational crime prevention strategies aim to make it harder for criminals to commit their crimes against your business. If you make it harder, or reduce the rewards criminals can obtain, you reduce the risk of crime.

Step 5: Rank risks and assign priorities

When developing a plan for reducing the risks to your business, you will need to consider:

  • your most urgent needs - those risks that scored CRITICAL or HIGH should be addressed first;
  • what is most feasible - some of your options may not be feasible because they are costly or because they are not permitted by local councils etc; and
  • your timeframes - if there is an immediate risk to your business you should seek to address it as soon as possible.
