Business Continuity for SMEs – Assessing business criticalityJune 10th, 2012 by BrightCloud
Our third and final blog in the series looks at the elements critical to your business, and the steps required to undertake a business impact analysis.
Your business and livelihood relies on a wide range of activities and assets. The essential components will include business processes, information systems, utility services, equipment, people and materials. Many of these will be related, and can be imagined as a hierarchy of dependencies. Every organisation is different, but the continued operation of processes that deliver products or services to customers will clearly be crucial to the profitability and survival of the company.
“I often find directors oversimplify the complexities of their own IT requirements, thinking that just because they have a backup tape they are protecting their business from a IT failure. The truth is that IT systems these days are becoming more complex than ever, but the great news is that our ability to protect these increasingly complex systems has improved dramatically and now we are more able to recover highly complex systems with much more ease and much lower cost than ever before.”
Duncan Little, BrightCloud Managing Director
Cash flow is also important to smaller enterprises with limited resources and lines of credit. In the event of a disaster, the most critical business processes and systems will generally be those whose continued operation is vital to:
- Satisfying customer commitments. Prevent cancellation of contracts or loss of future business by delivering orders and keeping customers satisfied.
- Maintaining production. Avoid halting production or supply of core products and services for customers.
- Protecting inward flows of money. Safeguard vital income and cash flow by maintaining sales, accounting and invoicing systems.
- Safeguarding investments. Valuables, investment opportunities and interests must be protected by maintaining physical security measures and banking facilities.
- Avoiding financial penalties. Stay legal and avoid charges and legal fees by maintaining essential compliance and accounting systems.
- Paying staff and contractors. Avoid potential hardships, contractual disputes and loss of credit by keeping up vital payments. Collectively, these key activities ensure that you safeguard your income, profit and reputation.
Assessing the Impacts of Incidents
No two incidents are the same. Each one creates a wide range of potential impacts which depend on the severity of the incident, the level of protective measures in place, the speed and effectiveness of your response and the management of your relationships with customers and other stakeholders.
Typical business impacts include:
- Lost business (current and future).
- Replacement costs for equipment and data.
- Recovery costs.
- Refurbishment costs.
- Temporary accommodation costs.
- Fall-back costs.
- Financial penalties and legal costs.
- Costs of additional controls.
- Damage to reputation and brands.
- Environmental damage.
To survive a disaster, you will need adequate funds and insurance to pay for the cost of repairs, and the hire of any temporary equipment, accommodation and staff that are needed to maintain business activities.
Identifying the full range of potential business impacts is best done as a team exercise. A group of people, as opposed to an individual, will be able to effectively generate ideas, spot as many requirements as possible, and identify possible preventative measures, ‘workarounds’ and mitigating actions. This type of activity is often referred to as a business impact analysis.
Many people assume that the larger the business is, the bigger the risks it faces. But often the opposite is true. A large enterprise can more easily ride out a local disaster affecting only a part of its business. Most disasters are local rather than enterprise-wide. An office fire might, for example, only affect a single retail outlet. Big companies also have deeper resource reserves and longer credit lines. Small businesses, however, are more likely to have most of their eggs in a single basket. Many operate out of a single building or store their stock in a single warehouse. Credit and cash flow are also much tighter.
A small business is much more likely than a larger enterprise to go out of business following a major disaster. Small enterprises have a greater need, therefore, to identify threats and take steps to minimize their impact. When considering threats, you should try to be as imaginative as possible. Many disasters come out of the blue. Unexpected threats can be the most deadly, as they would not have been addressed when planning ahead.
It does not matter if it is a fire, flood, avalanche, or even a tsunami, the main issue for most enterprises is the loss of vital premises or services needed to perform essential work functions.
This could also happen because of a police cordon to protect the public from an unexploded WW2 bomb, crime scene, gas leak, group of picketing students or any other cause. At the early stages of business continuity planning, it is helpful to ’think the unthinkable’. Try to capture every possible event, no matter how unlikely. Your ranking methodology can subsequently take care of unlikely events by assigning them a low score.
- Fire and flood. Two serious risks that require preventative and recovery controls.
- Earthquakes. Although unlikely in the UK, should still be dealt with in business continuity plans.
- Terrorist attacks. A high threat in Western cities that can cause serious damage to infrastructure and the mobility of employees.
- Cyber attacks. Any business can suffer from digital disruption caused by a cyber attack.
- Failures of equipment and services. A common threat to business operations. Fall-back options can be expensive, but impacts can be reduced by good advance planning.
- Accidents. Often the result of failings in process design, training, supervision and human behaviour. By studying their causes you can help prevent them.
- Sabotage and vandalism. Can be launched by vengeful employees or customers or just badly behaved members of the public. Such attacks are generally spontaneous, unpredictable gestures.
- Strikes. Disruptions from strikes are often foreseeable and can be mitigated by contingency planning.
- Site Location. Consider transportation risks for key buildings such as warehouses. These mistakes are difficult and expensive to correct.
- Leaks of toxic materials or radiation. Consider fall-back arrangements for industrial locations that might be vulnerable to such events.
- Pandemics. Make sure your business is prepared to minimise the effects of a pandemic, as there is a high probability of one occurring relatively soon. The impact of pandemics can be reduced by thoughtful office design, and contingency measures such as off-site working and alternative transport for key staff.
- Space Weather. This may seem extreme but the solar cycle is expected to peak between 2012 and 2015 causing interference to GPS systems, railway signals, power systems and mobile phones.
Get a Free Business Continuity Assessment
Whilst we won’t understand your business as well as you do, our decades of IT experience means we may well understand your IT better than you. BrightCloud can build you a realistic and workable IT continuity plan, so in the event of a disaster we’ll get your IT up and running as fast as possible.
Contact us today for your free business continuity assessment.