Business interruption insurance: business continuity plans
You’ve learned about the importance of identifying risks and income streams. Now, we turn our attention to business continuity plans.
Why do you need a business continuity plan?
Developing a business continuity plan is a practical way of getting your business up and running and staying operational, in the eventuality of an adverse event. No business is too small to have a business continuity plan in place. It could be the difference in a business recovering from an adverse event or not.
Proper risk management informs your business continuity. One of the key inputs is your risk register – you need to identify each risk and unpack it to compare them with the controls you have over those risks.
Risks are uncertainties in your business operations and operating environment. When an event occurs (i.e. the risk materialises), you fall back onto a business continuity management and disaster recovery plan. It is important to understand the context of your unique business and the internal and external uncertainties it faces.
- Identification, evaluation and treatment:
It is vitally important that risks are identified, evaluated against your risk appetite and treated to ensure the inherent risk exposure is reduced. Unfortunately, even the best controls fail. We cannot have controls in place for every eventuality, but we can be prepared for the vast majority of catastrophic events by remaining agile in our thinking, and ensuring we have adopted good business continuity practices in a robust business continuity plan.
- Treat, terminate, transfer, take:
There are four options:
- Treat the risk by reducing the impact or the likelihood of occurrence with controls. E.g. to mitigate the risk of fire, a business can install smoke detectors and fire extinguishers.
- Terminate the activity, if the risk is too high. The project or activity may be terminated to remove the risk. E.g. cancelling a risky project or product line because it exceeds the risk appetite of the organisation, is a common occurrence.
- Transfer the risk through insurance or outsource the activity to third party by setting up an outsourcing contract.
- Take the risk because the controls would be ineffective or cost/resource intensive to mitigate. E.g. the risk of an earthquake is real, but the cost of mitigating a natural catastrophe is significant for most organisations. Any risks that you might be unable to address in your business continuity plan, will become really high and you would need to consider if you want to take on those risks.
Managing your supply chain
There are risks across the entire supply chain. Depending on how much your business relies on your suppliers and clients, the risks that they face can have an impact on your business. For example, if you rely on 50% on Client A, you will lose half of your income if their business closes. You need to understand the business continuity plans of your suppliers and clients, in order to protect your business.
Consider cover for your key supplier and customers:
- Supplier extension:
If you have key suppliers, and they experience an insured event like a flood – which results in closure for several months – you may be protected from the impact this could have on your business.
- Customer extension:
If your biggest customer experiences an insured event like a fire, you may have protection against the loss of income on your business.
How resilient is your business?
In other words, how equipped is your business to handle adverse events? If you have a super resilient business with a continuity plan in place covering a multitude of eventuality and resource requirements, you will be able to adapt to any adverse event that materialises, activate your plan and get on with business.
- Disaster recovery plan:
Generally the disaster recovery plan (DRP) focuses on the continuity of information technology (IT). How quickly are you able to start up again, in terms of servers, data, etc.? Your business might still be standing, but will you be able to operate without your key operating system, communication infrastructure, and customer/supplier information? Cyber risks, like hacking and data extortion, increase the need for effective DRPs.
- People, time and resources:
Ask yourself the following:
- If there is a fire, what do you do?
- Scenario planning is an important tool
- Do you have a back-up site?
- Do you buy local or import?
- Do you have back-up equipment?
- How long will it take to get to the secondary site or import equipment?
- If there are delays, how soon will you be back up and running?
- How many people can work remotely
- Do you have sufficient time to recover?
- When an event occurs, you need to react as if you are uninsured and action your business continuity plan swiftly, so that you can get your business up and running.
- Consider insurable vs uninsurable risk carefully. You need an effective business continuity plan (BCP) for both insurable and uninsurable risks. Often your insurer will insist on an effective BCP, as this is key to reducing any downtime and reinstating normal operations as soon as possible. In the event that risks are uninsurable, it will be in your best interest to consider possible scenarios and how they will impact your business.
- Often, we think of recovery only in terms of having the business up and running, but we forget about the loss of market share and customers that will need to be converted back to your brand. This takes time.