It takes a lot of effort to grow and sustain a business. There are things that can be controlled but many that cannot. Contractors spend time focused on making current operations more efficient, gaining market share, developing new products and expanding by acquiring another business.
However, little effort goes into protecting their business from an impending disaster. It always seems to be at the bottom of the to-do list. This can be a costly mistake. Consider what happened in October 2012, as Hurricane Sandy ravaged the New Jersey shore, flooded New York City, damaged hundreds of thousands of homes and forced tens of thousands of survivors into shelters. The massive storm caused billions of dollars in damage to vital infrastructure systems including power transmission, transportation and water and sewage treatment facilities. As a direct result of the storm, 73 people in the U.S. lost their lives according to the Federal Emergency Management Agency (FEMA). They estimated 40 percent of the businesses affected by this storm never reopened. But how many were even ready for it?
It’s critical that contractors focus on what can happen to their business if hit with a power outage, hacker disruption, fire, earthquake or other disaster, where there is the potential to lose customers and employees to a competitor.
According to The Association of Records Managers and Administrators, 60 percent of all businesses impacted by a major disaster close within two years of the event. But it doesn’t take a major catastrophe to shut down a business. In fact, minor disruptions such as power failures, broken water pipes, and loss of computer data can often cause significant damage.
The first step in the risk management process is to identify risk. This is a fundamental step to developing a realistic, reliable plan to continue business when faced with a disaster. Risk will vary by region. There is no need to plan for a hurricane in Michigan or a snowstorm in Florida. But what if a major supplier is located in one of those regions? Consider what affects the company directly but also what can potentially disrupt the supply chain. Companies that take a heads-up approach on where such events might occur and how they might impact the bottom line are able to focus their planning efforts where needed.
Threats that may leave critical resources and operations vulnerable are not limited to just catastrophic events. Although natural disasters seem to be happening more frequently than ever, many business losses are actually caused by small events that are not widespread, such as IT service outage from a key supplier or a water main break that blocks a building entrance.
Business continuity planning requires a good risk management process because much of the risk cannot be financed with insurance. Therefore, a plan needs to designed and built for how businesses can prepare for, and continue to operate after, an incident or crisis. A business continuity plan will help identify and prevent risks where possible and prepare for risks that can’t be controlled, and be able to respond and recover if an incident or crisis does occur. A risk manager may not be able to predict every kind of incident that could threaten a business, but they can develop a plan that covers a range of potentially catastrophic events (e.g. natural disasters, computer problems, staffing issues). To get the most out of a business continuity plan, create a schedule for testing and updating it, making sure to take into account any changes to the business, industry, and/or the location where the company operates.
Businesses face many hazards: floods, tornadoes, earthquakes, even serious outbreaks such as Ebola or the H1N1 flu virus. There can also be “human hazards,” such as accidents and acts of violence and terrorism. Add in technology-related hazards like data breaches and the malfunction of equipment or software to know that the world is a very dangerous place for today’s businesses. But there is hope.
According to Ready Business, a free disaster-planning tool, there are five steps in developing a preparedness program:
- Program management – organize, develop and administer the preparedness plan;
- Planning – gather information about hazards and assess risks, conduct a business impact plan, examine ways to prevent hazards and reduce risks;
- Implementation – write a preparedness plan addressing key areas of resource management, emergency response, crisis communications, business continuity, information technology, employee assistance, incident management and training;
- Testing and exercises — test and evaluate the plan, define different types of exercises and learn how to conduct them, use exercise results to evaluate the effectiveness of the plan;
- Program improvement– identify when the preparedness program needs to be reviewed, discover methods to evaluate the program and then utilize the results to make necessary changes and improvements.
Every business, regardless of size, should have a crisis plan. The plan should outline step-by-step how a crisis will be managed. It should represent how an organization will deal with a crisis before, during and after an event. It will allow everyone to focus on what to do in advance instead of deciding what to do during a time of chaos. Businesses without preparedness plans are like flying a plane without the benefit of radar; a big storm could be coming and the contractor may never know it – until it’s too late.