When the Buncefield oil depot in Hertfordshire went up in flames in late 2005, it understandably made headlines for a week or so. But long after the blaze was brought under control and the smoke plume dissipated, businesses in the area have continued to feel the full financial force of the blast.

An economic study of the effects of the incident estimates that it has cost nearby firms over £70m. The study, commissioned by the East of England Development Agency (EEDA), reveals that 25 businesses were seriously affected by the blast. Of these, 16 have been forced to relocate their operations entirely, moving 1,422 jobs.

“The immediate impact on businesses at Buncefield has been considerable, but we are working hard with partners to redress this,” says David Marlow, chief executive of EEDA. “There is still a long way to go, but the business community on the affected Maylands industrial site can now face the future with a positive attitude.”

The problem for many small businesses is that they don’t feel they can afford to invest in business continuity planning, while at the same time they really cannot afford not to. This is especially true when it comes to protecting their data. A recent survey of firms suffering data loss conducted by the University of Texas showed that 43% never reopened, 51% closed within two years and only 6% survived.

On a smaller scale, every data security incident has a real cost. The Department of Trade and Industry’s 2004 information security breaches survey found that an average incident costs small companies between £5,000 and £10,000 and they lose an average of two days of business. “Companies need to get out of the mindset that back-up is a cost on the business,” urges Alan Moody, UK managing director of software provider Mamut. “Back-up can save your business and back-up tools can also improve ways of working and impact on profitability.”

Feeling the heat

Among the factors now pushing smaller operators to invest in business continuity planning is the pressure from both up and down the supply chain, with customers expecting suppliers to have robust business continuity plans in place and, conversely, businesses expecting their suppliers also to have planned for all eventualities. Secondly, trading regulations such as the Sarbanes-Oxley Act in the US and the Companies Act in the UK now require firms to show they have good governance procedures in place.

There are four generally accepted ways of dealing with risk: accept it as part and parcel of business; transfer it (usually via insurance); reduce or manage it; or eliminate it altogether. Traditionally, most risks, whether domestic or commercial, have been dealt with through insurance. Assuming that the correct type and level of cover has been purchased, losses will be fully compensated for. However, what this scenario often overlooks is the time lag between the incident and the settlement of the claim. This is why businesses now have a much greater focus upon managing the risks.

“Risk management is traditionally seen as the preserve of larger organisations and as a luxury cost for smaller firms which prefer to rely on their insurance policies to cover them in the event of any disruption. This is a mistake,” warns Rupert Reid from accountancy company Vantis. “There are a number of impact areas where the cost of disruption may not be covered by business insurance: lost time; sick pay; damage or loss of raw materials; repairs to plants and equipment; extra wages; overtime and temporary labour; production delays; investigation time; fines; loss of contracts; legal costs and loss of reputation.”

So where does the process begin? Well, effective risk management depends upon a thorough and honest assessment of the risks facing the business. These risks can be internal (accounting controls, cashflow and IT systems) or external (supply chain, utilities, market/regulatory changes).

Risk assessment

Every business should carry out a step-by-step risk evaluation, covering all aspects of the organisation including staff, premises and IT infrastructure. In its simplest form, there are three main stages to this process:

Identify the critical areas of the business and the potential threats they face. The core risk areas for smaller businesses are: people (duty of care to employees); IT (computer failure or data loss); market changes/sales downturn (emergence of a new competitor or a lack of product development); and damage to a company’s corporate reputation and brand impairment (such as adverse comments in the press).

These are followed by ‘second tier’ risks that can include: financial (such as poor management information); damage to credit (including poor credit control/the default of a major customer); fire/explosion (through poorly maintained power supplies); product liability (increasing product returns or a specific product-related incident); business interruption (failure of a major supplier or distribution problem); safety of employees (poorly maintained equipment or health and safety procedures); directors’ liability (for example, negligent oversight on acquisition) and security of property (including keeping out intruders). In reality, any one of the above could represent a serious incident for an unprepared business.

Consider and plan ways to overcome each obstacle. The purpose here is not simply to come up with a ‘plan B’ for each scenario. Many companies have made the mistake of building their business continuity strategy around ‘scenario-based’ planning, only to find that in reality the scenario is quite different to the one they had considered.

It is less a matter of addressing the question of ‘what if our premises suffered flooding?’ and more about ‘what if our premises were unusable for whatever reason?’ It is important to be clear on what happens in the immediate aftermath of a disaster. The next stage is to determine which critical business functions need to be resumed quickly and in what order. The plan will need to be detailed, and should identify key individuals who should be familiar with their duties under the plan.

Communicate the company’s plan to all stakeholders. Having a plan is only half of the story: ensuring that it is communicated to and understood by all those responsible for putting that plan into place is integral to its effectiveness. Crucially, this also means being clear with all appropriate staff on changes which may have been made as a result of periodic reviews.

Spreading the word

According to a study by the Chartered Management Institute, only one in 10 firms with business continuity plans share these with suppliers and shareholders, while just one in five communicate this information to customers, despite being cited as key drivers for creating plans in the first place. And only 7% require all suppliers to have a business continuity plan, with over a third (37%) of organisations only insisting that ‘business-critical’ suppliers have plans.

According to Jo Causon, director of marketing and corporate affairs at the Chartered Management Institute, it is disappointing that after seven years of conducting research in this area, companies are still failing to manage business continuity effectively. “There appears to be a mismatch between the perception of the need for business continuity and the reality of the little action to prepare and plan,” she says. “Unless appropriate and effective business continuity processes are thoroughly considered, organisations are leaving themselves wide open to a variety of threats and potential disruption.”

Keeping up with the times

Of course, carrying out a risk assessment and putting a business continuity plan in place is just one part of the picture. If you want such an exercise to be of any use further down the line then regular reviews to take account of any changing market conditions, new premises/assets, company expansion and so on are vital.

Research by the Institute of Chartered Accountants of England and Wales (ICAEW) reveals that 27% of small business managers discuss the risk profile of the business once a year or less, while 19% discuss specific risks annually or less often.

“Companies should regularly review the risk to their operations and profitability,” warns Bob Dulieu, operations director at Capcon. “Risks to today’s businesses are diverse: terrorism; personal security; a pandemic outbreak to business interruption; illness or a product recall. These affect all companies – regardless of size – and with the growth of health and safety concerns, firms not addressing risks to their employees could face legal action if such incidents do occur. The adage ‘fail to plan and you plan to fail’ is very apt for all companies, especially given the focus that the government is placing on this area,” adds Dulieu.

As any good boy scout knows, it is all a matter of being prepared. Almost a quarter of respondents in a recent survey by research group IDC revealed that no one in their organisation was specifically assigned to oversee business continuity. For a smaller business, responsibility begins and ends at the top, but ensuring that the organisation’s ‘plan B’ is widely understood by all is the key to determining its success or failure. And if you ever happen to be in the wrong place, such as Buncefield, at the wrong time you’ll consider it the best investment you’ve ever made.

Source: New Business Magazine

© Copyright 2002-2006 by newbusiness.co.uk