Avoiding Business Closed: Your ABCs of Keeping your Business Running During a Disaster

Avoiding Business Closed
Your ABCs of Keeping your Business Running During a Disaster

Your business could be closed tomorrow and it will not be due to the economy. As much as you would like to open, you may not be able to. The closure is not even due to something you did; it is what you did not do. The cause of your closure may be due to a neighboring business, your customers, suppliers, or even employees. It can come from severe weather, flood, sabotage, blackouts, or a loss of equipment. Whatever the cause, the failure to plan for situations can seriously cripple your ability to reopen your business after an unexpected interruption.

Statistics show that

• Businesses without a Business Continuity plan have less than 10% survival rate after a disaster (Touche Ross)


• 1 out of 5 companies reported having had a major business disruption within the last five years (Source CSA)


• Of companies that suffer a significant data loss, 93% are out of business within five years (U.S. Bureau of Labor)


• Of companies experiencing a catastrophe or extended system outage, 2 out of 5 never resume operations; and, of those that do, 1/3 go out of business within two years (Gartner Group)


• In the U.S., 43% of businesses never re-open after a disaster, and 29% (more) close within two years (University of Wisconsin)

So, how does your business avoid becoming a statistic? Follow the over-simplified process of plan, test, revise, and repeat to create your Disaster Recovery (DR) and Business Continuity (BC) plans. In the coming months, we will introduce these topics further. The whole process will create for you a Business Resiliency (BR) program that puts your business into the top 10% quartile for survivability.

Another part of this article series will address your questions. You can send questions to Planning@TPComps.com. Here are some of the more common questions with short answers to get us started.

1. Why should my business create a DR and BC plan?
   a. Excluding the risk of becoming a statistic, state and federal regulations and industry frameworks require planning. Companies also lose business when customers ask for proof of a plan or file suit when interruptions affect their ability to conduct business.


2. I have a backup of my data, isn’t that enough?
   a. Having a backup is part of DR and BC planning but it is not everything. The backup is like the color of paint when you want to paint a wall. Other items make a successful paint job like wall prep, paint type, roller or brush, etc.


3. I have insurance, isn’t that business continuity?
   a. No, an insurance policy or check is not business continuity. A check may allow you to cover the expenses associated with recovering, but the piece of paper will not tell you what to do and when to do it. Side note: some insurers may offer discounts when you create and test your plan.


4. Where can I get more information?
   a. There are many sources of information available through your business network, local associations, government agencies, and the Internet. Review your local Chamber of Commerce member directory for businesses that may provide you more information. To find other sources of information, ask your business contacts and IT support. Lastly, a Google (or other) search will provide many pages of links for information.


5. What should I look for in a planner?
   a. Aside from a good reputation and working relationship, several industry-recognized certifications may assist with finding a planner. Each of the following certifications require at least 5 years of relevant, proven, and verified experience along with passing an exam. The first is CBCP (Certified Business Continuity Planner) by DRII. Others include CISM (Certified Information Security Manger) by ISACA and CISSP (Certified Information Systems Security Professional) by (ISC)2.


6. What is the cost for a plan?
   a. Although there is an outflow of cash, this is really an investment in your business. There is not a fixed answer to this common question. The cost is usually determined by the scope and amount of work. To create business value, the plan cost should be less than the financial loss the business will experience. Depending on the chosen planner, it may be an hourly charge, a daily rate, or a fixed fee.


7. How long does it take to complete a plan?
   a. Just like the cost, there is no fixed date. A good planner will maximize your time to compress timeframes and reduce the overall project. The average smaller enterprise should expect a plan to take 1 month if all the resources are dedicated at all times. Since this is not practical, it may take upwards of 3 months with part-time efforts.


8. What makes a successful Business Resiliency plan?
   a. From a high-level, a successful BR plan has three parts: recovery, continuity, and security. Just like a three-legged stool, you can do one part (leg) without the others but, you will be always off balance and may eventually fall over.


9. What is the usual process to start a plan?
   a. The plan usually starts with a Business Impact Analysis (BIA). This is an evaluation of key areas of your business. A good BIA will cover points like emergency preparedness, functional impacts, personnel, vital records, applications, computers, operations, locations, security, and regulations. The BIA can show what factors are most critical to your business and then provide the order for planning.


10. We created a plan several years ago, do we still need to go through this process?
    a. Yes and No. If nothing has changed (same equipment, same neighbors, same address, same staff, same suppliers or customers, etc.) in your company since you created the plan, you probably do not need to worry. It is a good practice to review your plan annually to make sure that you’ve addressed all the potential impacts. If anything has changed (new equipment, new neighbors, new address, new staff, new suppliers or customers, etc.) then you probably need to revise your plan.


11. Are there any things to think about when starting a plan?
    a. There are three components of DR and BC. RTO is your Recovery Time Objective. This is the amount of time you can be without your ‘X’ (i.e. computers, paper files, office, building, etc.) before business is seriously impacted or recovery becomes impossible. Can you afford to be without ‘X’ for 3 hours, 3 days, or 3 weeks? RPO is your Recovery Point Objective. This is a measure of how old your recovered ‘X’ can be and still be useful to you. Once you get ‘X’ back, can it be 1 day, 1 week, or 1 month old? RCO is your Recovery Capacity Objective. This is some value of how much of ‘X’ to recover and who will be available to help you recover ‘X’. Do you need the whole office recovered and will the whole staff be available during the recovery?