PlanB Consulting

14/03/14 Business Impact Analyses

The following article was published on the Microsoft website and written by Nick Saalfeld of Wells Park Communications.

It’s been a sobering start to the year for many businesses.

Much of the Somerset Levels is under water. Great swathes of lowland Britain is soggy, making travel difficult. The gorgeous town of Dawlish has had its railway washed away – in the process cutting off the main link to a chunk of the South West. Aberystwyth University evacuated many of its students for the second time in two months as waves the size of three-storey houses batter the coastline. Some homes and businesses have been flooded two or even three times in the past year.

Small businesses invariably suffer the most from these shocks, too: they’re the least prepared, have the tightest resources, the fewest options and the shallowest pockets when things go wrong. So it might be a good time to revisit the idea of disaster recovery.

We’ve had a very useful guide to disaster recovery for a while now – it includes a complete strategy for assessing your risks and the sorts of things you should do to prepare, and you’ll find it here. Given the state of our weather, it’s a pretty good read.

Structure your days
However, there’s a subtle issue faced by many small businesses, and the psychology is interesting stuff. As humans, we’re programmed to be remarkably optimistic. It may not seem like it on a drizzly Thursday in February, but we tend to look on the bright side. It’s a good thing too- life can be a right old slog sometimes, and we need all the self-belief we can get. It’s this optimism in the face of real-life chances that means we smoke and drink without thinking about the future, or do silly things like play the lottery despite the infinitesimally small chances of winning.

That inbuilt optimism (or ostrich syndrome if you want to be less charitable about it…) means we’re lousy at assessing risks and their impacts. Indeed, the very terms themselves are different and easy to fudge:
A risk is a something bad which could happen. Floods and theft are common, meteorites aren’t. But they’re both risks, and may have identical or widely divergent impacts.

An impact is the result of a risk, in operational or financial disadvantage.

In both cases, we have to think about worst possible outcomes, and we’re lousy at it. And this means that even among the too few businesses who have put some effort into disaster recovery planning, many of them are the equivalent of ‘underinsured’.

Here’s how to get it right.
John Michael, CEO of iStorage, says, “It’s not the technology that matters, it’s the business. If a computer or hard drive is lost or stolen, for example, the value of it (which is what your insurer is interested in) may be £400. But the impact could vary from thousands of pounds in lost data and productivity to total failure of the organisation. Similarly, the function of each individual piece of equipment is negligible; rather it’s the ability of your business to work which must be valued. What if you lost your customer list, order book or all your financial information? Would your business survive? Even though technology may be the solution (secure USB sticks or a secure external hard drive and a solid backup regime), your assessment should be based on end-to-end business functions, not the financial value of individual bits of tech.”

Always consider the trickledown effect, too. Don’t consider a single application or service if there’s a bigger picture to consider. In techie terms this can become quite obscure, so let’s use a more real world example: “If we lose the keys to the van, it’s not just about cutting new keys; it’s the cost of not being able to do deliveries or visit potential new clients.” Similarly, in the tech world, think something like “if the server isn’t available, we can’t authenticate users. That means we can’t use our sales application or write proposals.” Most aspects of a business are connected; so nothing in disaster planning works in isolation.
Don’t just think about money. The cost of putting things right is certainly always financial; but the impact of crises is usually a lot more: remember to put value on inconvenience, reputation and goodwill. In any case, says Charlie Maclean-Bristol of business continuity consultants, PlanB Consulting, “Not all risk mitigation measures needs be expensive. Backing up your data nightly and taking the backup off site costs no more than periodically backing up your data when you get round to it. Remember, it’s a lot easier to recreate 24 hours worth of data than to attempt to reconstruct three months’ worth.”

When you’ve got a list together, get a second opinion. Even if you’re a one-man business, your suppliers may have useful advice, and your favourite customers will probably be impressed that this sort of thing is on your mind. The thing is, you will have an operational perspective on disaster recovery, whereas your suppliers and customers will have an external and more strategic viewpoint. You may think, for example, that your invoicing system is pretty crucial. But nobody outside the business cares, and so it may deserve a lower priority. If you don’t feel comfortable discussing the issue externally, at least take the opportunity in your impact analysis to assess things from all angles.

Finally, don’t ignore bad news. This comes back to the ‘optimism bias’ we mentioned above, and it’s typical of the underinsurance problem. Here’s how it works: You spot a vulnerability to the business worth £10,000, and realise that it will cost £1000 to implement adequate protections and preparations. But if you value the vulnerability at £7,500, it will only cost £500 to protect. So you cut corners and do the latter, even though you will actually be at a disadvantage in the long run. Chances are, you’ve underestimated the reparation costs, and your skimp will end up being short-termist at best, hopelessly inadequate at worst. We’re really good at persuading ourselves that a compromise will do; whereas in disaster planning, compromises generally underwhelm.

Even a compromise, though, is better than doing nothing. As PlanB’s Charlie Maclean-Bristol says, “It’s all about taking a little time now to address your risks, rather than knowing you should but not getting round to it.”

Link to the original article on Microsoft.com

About Charlie Maclean-Bristol

Charlie Maclean-Bristol is one of the Founders and Directors of PlanB Consulting. He is also the Training Director of Business Continuity Training Ltd., a UK-based training provider accredited by the Business Continuity Institute. Charlie is a former Business Continuity Institute board member and one of the very few Fellows of both the Emergency Planning Society and the Business Continuity Institute.

A former Infantry Captain in the British Army, Charlie held several emergency planning, business continuity and crisis management positions within the energy and utility industry before founding PlanB Consulting in 2007. Over the past twelve years, Charlie has delivered business continuity consultancy in 6 of the worlds 7 continents, frequently providing full business continuity roll-outs to organisations of all sizes and in all sectors.

Scroll to Top