Humpty Dumpty’s great fall: business continuity planning
According to the Institute for Business and Home Safety, an estimated 25% of businesses do not reopen following a major disaster. Gartner Inc., a leading information technology research and advisory company, further estimates that 43% of companies were immediately put out of business by a major loss of computer records, with another 51% ceasing operations within two years — for a staggering 6% survival rate after two years. How is a business owner to manage this “bet-the-company” risk? Through business continuity (BC) planning.
Fortunately, BC planning does not require “all the king’s horses and all the king’s men.” The financial services industry is ahead of the curve and provides helpful guidance on accepted practices in BC planning for all companies, whether financial or otherwise. In February 2015, the Federal Financial Institutions Examination Council (FFIEC) issued a Business Continuity Planning IT Examination Handbook. The handbook is freely available to the public through the Internet and is a must read for business owners and their executives.
The handbook provides guidance in several broad categories of BC planning. One such category focuses on obligations of the company’s board of directors and senior management. The FFIEC advises that the board and senior management are ultimately responsible for overseeing a proper business continuity planning process, and that this process be included in a written policy identifying how the company will manage and control BC risks.
Drafting a policy is the beginning — not the end — of the story. The FFIEC contends that a board of directors and senior management have a continuing obligation to maintain and periodically update the policy. Specifically, the FFIEC recommends that a company allocate knowledgeable personnel and sufficient financial resources in its annual budget for BC planning. Further, the FFIEC suggests that the company engage a third party to evaluate and test the BC plan on an annual basis. This recurring testing is recommended given that the operating environment of a typical company will change in significant ways over the course of a year and the BC plan must reflect these changes.
While a BC plan will not necessarily prevent the occurrence of a disaster or other significant adverse event, it will help the company manage through the event to minimize harm. To that end, a good BC plan should anticipate the need for a crisis management team. The team should include public relations, financial, and legal advisers.
The unexpected often occurs without rhyme or reason, so the time to implement a BC plan is now during a period of relative calm. If you wait until a crisis strikes, it may be too late to implement the mitigations that would have alleviated the harm resulting from the crisis. In short, it may be too late to put your company back together again.
Andrew Schlidt (aschlidt@whdlaw.com) is an attorney with Whyte Hirschboeck Dudek S.C. practicing corporate and technology law.
Click here to sign up for the free IB ezine – your twice-weekly resource for local business news, analysis, voices, and the names you need to know. If you are not already a subscriber to In Business magazine, be sure to sign up for our monthly print edition here.
