<img height="1" width="1" style="display:none;" alt="" src="https://dc.ads.linkedin.com/collect/?pid=359300&amp;fmt=gif">

Fail to plan, plan to fail: why SMEs must have a business continuity plan in place

By Jodie Korber on 22/09/16 3:31 PM

Social-Networking-And-Cyber-Security.jpgBusiness continuity planning is critical to an organisation’s ability to sustain operations during a significant business disruption.

For small and medium sized businesses especially - a business continuity plan is essential. Larger enterprises can weather many storms, but it can take just one disruptive event to significantly damage a smaller organisation’s reputation and finances.

Yet in most SMEs, continuity planning is a neglected – if not omitted altogether – relegated to the bottom of the business priority list in order to make room for more ‘profitable’ activities. 

Cybercrime on the rise

It’s not just natural disasters and one-off events that cause disruption to a business. Other common risks include breakdown of machinery and equipment, power outages, and theft.

Now more than ever, cybercrime and data breaches are becoming the biggest threats to SMEs’ survival. According to the 2014-2015 Australian Federal Police annual report, SMEs are more likely to suffer cyber attacks and data breaches than larger companies who typically have robust IT security systems in place.

Last year there 3,500 data breaches on average in Australia each month, and the AFP predicts that this number will rise. Ransomware in particular has become a popular attack platform in Australia. In 2015, the Australian Competition and Consumer Commission (ACCC) received over 2,500 ransomware and malware complaints, with over $970,000 reported lost by SMEs and consumers.

The financial repercussions from these attacks aren’t just limited to the immediate theft or data loss. They also include compromise to private intercompany communications and customers, vendor contract details, confidential business information and reputation, which all have an impact on future income.

For many business leaders it comes down to risk and reward. CEOs and business owners are not likely to jump at the prospect of budgeting for a ‘just in case’ plan with no apparent ROI, preferring instead to see the cash reinvested in productivity and research and development, or other growth activities.

Assessing the business impact

In many cases however, CEOs are reluctant to invest in business continuity planning because the impact to the business of potential downtime is not known. In this scenario, a Business Impact Analysis (BIA) is required to predict the consequences of disruption of a business function and process and gather the information needed to develop recovery strategies.

The first step in this process is to identify the aspects of business operations that are critical to its survival. This can range from the records and documents required daily to major business processes such as payroll.

The second step in a BIA is to determine how long the business can survive without performing these critical business activities. This means identifying an organisation’s recovery capabilities should disaster strike, defined through Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs). These are determined by reference to the impact on the organisation of interruption of business processes (and loss of recently entered data).

If an organisation has an in-house IT department, it’s important to involve them in the BIA process, as the third step is to map the outputs to IT systems. Technology is what enables the RTOs and RPOs to be achieved. Alternatively, an external IT partner can manage the entire process. This will likely be at a lower cost of managing the planning in house and has the added benefit of consultation with experts.                                                      

Fail to plan, plan to fail

Every organisation must address the need for business continuity planning, but many SME leaders don’t view it as a worthwhile investment. However, whether it’s equipment failure, theft, cybercrime, environmental impacts, or just user error, without a strategy, it may be impossible to recover.

SMEs need to invest time and resources to determine which systems and business units are most crucial to the company, and decide which people are responsible for declaring a disruptive event and mitigating its effects.  

While more than anything it’s about people and processes, technology is a key component in ensuring business continuity strategies are effective. Whether engaging an IT partner or using in house resources, it’s important that business continuity challenges are faced head on to ensure the organisation is as prepared as it possibly can be.

To understand more about Business Continuity and how this differs to having a backup in place download the ebook, “Backup vs. Businesss Continuity.”