Contingency Planning & Risk Management

A contingency plan is a roadmap to help an organization prepare to return to normal business activity after the occurrence of a challenging or disruptive event.  In simpler terms, it is a plan to prepare for a worst-case scenario. Historically, companies have often referred to such plans as a disaster recovery plan, which generally referred to events in which computer systems failed.  Then the general concept of business contingency planning developed, which was broader and encompassed additional disruptive situations such as the loss of a building due to events like a fire, or events like 9/11, in which a building is no longer accessible.  

Many companies have avoided developing contingency plans due to the cost.  Many business owners have felt that the cost was too high for no return.  However, events like 9/11, damage from major hurricanes, and the COVID-19 pandemic have brought contingency planning to the forefront and are now part of many strategic planning processes. Many businesses do not recover from disasters, due in some situations from a lack of planning. Disasters relating to computer failure can often be avoided with adequate computer backups, including cloud-based software and storage.

Some disasters related to the environment or general business conditions may be anticipated, such as those that are weather or economically related. You can track the forecasts and prepare them to some degree. However, many disasters are completely unexpected, such as a global pandemic, for example, the COVID-19 pandemic.

It is critical to the future health of your business to be ready if the unexpected happens.  Further, the success of a contingency plan is directly related to the staff’s familiarity with the plan and preparedness.  For example, what systems need to be addressed immediately or within certain time frames if they go down?  Does the staff know what to do or where to go if the building is not accessible?  These are just a few of the many questions that the company’s staff will need to face in an emergency.  Rehearsing the steps necessary in a contingency plan is key to the success of the plan, and sometimes, to the survival of the business.

CFO Strategies is equipped to support businesses of all sizes to take the necessary steps to prepare for an emergency.

To learn more about the ways we are supporting our clients and can help prospective clients during the COVID-19 pandemic, including help with PPP & EIDL loan programs. To learn more about how we are supporting our clients and staying safe during this time, visit CFO Strategies Safety Protocols during the COVID-19 Pandemic.

Creating a Contingency Plan 

“Expect the Unexpected”

If your office were not accessible due to a natural disaster, would you and your staff know what to do to keep the business going?

If your computer system crashed today, do you know how to recover the data to get your business up and running again and how long it would take, and the cost to your business? 

If you lost a key employee unexpectedly, do you have a person ready to take over those key duties?

These are just a few examples of questions your business should be prepared to answer. 

It’s a tough sell in this economy to ask business owners to spend money to protect against events that may never happen. Yet, the consequences of not having disaster preparedness can be fatal.  The ideal situation with risk management and contingency planning is to not wait for a disaster to happen before taking action to protect your business. Rather, it is necessary to prepare for all reasonably possible contingencies and put in place the necessary steps to enable quick recovery so that your business can return to normal as quickly as possible and at as minimal a cost as possible.

People often describe contingency or disaster recovery planning in two ways and they mean different things. Many use the phrase “disaster recovery” to refer to a disaster involving the failure of technology systems (PCs, servers, computer networks). You may also hear the phrase, “contingency planning” or “business contingency (or continuity) planning.” These phrases refer to the plans associated with the effect of a disaster on the business in general, beyond just the technology systems. For example, this may include the inability to access your office due to a natural disaster, and it may also include protecting your employees from security threats.

Ideally, a business should have a broad contingency plan that considers all aspects of the business, its operations, and its people and key assets. The technology systems should be considered as a key component of that plan. Every business contingency plan should be documented and periodically updated. 

At a minimum, the contingency plan should include the following:

Designated Business Contingency Officer

The company should designate a person to be responsible for developing a written plan (including obtaining the involvement of key department heads, where appropriate) for keeping the plan updated and for ensuring that the implementation of the plan is effective.

Key Responsibilities

The plan should include the names of key individuals and the specific tasks they are responsible for once the plan is put in motion during a disaster. The plan should indicate the people to call and in what order to inform them as to the events are taking place. The plan should also indicate where each person should go and what action they should take when they get there if they are required to physically leave a space. Consideration should be given to arranging for back-up office space with appropriate levels of technology to be available so that key aspects of the business can continue to operate.

Document Backup

The plan should include how and where key company documents are backed-up and maintained. The use of optical imaging and off-site storage facilities should be considered. In addition, the location of off-site storage facilities needs to be considered. The facility needs to be far enough away that it is not subject to the same area if an earthquake or natural disaster occurred, but it needs to be accessible when needed.

Insurance

A comprehensive review of insurance policy coverage should be undertaken, identifying key locations, nature and extent of insurance coverage, and related deductibles, if any. Most companies have workers compensation, general liability and excess umbrella coverage. You should also ensure you have an appropriate amount of business interruption insurance and that it provides the coverage needed in a natural disaster.

It is important to know what is included and excluded in the event an insurance claim needs to be filed. Waiting until the middle of a disaster to find out you do not have the coverage can have major consequences on the stability of your business. an independent insurance consultant to review the adequacy of coverage and determine gaps in coverage and the risks and related costs of such gaps. On the other hand, you should also determine where excess coverage is in place that can be reduced so the costs of insurance may be reallocated to other insurable risks.

Security

The plan should consider steps to protect assets in various geographic locations, as well as factoring in the safety of employees. Consideration should be given to travel announcements from the government that cover travel restrictions to various overseas locations. Some companies put restrictions on how many employees may travel on the same flight to reduce the risk of losing key employees in an accident.

Technology Systems – Disaster Recovery

There are many critical steps in preparing for and protecting against a disaster-related to technology. Systems may crash at any time for any number of reasons. If your system crashed right now and key information was lost, or if the system failure prevented your employees from doing their jobs, the adverse effect on your business, cash, customer relationships and reputation could be devastating.

Whether you have a Chief Information Officer or outsource your technology service provider as many small businesses do, the following should be performed at a minimum:

  • An inventory of all technology hardware and software should be in place and kept up-to-date.
  •  A determination should be made as to what hardware and software should be redundant and be available for the off-site back-up site referred to above.
  • A “criticality” chart should be developed that shows the systems, programs, and computer files that are most critical down to those that are least. The chart should show the systems that need to get up and running immediately and those that can get back up later. The amount of time required for each system or program to be restored should also be estimated and any significant differences should be addressed to minimize the gaps.
  • A schedule showing how and when each system, program, or computer file is normally backed up should be included. 
  • Off-site back-up must be maintained and the plan should indicate the off-site storage procedures. Consideration should be given to moving key systems to the “cloud” where practical.

System redundancy both on-site and off-site should be considered and addressed. Cost considerations need to be factored into the plan. The key is to address the total cost of a loss versus the cost of the disaster recovery plan. Again, remember that the total cost of a loss includes not just the cash-related cost of the loss today, but the future loss of business from damage to your reputation and relationships, not to mention that some businesses may not recover timely or at all without an effective plan in place.

Testing the plan

You may develop a great plan but if it doesn’t work effectively when needed, it’s as good as not having a plan at all. Obvious, right? But then, again, we’ve all seen fire drills that are not taken seriously or staff losing productive work time because the computer systems are down. You can build the best controls to protect your business but how do you know they will be effective when needed?

You have to test the plans to make sure they work. That doesn’t just mean scheduling walk-throughs that are well planned and scheduled. Those are necessary for sure, but that is not going to ensure that in a crisis, when people are panicking, that your business and key assets will be protected and losses are minimized.

Best practices of the most successful companies include testing contingency plans via simulated emergencies on a surprise basis. It is understood that there is some cost associated with this, but it is important for every employee to know what to do in an emergency, where to go, and the next steps, particularly when stress and fear are high. Some panic may be inevitable in a disaster but effective contingency plans will in most cases ensure that the risk of loss in a disaster is reduced and also ensures the continuation of your business.

We have highlighted some of the key points to consider in developing contingency plans to protect your business in a disaster. Some of these are relevant to your personal residences as well, particularly for small business owners that work from home.  CFO Strategies has the experience to work with you to help build and maintain that protection.  Contact us today to discuss your specific circumstances and help ensure that your business survives the unexpected.