An article by KATHLEEN LUCEY in the July issue of Continuity magazine culled some interesting facts from a Continuity Insights/KPMG study re the state of Business Continuity Management (BCM) in the United States.
Ms. Lucey is president of Montague Risk Management, a consulting organization (http://www.montaguetm.com).
One of the first things to catch my eye was Ms. Lucey's comment that "... based on the size of the firms responding to this survey, it means that the small-and-medium size business sector probably has even less BCM capability than previously thought."
This is supported in a Jan Persson article, "An alarming DRP statistic that can easily be fixed," on the Rothstein Associates Inc. Business Survival Weblog at http://www.rothstein.com/blog/2008/07/an-alarming-drp-statistic-that-can-easily-be-fixed/.
A few years ago, while working on a SOx project in Charleston WV (great town, by the way), I became involved with some Certified Public Accountant (CPA)-type auditors. We - the auditors and I - proposed to the CPA firm's management that it provide BCM, the nom du jour for business continuity, to its Small/Medium Business (SMB) clients. Management agreed in principle, but before we could turn BCM into a "value added" service offering by the CPA firm, my contract expired (my client was bought by another company) and the proposal came to naught.
It seems to me that, if Ms. Lucey (and Continuity Insights and KPMG) are correct, we - risk management practitioners - would do well to introduce ourselves to CPA firms.
Likewise - and another "if I hadn't moved" situation - independent insurance companies and multiline agents.
I might even suggest lenders of BIG BUCKS, especially when collateral is less than desired.
There is a market for Enterprise Risk Management (ERM) in the SMB world.
Independent practitioners can't mine the market unless they are independently wealthy - I'm not. But if practitioners could convince multiple clients that serve the SMB world - the CPAs, insurance companies, lenders, and others - to put a practitioner on a small retainer, then the CPAs, etc. could offer ERM as a value added product (enhancing the vendor's image while increasing profit for minimal investment), the SMB owners could have a real ERM plan that reduces risks to the insurers and lenders, and the practitioner could make a living.
I'm not certain what "Medium" size indicates - perhaps between 50 and 500 employees? It seems to me that SMBs need ERM more than the big companies.
Big companies, the Fortune 1000 level, might be able to weather a storm (as some monster organizations weathered Katrina) using owned resources and an ability to "waste" extra money (that was spent because mitigation and recovery plans were either non-existent or ignored), both of which are unavailable to the "typical" SMB.
A friend of mine owned a jewelry store in Orlando FL. Small store in downtown. He'd been there for years and his name was as important to his customers as was his merchandise.
If a fire gutted his neighbor, my friend would be, at least temporarily, out of business.
If some otherwise nice folks came out of the corner tavern and got a bit rowdy, his storefront glass might be shattered and some "midnight sales" take place. (He locked up all the good stuff.) His customer records, unlike his merchandise, could have "disappeared" and that would have been at least a small disaster for the business.
He was lucky over the years.
Most of us are.
At the same time, most of us carry insurance of some type.
Some of us even have personal "survival" plans (in case of a fire at home, etc.).
Businesses, of all sizes, need ERM plans.
SMBs normally can't afford our services, and we can't afford to court SMB business.
But CPAs, insurers, lenders can encourage ERM during the normal course of business.
It is to the practitioner's advantage, the SMB owner's advantage, and to the intermediate vendor's advantage to develop an ERM "value added" product.
John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @ JohnGlennMBCI.com