Wednesday, September 3, 2008

ERM-BC-COOP: Small businesses not prepared

An article from the Continuity eGuide for 3 September 2008 addresses small business risk management in the UK. The article, British Small Businesses Unprepared for Risk, is on the WWW at http://disaster-

A new survey by YouGov has found that small- to medium-sized businesses in the UK often disappoint customers because they lack business continuity planning.

In an article on the website, Rosalie Marshall says the online survey of more than 1,000 small business owners and managers revealed that only one third of SMBs are taking steps to ensure their business will continue to operate normally in the event of disruption.

Stephen Rankin, regional director for UK employers’ organization the Confederation of British Industry, told Marshall “companies cannot afford to be out of action for any extended period of time because they risk losing customers in the short term and damaging their relationship in the longer term. This survey highlights the fact that some businesses have a long way to go in getting their plans up to scratch.”

In other findings, 40 percent of respondents said a computer hardware failure would be detrimental to their business, and only 10 percent said they would be able to function as normal after a failure.

“Also, less than ten percent of the SMB managers had heard of BS 25999, the first British Standard for Business Continuity Management, which was launched at the end of last year and sets best practices for business continuity plans,” Marshall adds.

However, it looks like the message might be sinking in a bit after all. The survey also found that after the managers were informed of the BS 25999 standard, 30 percent said they would apply for certification.

The problem, at least on this side of the pond, is that Small & Medium Businesses (SMBs) usually can't afford to engage a qualified planner full time and likewise lack the budget to hire a consultant.

I can understand the SMB owners' and managers' predicament.

There is a solution, but it takes a third party, or perhaps a group of third parties.

As much as practitioners want to provide their expertise to everyone, there is the small matter of paying the bills.

Last month I had a blog entry titled "SMBs and Understanding ERM" that looked at ways for SMBs to finance business continuity.

The point I was making then is worth making again - mostly because no one has been banging on my e-door asking for more information.

Then, and now, I suggest that trade, professional, and industry organizations - primarily national and regional - employ experienced practitioners and make their expertise available to their members. The organizations already charge a membership fee to help offset various and sundry activities. Some of the money collected might be directed to a practitioner's compensation. Individual members also might pay a percentage of a plan's development and on-going maintenance costs.

Another approach would be for auditors and insurance companies or agents - and similar vendors - to engage a full-time practitioner to create plans for their clients as "value added" services. Again, the client might be able/willing to pick up some of the cost.

Frankly, Scarlett, I don't care how or who finances risk management, as long as a risk management program is undertaken.

Now, before someone pushes back and tells me "but all plans are different," I'll concede the point. But, having been doing this for more than a dozen years, I know there are some basic - repeat, basic - steps that can be translated into a "one size fits all" template or skeleton plan.

Since most SMBs are, by definition, "small," the plans should be relatively simple and straight-forward - translation: relatively quick to create and validate. Rather than have a plan reviewed by 20 people at several different management levels, the SMB plan typically will be reviewed by one or two Subject Matter Experts (SMEs) and one or two managers or owners.

Basic Statements of Work (SOWs) and Project Plans almost could be boilerplate, particularly if the program is sponsored by an affinity group (e.g., grocers, Realtors, doctors, religious organizations).

Bottom line: The wheel does not have to be reinvented for every plan. "Tweaked," yes; reinvented, no.

Every organization needs an enterprise risk management program; every organization deserves an enterprise risk management program.

Note I wrote program and not project.

Enterprise risk management, business continuity/COOP - call it what you will - to be successful needs to be an on-going program. Projects have a start and end point - and while a plan is created as a project, it is only one part of the program that includes continuous maintenance and exercises. Plans that gather dust on the shelf quickly become not just useless but sometimes dangerous.

There IS a way to assure that SMBs can afford enterprise risk management and that practitioners can make a decent living.

Now, if we can just get the organizations and vendors on board . . .

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @
