Executive Summary
Introduction
What Is Contingency Planning?
Risk Analysis
Contingency Planning Strategies
Process of Contingency Planning
Conclusion
Glossary
References
In order for a
small business to ensure continuity and a long life, it must have a carefully
thought out contingency plan. This
particular type of plan is a back up in case any type of disaster came upon the
small business. This process can be quite tedious and it is important to cover
every conceivable risk that could be a potential hazard to a company's
survival. This paper will address the
following issues. The contingency plan will first be defined. Then we will explain the various types of
risk analysis that must be addressed before any type of contingency plan is
established. This includes a qualitative and quantitative analysis. Along with these analyses, an array of
examples to consider when making such an assessment will be addressed. Then, we will provide an evaluation of the
various risks that a company can face and possible contingency strategies the
company can take. To conclude this
paper, we will offer a rough sketch of the actual process that a company should
take to develop a contingency plan.
No matter how
carefully you plan, the likelihood of everything going exactly as you planned
is small. When you, as a small business owner, make assumptions regarding the market
and the capabilities of the business, you know those assumptions are not
precise. While these assumptions may realistically account for reasonably
foreseeable events, that does not ensure their accuracy. For example, if your
small business is dependent on borrowed funds and you plan to obtain and use a
line of credit, you have to make some assumptions about interest rates. If you
are realistic, you probably need to look at a range of rates around your
assumed rate to test the impact. Making alternate assumptions and planning
around them is the best way to deal with events that are out of your control.
Let's say that
your business plans to obtain a line of credit, and you negotiate an interest
rate of prime+2 percent. You estimate that the rate you will pay is 9 percent,
but you can live with a rate as high as 12 percent. Obviously, anything below 9
percent makes it that much easier to meet your planned goals. But what happens
if the rate goes to 14 percent or even 20 percent? It happened in the early
1980s, and the change happened over a relatively short period of time. What
would you do?[1]
A contingency plan is an effort to avoid having your
business disrupted when market or economic conditions change beyond what you
are prepared to handle without major adjustments to your business. What kinds
of contingencies should you plan for?
The SWOT analysis (strengths, weaknesses,
opportunities and threats) lists those internal and external factors where your
risks are greatest. For example, if a major external threat is a direct competitor opening up near your location, you can
plan for that eventuality. Perhaps you will lower prices, stay open longer
hours, or institute a frequent customer bonus plan.
Contingency
plans can be included in your business plan in a number of ways. For example,
your financial statements can incorporate a footnote explaining that the
projected interest rate could go up by as much as 3 percent before your profit
margin is seriously affected. Or, your discussion of how many employees you'll
need could state that an additional production person will be hired when sales
of $X are achieved.
Interestingly,
contingencies don't always involve things going worse than expected. For
example, assume that your initial marketing plan for your small business calls
for a mass mailing to 1,000 prospective customers. Assume further that a
primary selling point is the immediacy of the need for the customers to act.
You expect to get perhaps 10 to 20 paying customers out of the mailing.
Instead, you get 243. What do you do? You have sold the market on the need to
act quickly, but your business is not prepared to handle that many customers in
the time frame required. If you have a contingency plan, you are ready to act.
In this example, it may involve bringing in temporary help, outsourcing certain
tasks, or even asking competitors to do the work on a contract basis.
Ultimately, you
can only go so far in contingency planning. What is important is that you have
identified those areas in which your plan is vulnerable to variable factors
that can affect your business. If you have already considered possible
responses to changes in the market, you can react more quickly than if you have
never even thought of the consequences. Thus, whether things go better or worse
than expected, you have already identified the likely causes and considered
your responses.
To fully
understand contingency planning from a small business perspective, we will
further analyze the initial impact of initiating a contingency plan, the risks
involved (risk analysis), the overall implementation and
strategies used, and finally the validation of the process.
The first step
in initiating a sensible business continuity process is to consider the
potential impacts of each type of disaster or event. This is critical - how can
you properly plan for a disaster if you have little idea of the likely impacts
on your business/organization of the different scenarios? At a basic level, business impact analysis is a means of systematically
assessing the potential impacts resulting from various events or
incidents.
Having
determined the impacts, it is now equally important to consider the magnitude
of the risks that could result from these impacts. Again, this is a critical
activity - it will determine which scenarios are most likely to occur and which
should attract most attention during the planning process.
With risk under
control, the implementation process is the next step. This is where the trial and error method begins. Not all contingency plans are flawless. Companies can only predict the risks
involved with their industry and location.
This is precisely why the implementation process is an ongoing
process. Plans are continually being
altered to better suit the company and its future. Once a plan has proven its stability, only then is it validated
and officially part of the business plan.
The classical definition of Risk Analysis is one that
describes it as a process to ensure that the security controls for a system are
fully proportionate with its risks.[2] From a small business perspective,
controlling and minimizing risk is imperative.
Because of its relative size and security, a small business must
recognize all potential hazards and prepare properly. If precautions are not properly taken, minor setbacks can turn
into major problems, sometimes threatening the life of the business.
There are a number of distinct approaches to risk analysis.
We are going to describe two very common yet proven methods in our
analysis.
Quantitative Risk Analysis
This approach employs two fundamental elements: the
probability of an event occurring and the likely loss should it occur.
Quantitative risk analysis makes use of a
single figure produced from these elements. This is called the 'Annual Loss Expectancy (ALE)' or the 'Estimated Annual Cost
(EAC)'. This is calculated for an event by simply multiplying the potential
loss (the dollar amount of the impact) by the probability of the loss occurring.
It is thus theoretically possible to rank events in order of
risk (ALE) and to make decisions based upon this.[3]
The problem with this type of risk analysis is usually
associated with the unreliability and inaccuracy of the data. Probability can
rarely be precise and can, in some cases, promote complacency. In addition,
controls and countermeasures often tackle a number of potential events and the
events themselves are frequently interrelated.
Notwithstanding the drawbacks, a number of organizations have
successfully adopted quantitative risk analysis.
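As an added illustration (not part of the original paper), the Python code below ranks events by ALE, flags pairs whose order could flip once the probability is treated as a range rather than a single figure, and values one control that covers two events. All event names, dollar amounts, probabilities and the control are constructed sample figures; the net-benefit step goes one step beyond the ranking described above.

```python
"""ALE ranking with uncertain probabilities (added example, constructed figures)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    name: str
    loss: float    # estimated dollar loss if the event occurs
    p_low: float   # lowest plausible annual probability
    p_est: float   # best-guess annual probability
    p_high: float  # highest plausible annual probability

    def ale(self) -> float:
        """Annual Loss Expectancy = potential loss x probability."""
        return round(self.loss * self.p_est, 2)

    def ale_range(self) -> tuple:
        """ALE at the low and high ends of the probability estimate."""
        return (round(self.loss * self.p_low, 2),
                round(self.loss * self.p_high, 2))


@dataclass
class Control:
    name: str
    annual_cost: float
    reduction: dict  # event name -> fraction of that event's ALE removed (0..1)


# Constructed sample data for a hypothetical small business.
EVENTS = [
    Event("office fire", 200_000, 0.005, 0.01, 0.03),
    Event("disk failure, no backup", 40_000, 0.05, 0.10, 0.20),
    Event("burglary", 15_000, 0.02, 0.05, 0.10),
    Event("loss of key supplier", 60_000, 0.01, 0.02, 0.04),
]
OFFSITE_BACKUP = Control(
    "off-site backup", 1_500,
    {"disk failure, no backup": 0.9, "office fire": 0.3},
)


def rank_by_ale(events):
    """Order events from highest to lowest best-guess ALE."""
    return sorted(events, key=lambda e: e.ale(), reverse=True)


def unstable_pairs(events):
    """Pairs (higher, lower) whose ALE ranges overlap, so the ranking
    between them depends on probability figures that are only estimates."""
    ranked = rank_by_ale(events)
    pairs = []
    for i, higher in enumerate(ranked):
        for lower in ranked[i + 1:]:
            if lower.ale_range()[1] > higher.ale_range()[0]:
                pairs.append((higher.name, lower.name))
    return pairs


def net_benefit(control, events):
    """Annual ALE removed across every event the control touches,
    minus the control's annual cost."""
    saved = sum(e.ale() * control.reduction.get(e.name, 0.0) for e in events)
    return round(saved - control.annual_cost, 2)


if __name__ == "__main__":
    for e in rank_by_ale(EVENTS):
        low, high = e.ale_range()
        print(f"{e.name:26s} ALE ${e.ale():>7,.0f}  "
              f"(range ${low:,.0f} to ${high:,.0f})")
    print("ranking could flip for:", unstable_pairs(EVENTS))
    print("off-site backup net benefit per year: $",
          net_benefit(OFFSITE_BACKUP, EVENTS))
```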
Qualitative Risk Analysis
This is by far the most widely used approach to risk
analysis. Probability data is not required and only estimated potential loss is
used.
Most qualitative risk analysis
methodologies make use of a number of interrelated elements:
THREATS
These are things that can go wrong or that can 'attack' the
system. Examples might include fire or fraud. Threats are ever present for
every system.
VULNERABILITIES
These make a system more prone to attack by a threat or make
an attack more likely to have some success or impact. For example, for fire,
a vulnerability would be the presence of inflammable materials (e.g. paper).
CONTROLS
These are the countermeasures for vulnerabilities. There are
four types:
o Deterrent controls reduce the likelihood of a deliberate
attack by deterring a potential threat.
An example would be a small business using a security system in order to
protect themselves from the possibility of a burglary.
o Preventative controls protect vulnerabilities and make
an attack unsuccessful or reduce its impact.
An example of this type of control is a small business enhancing
security on their computer systems in order to prevent important documents from
becoming public.
o Corrective controls reduce the effect of an attack by correcting the initial mistake.
An example of this type of control would be
a small venture building a backup office for operations because of fire
hazards. If there was a fire in the main office, operations would not have to
be shut down for a longer period of time.
o Detective controls discover attacks and trigger
preventative or corrective controls.[4] An example of this type of control would be
a virus scanner on the business's computers in order to detect possible viruses
that could cause disaster.

Source: www.security-risk-analysis.com
Now that we have
defined our methods of assessing risk, we are going to look at possible
situations that could affect the business thus reducing or creating risk. The entire business needs to be considered
when risk is being evaluated. Here are
some examples of areas to consider when making a risk assessment.
Security Administration
Security administration practices are ascertained for
resource access, system access and security system control. This means that only select individuals
should be allowed the key to the most important aspects of the small business.
This means trusting those who have such access.
Contingency
Contingency and recovery are considered in great depth. All
aspects are covered, including:
· back-up practice and policy if the small business were to go under
· the contents of the recovery plan - What are the specifics?
· the status of the recovery plan - Is the plan working successfully?
· the recovery location - Is the location feasible for recovery?
· general contingency practice, procedure and policy - Do the
procedures provide fallible corrective action for the small business?
System Design
Security considerations relating to application/system design
should be considered in order to make sure that the best possible security is
maintained within the small business.
Development
The development module embraces all security considerations
pertinent to application/system development, including documentation, auditing
requirements and project control.
Change Control
Covers change control procedures and practice, both scheduled
and emergency. This means that the
small business must be ready for any kind of change whether it is planned or if
the hazard comes unexpectedly.
Security Management And Policy
This module will establish general security status, embracing
general and detailed policy,
awareness and security management. It is imperative that
management are the most knowledgeable and aware of policies of security and
contingency.
Physical Access
All aspects of physical access are examined, including:
· access and damage at a building level
· access to sensitive areas within the building
· protection of individual assets
· procedures to control personnel and others internal to the
building/site.
Hardware
Practice, procedure and risk with respect to hardware and
hardware maintenance are analyzed. The
small business must have a strong understanding of their hardware in order to
be ready for any type of curveball that could be thrown their way.
Operations
Close examination of operations procedures and practices is
undertaken.
Personnel
Personnel policy is covered, with respect to such matters as
recruitment, dependency and
supervision. The
small business should make sure any new employees are trustworthy.
Hazards
All major hazards are considered, including:
· fire
· flooding/water-damage
· power
· environmental systems
· general issues.[5]
If a small business recognizes these possible situations
and plans properly, its chance of
unforeseen risk causing damage is significantly lower. With a conscious effort and detailed
education, businesses, whether large or small, can have great success avoiding
risk. But if a disaster strikes
regardless, a company needs to be adequately prepared to answer and defuse the
situation. The amount of potential risk highlighted above seems vast. Risk is everywhere imaginable. Risk is found in personnel, hardware,
general operations, and other various aspects within a small business. If the preventative system fails, there are a
few alternatives available in cleaning up disasters. For example, after the World Trade Center attacks many businesses
have started moving out of high rise buildings in order to avoid another
similar terrorist attack. A small investment bank within the towers lost many
key employees because of this tragedy. It is important that a small business
attempt to evaluate each and every type of risk, even the ones that don't quite
seem fathomable.
Now that we have examined how risk can affect the life of a
business, alternatives helping to
avoid risk, and what to do when risk analysis fails, we
will move on to basic strategies that can
be used by small businesses in order to minimize such
risk. Our paper will conclude with an
extensive description and steps of contingency planning.
When considering
a contingency plan, it is imperative that the small business take into account
all the possibilities of the potential risks involved. This may include environmental factors such
as fire, flood, or earthquakes, theft, equipment failure, loss of a major
supplier, customer or lender. The
direction of the contingency plan depends on what type of risk is
involved. There must be a concise
strategy for each possible risk.
First, a
contingency plan for natural disasters is essential. Hurricanes, fires, storms or whatever the hazard, the small
business must be aware of such occurrences.
The first step in this particular strategy is to consider your
location. Many of your emergency
preparations will depend on the dangers the location is likely to face. Of course bolting down bookcases to protect
against earthquake damage is more important in San Francisco than Chicago,
while a Chicago company will have to worry about what to do in the event of a
major snowstorm. With fires, all small
businesses should attempt to reduce that likelihood. If the company is
particularly exposed to fire - dealing with flammable materials, working in an old
building, or located in a high fire-danger area - then the small business
should work along with the fire department or fire prevention experts to help
develop prevention and emergency plans.
Of course safety comes first in any situation. The small business must prepare evacuation plans, conduct safety
drills and make sure all employees understand what to do in the case of an
emergency. Furthermore, a contact list
is beneficial when natural disaster strikes.
Alternate phone numbers allow the small business to contact their
employees in case they are unable to contact them through their primary phone. Also, keep extra copies of company files and
records stored away from the office in case the primary records are destroyed.
Finally, even though it can be quite costly, disaster insurance can be a
life-saver.
Secondly, what
if key employees are absent due to accidents or illnesses? It is important that
companies cope with such losses through preparation with the following
strategy. Not every emergency is a
natural disaster. A small business
should develop backup procedures in case key employees become unavailable.
Making sure someone knows where records are or has the power to deposit checks,
pay pressing bills, and contact customers is a crucial segment of a small
business contingency plan. Furthermore,
make sure other people have physical access to your offices and data. If you're
the only one who has access to these things, what happens if you become
unavailable? Of course you must trust these people first.
Third, the
possibility of a computer disaster or equipment failure is a huge threat. Everyone should know that computer crashes
are a lot less damaging if you have a full set of backup data or use stored
service providers. When making a backup plan for your data, consider the
following types of information. This
includes financial data, customer records, administrative records and any other
important data. A cost-effective method is to store backups off-site. Small businesses can have the boss or a key
employee take a copy home once a week.
This way, the company can reduce the risk of losing a week's worth of
work. Another option for off-site
storage is to use an online backup company where your data is sent every
evening over the Internet for storage.
Even a fire-proof safe can be beneficial for vital documents.
Finally, a small
business should have a strategy for dealing with loss of suppliers, customers and
lenders. Let's use suppliers for our
example. Suppliers are a fundamental
part of a small business's lifeline, especially in manufacturing and retail. In some respects, they can be considered
partners to the company. They make it possible for your business to move
forward. A supplier must be reliable,
respond quickly to needs, maintain a schedule, and be willing to negotiate on
terms and payment. The more suppliers
the better. This way, your small
business will have more flexibility on price and you won't be vulnerable to any
major problems. If you do have few suppliers, make sure they are reliable. You
don't want to be left hanging dry without a major supplier. With customers, a backup
marketing plan must be implemented if the small business is not seeing growth
in their customer-base. If the business
is in retail, the small business may have to be more direct about their
products and what they sell. Every
company says they have the best products, so one way to distinguish one company
from another is to offer the most elite customer service. Strategies such as these can help a company
get over the hump and begin gaining profits.
The above
segment has provided a glimpse of various problems that a small business may
encounter along the road of operations.
We have given a brief overview of the various contingency plans that
would need to be in effect in order to minimize risk as much as possible. In essence, it is essential to keep notes on
how you carry out your business on an every-day basis to help better comprehend
what the business depends on the most in order to stay afloat. This includes location evaluation, keeping
track of equipment, must-have computer files, and other necessities. It is important that a company has a long
list of alternatives because if something were to happen, the small business
could be up a creek without a paddle.
A contingency
plan is a crucial part of any sized business.
Small businesses, however, have more trouble creating a contingency plan
due to the high cost that goes with it. According to Todd Gordon, the president
and general manager of IBM's Business Continuity and Recovery Services, "Small businesses typically don't invest
the time, effort, and resources to design redundancy into their systems. It's a
real paradox, because small businesses that face a disruption tend to face
tremendous financial hardships."[6] We live in an uncontrollable society,
full of disasters, and because of that, everyone must have a backup plan for
anything imaginable. In other words, in
order for a business to survive a disaster, it must have a plan that will be
instigated and it will make sure that their day-to-day operations are not
affected. This is especially important
for start-up businesses. They, of
course, are new to the way things are run, and if they cannot see where they
are vulnerable, they will not be around long.
This ties in with the main goals of a small business contingency plan. The three main goals[7]
are:
There are seven
steps involved in creating the best contingency plan. The planning process should never be taken lightly, and should be
continuously analyzed and updated with the latest information.
The first step
in creating a contingency plan is to create a project team. The team's job is to refine the scope of the
project and the associated work program; develop project schedules, and
identify and address any issues that could have an impact on the delivery and
the success of the project. The project
team should consist of a person from every department, or in the case of a
small business, the management team. The project team, however, should not be
the only team established. There should
be a head team that has the overall responsibility for providing direction and
guidance to the project team. The head team should also make all decisions
related to the recovery planning effort.
The second step
of the planning process is to assess any potential problems that may occur
within the business in order to reduce the possibility of a disaster. The reason this is one of the first steps
for planning is that it will give the project team a scope of what needs to be
done. The team must make sure that the
daily operations of the business have no flaws, so that a disaster will not
occur due to an overlooking of potential hazards by the business. It is also easier to focus on problems
within the business since they are foreseeable. The contingency plan, however, will generally focus on unforeseeable
disasters that cannot be prevented. It
is important for the team to remember that once they assess the business for
vulnerability to a disaster, they must have meetings continuously to update
their data.
The third step is
to look at the impact the disasters will have on the different units of the
business. By doing this, the business
will know exactly what each unit can withstand during a disaster. They will know how long it can last while
other units are out. The business in
the end will basically know the threshold of each
unit. This provides the project team
with information on how to incorporate a plan that interacts with all of the
units.
The fourth step
is to put together a profile that has everything the business is going to need
in order to protect itself. An example
would be requiring better information on employees so the business has
alternative ways to reach them. To do
this, the business may need a new communications system. Once all of the requirements are in the
profile, the project team will analyze it and make alternatives to the
requirements and will also provide the requirements that are deemed necessary.
The fifth step
is to use all of the compiled data of the business and develop a plan. This step will consist of instigating the
requirements from step four. They will
do this by signing contracts with numerous disaster service businesses. All of the data will be updated at this
time. A decision maker must be
appointed and there should also be a chain of command that runs the
business. The decision maker must know
the plan by heart and will call all of the shots so that there is no arguing
and confusion, and in the end, will save precious time during the
disaster. Chain of command must be
developed in case the decision maker is not there. The next person in command will have the decision making power. All of the people on the chain must be able
to lead the business and must have had proper instructions on how to do so.
The sixth step
is to create a program that deals with creating a test for the plan. Testing will make sure that all aspects of
the business have been prepared for a disaster. Once a test has been created, the business should analyze it and
consider whether another form of testing would be better. Examples include
fire-escape plans or back-up data files.
The seventh step is to educate all of the
employees concerning everything about the plan. To do this, the business will execute the tests created in step
six. Testing should be done often so
that everyone remembers exactly what to do when a disaster strikes. The
business must keep in mind that it is very important that the contingency plan
is understandable, easy to use and easy to maintain. Businesses in the past
have missed vital signals that could have been prevented. Most major corporations think they have a
disaster recovery plan. Yet a startling 82 percent of established enterprise
systems do not have effective protection against problems such as corruption,
accidental deletion, system crashes, viruses, or environmental disasters,
according to the 1997 Vulnerability Index Study.[8] If major corporations still struggle to
pinpoint a viable contingency plan, imagine how many small businesses lack
disaster recovery plans.
After reviewing
the above analysis, contingency planning should be a vital part of every
company in order to sustain a long life of operation. We have defined contingency planning, given insights to risk
assessment, examples of contingency strategy and have mapped out the actual
process of this planning. It is easy to
see what the possibilities are and how we deal with risk every single day of
our lives. It seems as though different
risks pop up every day, as we saw from September 11th. Every company must acknowledge that they are
not immune to potential risks and that proper countermeasures must be taken in
order to minimize this risk. With this
in mind, a company without a contingency plan is analogous to a boat without a
paddle. There may be a calm before the
storm, but once that storm hits, you don't want your boat without a paddle.
Annual Loss Expectancy (ALE): is calculated for an event by simply
multiplying the potential loss by the probability
Business Impact: A commercial activity engaged in as a means of
livelihood or profit, or an entity which engages in such activities
Contingency plan: is an effort to
avoid having your business disrupted when market or economic conditions change
beyond what you are prepared to handle without major adjustments to your
business
Detective control: discover attacks and trigger preventative
or corrective controls
Deterrent control: reduce the likelihood of a deliberate
attack
Direct competitor: any entity
in the same market (competing market) that directly affects your business.
Estimated Annual Cost (EAC): see Annual Loss Expectancy (ALE)
Prime Rate: The interest rate that commercial
banks charge their most creditworthy borrowers, such as large corporations.
The prime rate is a lagging indicator. Also called prime.
Preventative control: protect vulnerabilities and make an
attack unsuccessful or reduce its impact
Project team: the team assembled to carry out the
day-to-day operations of the project
Recovery plan: a plan designed to help an entity
reorganize after unforeseen disasters or setbacks take place
Risk analysis: is one that describes it as a process to
ensure that the security controls for a system are fully proportionate with its
risks
Qualitative Risk: Determining the value of an investment,
especially a stock, by examining its non-numeric characteristics, such as management,
employee morale, customer loyalty, and brand value
Quantitative Risk: The process of
determining the value of a security by
examining its numerical, measurable characteristics such as revenues, earnings, margins, and market share
SWOT analysis: defining the strengths, weakness,
opportunities, and threats in a small business
Threshold: The
point that must be exceeded to begin producing a given effect or result or to
elicit a response
1) Business Continuity Planning & Disaster Recovery Planning Directory. www.disasterrecoveryworld.com
2) Business Continuity and Contingency Planning. June 14, 1999. www.fda.gov/oc/y2k/ombcrit.htm
3) www.contingencyplanning.com
4) Preparing Your Business For the Unthinkable. www.redcross.org/services/disaster/beprepared/busi_industry.html
5) Contingency Planning. www.rhondaworks.com/RO/content/hmrArticles_view.asp?sect=crisis&did=152
6) Interview, Don DeMarco, Director, IBM Business Continuity and Recovery Services. www-1.ibm.com/services/continuity/recovery1nsf/documents/home
7) Emergency Management Guide For Business and Industry
8) Freeman, Carl: Introduction to Contingency Planning.
9) Greenwald, Judy. September 11 Attacks Show Value of Planning for Crisis. Business Crisis: Chicago; Jan 7, 2002
10) Mullin, Tracy. Is Your Business Prepared? Chain Store Age; New York: Jan 2002
11) Ohlson, Kathleen. Network World Fusion: Planning For the Worst, Bring in the Best. 11/26/01. nwfusion.com/research/2001/1126featside5.html
12) Strozniak, Peter. Averting Disaster. Industry Week. Cleveland; Feb 12, 2001
[1] http://www.business-continuity-world.com/
[2] http://www.eon-commerce.com/riskanalysis/whatis.htm
[3] http://www.security-risk-analysis.com/
[4] http://www.security-risk-analysis.com/
[5] http://www.security-risk-analysis.com/cobkbs.htm
[6] http://www.inc.com/leadership_and_strategy/advice/23647.html
[7] http://www.utoronto.ca/security/drp.htm
[8] http://www.sun.com/storage/white-papers/backup-article2.html