I see many businesses so involved in their day-to-day operational aspects that they lose sight of planning for adverse events which could suddenly derail their business. Asking yourself: “what is the worst that can happen, and how long can I continue to operate if that situation continues?” is a good start to identifying where you might be most vulnerable should an adverse event occur.
All aspects of your business operation will need to have this question applied to ensure you have considered your potential vulnerabilities.
Assigning degrees of impact is useful to focus your attention on events which are a nuisance, but have easy work-arounds; to those which are catastrophic, and which could potentially cause the sudden cessation of your operational activity. A further question to add to your analysis is the likelihood of the event happening.
To make sense of where to start; begin with a list of adverse events long the top of the page and then start a list of operational headings down the side of the page. Each adverse event and operational activity will most likely require several sub-headings – but these can added as you proceed with the exercise. Where each activity and event intersect, note the likelihood of occurrence as low, medium or high (e.g. LL, ML or HL); alongside the potential impact of the event on your ability to continue operating – also as low, medium or high (e.g. LI, MI, or HI).
Your list of adverse events might include:
Natural disaster – e.g. Fire, flood, earthquake, tsunami, cyclone
Communication disruption – e.g. Internet outage, internet malware or cyber attack
Utility outage – e.g. power, gas, water
Death or sudden illness of key staff – including workplace accidents
Security breach, both external and internal – e.g. Burglary, fraud, loss of data
Loss of key suppliers and/or customers
Loss of funding
Your list of operational headings might include:
Personnel Health and Safety (including office and factory environments, as well as staff who work from home)
Buildings and Working Environment (including waste management and hazardous substances)
Financial Management and Systems (including debtor and creditor management)
IT Management and Systems (including security, hardware and software)
Risk Mitigation strategies might include:
Creation of policies and procedures to review, monitor and mitigate risks on an ongoing basis
Regular audit by specialist professionals – e.g. fire and emergency service, police, insurance providers, health and safety consultants, other ‘risk management’ consultants
Identification of suitable alternative premises to continue operation – office and/or factory
Specialised IT support services
When writing up your risk management plan you might choose to focus firstly on those events which have a high likelihood of happening and which have the highest potential impact – then work your way through to those assessed as medium then low.
An internet search reveals there are many documents and specialists which can assist your risk identification and management planning – I recommend you don’t wait for an adverse event to happen before you give some serious thought to managing potential risks for your business...
If you want some help to talk through your options, then give me a call!