This is a guest post written by Ignition Law’s Francesca Yardley and Jake Schogger.
The recent coronavirus pandemic has highlighted the need for all businesses, from large corporates to early stage startups, to carry out impact assessments to anticipate and mitigate the effects of worst case scenarios.
Why Are Business Impact Assessments Important?
Business impact assessments enable you to produce well designed action plans that can help your business react quickly and effectively in a crisis, which can minimise the extent of any negative impact arising out of a crisis.
Additionally, a thorough impact assessment will help to alleviate investor concerns around continuity, which can be especially relevant in times of heightened caution and scrutiny.
In this article, we look at how to carry out a business impact assessment, the key impacts that early stage businesses should consider, and how to put together a business continuity plan.
What Is A Business Impact Assessment?
A business impact assessment aims to identify the types of issues and scenarios that might negatively impact the day-to-day running of a business, then predict the implications (financial or otherwise) of such disruption and identify steps that could be taken to mitigate the identified risks.
Who Should Conduct A Business Impact Assessment?
Whilst often a frequent exercise for larger businesses, the recent pandemic has demonstrated that earlier stage businesses should also be pinpointing potential threats to their daily operations in order to help mitigate against any potential financial and operational impact if such threats were to materialise. Whilst major disasters are uncommon, small scale disruptive incidents do occur frequently, so it pays to be organised.
Studies carried out post-2008 clearly demonstrated that SMEs were the most severely impacted by the global financial crisis, with the general drop in liquidity and decline in demand leading to many businesses downsizing or even closing.
However, if some of these businesses had carried out a detailed business impact assessment in advance, they might have been able to take action with the necessary speed and effectiveness to survive. A business impact assessment might, for example, have enabled them to quickly employ “off the shelf” measures that had been designed in stable times to help the business reduce costs, protect cash flow and diversify into “safer” categories of products and services.
How To Carry Out A Business Impact Assessment
1/ Threat Assessment
Start by identifying any specific threats to your business and consider whether there is anything you could do in advance to mitigate the potential effects of each.
This might include threats that are both within or outside of your control, for example
- the loss of a key supplier or customer;
- internal fraud;
- failure to protect key intellectual property;
- the unavailability of raw materials;
- natural disasters;
- malicious cyber-attacks; or
- the global spread of a highly infectious disease.
Once you have identified the threats, consider whether there are particular performance metrics or thresholds you could track in order to identify any early stage indications that your business is being negatively impacted. For example, a decrease in total number of leads generated or monthly recurring revenue could provide early signals that the threat is impacting your business.
2/ Identify Business Processes / Activities
The next step is to think about the day-to-day functions that allow your business to operate effectively. Identify each of the business processes that underpin those functions – including the human capital and financial resources needed to keep those processes ticking along – then ascertain how each of these might be affected by the threats identified in step one.
You should then consider the consequences of each function ceasing to operate. For example, an economic downturn might result in a minor impact on liquidity or the availability of certain supplies, but a global pandemic will likely have a much broader impact and therefore require a far more dramatic strategic response (e.g. shifting the business’ strategy from scaling or maintaining revenues, to survival mode).
In each scenario, you should think about the extent to which this could result in reputational damage, financial loss, an inability to meet demand, regulatory fines, a reduction in customer service standards or a risk to security and safety.
It is critical to assess the length of time for which the business could feasibly operate without each function operating effectively. This is known as the “Recovery Time Objective” or “RTO”, which will enable you to determine how to prioritise the protection of each function (or the extent to which any future disruption to each function will need to be mitigated). The RTO can then be used to help you focus your action plan, including any funding that goes into executing it.
3/ Capacity & Access To Resources
It can also be helpful to consider how the business’ access to resources and its general capacity to operate may be affected by a major incident.
You could start by identifying all the internal resources (e.g. factories, machinery, vehicles, IT support, security resources, laptops etc.) and external resources (e.g. raw materials, the supply chain, distribution networks, regulators, insurers etc.) that the business relies upon.
You should also ensure you have an up-to-date list of employees and other key personnel, including their roles, levels of seniority and locations. Consider whether some or all of those workers could work remotely if necessary (either from home or an alternative premises) and whether they have the resources/security clearance to do so. This type of analysis could help you to understand whether you will need to grant access rights, draft process documents (including handover processes), and explain where employees can find historic documents, passwords and data back-ups.
You should then assess whether there is anything that could be done in advance to mitigate the potential effects of each of the identified threats on your key resources. For example, if a global pandemic could result in key suppliers shutting down, should you start to hold additional stock in case the country goes into lockdown, or should you commence a dialogue with potential alternative suppliers.
4/ Business Continuity Planning
Using the information you have gathered during steps 1 to 3, as well as your risk assessment, you should then create a business continuity plan. Business continuity plans will vary greatly between businesses (depending on how functions are prioritised), but the general aim is to project how each of the threats you identified will impact your key business functions and resources, and then design steps to mitigate this impact. It’s important to create continuity plans that are relevant to specific threats, as you might otherwise find yourself with a blanket approach that isn’t particularly actionable in a specific situation.
As an example, during the recent coronavirus outbreak, one of the biggest impacts for many businesses globally related to cash flow. Good business continuity plans would have considered the steps these businesses could take in the short/medium term to better manage cash flow, and clearly identified how long it would take for the business to run out of cash in a range of scenarios.
Once completed, you should consider distributing your plan to key stakeholders for feedback and continue to review and refine it on a regular basis.
Business Impact Analysis & Insurance
It would be remiss not to mention the use of insurance when putting together a business impact assessment and planning for business continuity, although this shouldn’t be seen as an alternative to continually assessing your business risks and taking steps to mitigate any financial or operational impacts arising.
Of course, insurance would need to be purchased in advance of risks actually materialising. However, by carrying out the steps set out above, you can better gauge how a disaster might financially impact your business. This, in turn, can enable you to determine whether additional insurance cover may be necessary. Some insurers might even insist that you have a business continuity plan in place before they will provide cover.
The type of insurance available will vary according to the nature of your business and insurance may not always cover the risks that you would expect. It is therefore essential that you understand the scope of any policy, including any exclusions. For example, during the coronavirus pandemic, many businesses that had hoped to recover for loss of earnings under their business continuity insurance policies found that their claims were actually excluded.
To summarise: if the worst were to happen, having a well thought through business impact assessment and continuity plan in place can help to save time and money, by ensuring that you are prepared to adapt and respond quickly and effectively.
Ignition Law provides a unique, seamlessly integrated legal services offering that has helped thousands of entrepreneurial and ambitious start-ups, scale-ups, VC-backed SMEs and other high-growth enterprises secure investment, meet their governance obligations and rapidly scale.
You’ll have access to market-leading experts at a fraction of the usual cost, whilst many of Ignition’s lawyers also run their own successful businesses, equipping them with the personal experience necessary to understand and effectively tackle the many challenges faced by founders and innovative businesses.
For more information, visit https://ignition.law or email [email protected]. For free information relating specifically to COVID-19, visit https://www.ignition.community (this includes a range of articles that are particularly relevant for founders and key employees of start-ups, scale-ups and SMEs who are currently negotiating the current pandemic).