1. Information Technology

It is well known that even temporary loss of business IT functions can be damaging, and this is increasing as enterprises become more reliant on their ICT infrastructure. Risks may include;

• Loss of data - no backup of, or unrecoverable, business data, hacking, etc.
• Loss of infrastructure; hardware, software, desktops
• Loss of communication, including electronic payment capability

2. Financial

The financial robustness of the business can be adversely affected by risk factors such as;

• Capital funding loss or withdrawal of credit line
• Internal or external fraud
• Receivables; e.g. customer bankruptcy
• Market and political changes

3. Liability

With the best of intentions, businesses are still at risk of making wrong decisions and suffering the liability that follows. While liability is normally a component of business insurance cover, the results of being liable can still be very disruptive operationally. Crisis response may be needed in areas like;

• Public liability
• Professional or directors' indemnity
• Law suits involving customers, suppliers, staff, other 3rd parties
• Statutory liability

4. Supply chain

A high proportion of NZ businesses are not self-contained but rely heavily on supply chains, both for inputs such as stock or outputs like the distributor network. It could be argued that risks in the supply chain are high on the adverse event likelihood scale but often are not adequately recognised. Considerations include;

• Supply chain partners are not under your control
• Weak or non-existent contracts
• Reliance on sole supplier or distributor

5. Labour disputes

While obviously a dispute with your own staff is a risk, it is probably more manageable than any external labour dispute such as a lengthy strike at your main supplier's factory overseas.

6. Technology

To one degree or other New Zealand businesses are more and more reliant on the technology that is inherent in their product(s) or processing. The risks that accrue from this fact include;

• A competitor introduces a new product based on a new technology
• Attack on intellectual property owned or licensed by business
• Failure of key proprietary manufacturing equipment

7. Natural disasters

An important difference between a business-centric crisis, such as major fire, and a 'natural disaster' is that the latter also impacts your customers, staff, transport, city infrastructure and so on. This potentially makes recovery much harder, as the business people of Christchurch can vouch.

However, the experiences in Christchurch also include many examples of quick recovery by businesses that did have continuity plans in place. Such companies got on with recovery rather than sitting outside the barriers bewailing that they could not rescue their business records.

Statistically, natural disasters like earthquakes or tsunamis are much less likely than other crisis situations but can cause much greater business damage. However, the Business Continuity Plan(s) devised for business-centric crises do provide a good platform on which to build the natural disaster recovery plans.

8. People

Your business relies very much on its people, whether they are process workers in the factory or directors. Occasionally a staff member may be the cause of a crisis event 'such as in fraud or theft' but mostly continuity plans focus on keeping staff safe in the event of crisis and then getting them back to work as quickly as possible. Considerations include;

• Well thought out and tested evacuation procedures - we work closely with local Civil Defence and Fire Safety officers to help with this.
• Effective communication with staff before the crisis to ensure that they understand and buy into the procedures needed.
• It is important that continuity procedures recognise that people react differently in a crisis and may not follow prescriptive instructions that don't fit their perceptions of the crisis; like in a fire emergency.
• Reliable ways of communicating with individuals afterwards to help get the team back operating together in, perhaps, a new location.
• Succession plans covering key management and operational people for when resignation or illness occurs.

9. Physical

Your working premises, stock in trade, tools, office equipment, etc., are all at risk of loss in some types of disaster event, such as fire or flood. While all of these can and should be insured, such insurance seldom provides instant replacement and so backup strategies are necessary.

The disciplined approach used in Business Continuity Management helps you to put together contingency plans to provide, for example;

• Backup premises sufficient to support early resumption of your most vital business functions.
• Agreed emergency stock replenishments from suppliers.
• Resumption of computer systems, loaded with backup data.
• Possibly, duplicated backup sets of certain specialised tools, documentation and materials that your business relies on.

Of course, the costs of executing these recovery strategies must be noted and kept in perspective, with priorities carefully managed.

10. Stakeholders

In addition to your employees and management there are likely to be many other people and entities with a stake, one way or the other, in the continued health of your business. They all need to be identified, involved and actively communicated with about your Business Continuity Management strategy, and include;

• Suppliers - whom you rely on for inputs and whose own business continuity procedures (or lack of!) may impact your business.
• Customers and distributors - who must continue to buy from you, even in a crisis event.
• Shareholders - whose support you need in difficult circumstances.
• Financiers - whose understanding is very necessary during any recovery situation.
• Family - whose well-being may rely on the business, but who also can disrupt things.
• Local authorities and emergency services such as council, fire, CD, police, etc.
• Competitors - sometimes even competitors need to help each other in a general crisis.
• Compliance - negotiation may be needed where, in a crisis, your business is temporarily unable to comply with laws and regulations. For example, health and safety regulations.

11. Business development

The ongoing strategic decisions that are necessary to enable business growth and adaptation can have unintended consequences also.

For example, introducing a new product line is always risky and may not bring the result you expected – perhaps draining resources from other parts of the business. This illustrates how the defensive principles of BCM need to be kept in mind on a continuing basis, so that new risks are factored into your Business Continuity Plan.

12. Risk Register

As we discuss with you the risks that your business may face, they are prioritised and recorded in a Risk Register.

Then the risk elements that we have agreed are relevant are thoroughly reviewed in the context of their potential impact on the business.