The business continuity threats and risks for organizations we see here at MHA aren’t the ones you might think of first, like natural disasters, terrorist incidents, or blackouts. Sure, those things happen, but many companies have planned for disruptions like these and can point to a well-defined strategy already in place. (If that’s the case for you, then you’re doing well—we advocate that you always consider Mother Nature in your risk assessment plans and factor in the risks associated with your geographic location.)
But the more frequent occurrences may be the ones you’re not planning for—simply because they don’t appear to be as threatening as they actually are. Below are four categories of business continuity risks that should have a place in your business continuity risk assessment matrix—and recovery plans to address them.
The below risks may present a greater threat for some organizations than others, depending on the characteristics of your business and your risk tolerance.
Data breaches are happening so frequently nowadays that we no longer talk about if your organization gets hit, but when. Every organization—particularly small businesses with little to no data protection—will inevitably experience some type of data breach in the future, so it’s important to consider the risks associated with it. Not only will cyber attackers try to hack into your environment directly, they may also employ ransomware attacks and phishing attempts to access your data. All types of breaches are occurring at an alarming rate; in fact, half of small businesses that are attacked go out of business within six months as a result.
This is both the most common threat category and the one with the most potential to impact an organization’s financial situation—as well as its brand. Before it happens, consider the valuable data you have, what could be compromised, and the possible repercussions should a breach ever occur. Also take into consideration any regulatory requirements that might make it necessary to bolster your protection.
This category encapsulates the mistakes people make, particularly those related to technology. It might be anything from a simple programming mistake to a misstep brought on by the complexity of massive technological systems, but it’s not hard to imagine that such a mistake can take a company down. (See the latest computer glitches with United and Delta airlines.) Human error poses a bigger risk for organizations that are highly dependent on technology and tech workers.
Many types of common disruptive events—like floods, snowstorms, etc.—are disruptive to individuals as well as businesses. You can bet that in the event of such an emergency, most people will take care of themselves and their family before going to work. So while it’s good to have plans to move workers to another location in the event a building is inaccessible, there may simply be no one available to go.
Technology is vulnerable to single points of failure (SPOF)—a situation where the failure of one component of a network environment would also take down the rest of the system. (For instance, consider an application that relies on a single database server; if the server goes down, so does the application.) To protect against SPOF, ensure that critical technology components are redundant—for example, that you have multiple databases or secondary servers available that can be activated in an appropriate timeframe. Most hardware devices have redundancy built in for exactly that reason, but small organizations beware: If you use consumer-grade computers as your server (those not built with redundancy in mind), a failure could have a major impact on business operations. Also, many organizations today are scattered geographically and rely heavily on their networks to do business, making a single point of failure within the data network a real business continuity risk.
The concept of single points of failure also applies to human availability. This is especially relevant for a very lean workforce. When a regional call center that employs 150 people has 10 who can’t come to work, that’s not a big deal. But if that call center has two people and one can’t come, that’s a much bigger deal. Similarly, your level of risk is dependent on the functions people perform, some of which are more critical than others. If you can’t live without someone for a week because they have particular knowledge no one else has (have you ever placed calls to them during a vacation?), that’s a problem you need to address. Even a business that’s highly dependent on technology (like an automated factory, for instance) still needs at least a few humans to work.
Some businesses perform functions that are associated with inherently high risk, whether it’s from a standpoint of malpractice; individual health, life, and safety; or potentially dangerous operations. Hospitals, healthcare organizations, and chemical manufacturing plants are all examples of risky businesses.
Consider the primary function of your organization in terms of how it might impact the organization and its resiliency. For those businesses with risk-based functions, the stability of the organization at the leadership level is a critical consideration. And again, single point of failure comes into play: If you can’t function, is that a single point of failure for you? If the answer is yes, you need to plan for those possibilities.
The above business continuity threats may not always make the news, but their impacts are real—and happening every day to companies like yours. If you’re not as confident in your continuity program as you’d like to be, the BCMMetrics™ suite of online business continuity tools can help. It was created to help continuity managers and business leaders easily and effectively identify an organization’s critical processes, as well as evaluate levels of compliance and risk. This simple self-assessment tool is aligned with industry best practices and standards, and it is flexible enough to meet your team’s specific needs.