
Starting Toolkit for Small Business Owners

Takashi Tsuda
08/04/2010

Table of Contents

Introduction
Get Started
Risk Assessment and Impact Analysis
Response & Recovery Plan
Training & Exercise and Evaluation & Modification
Conclusion
References

I. Introduction

About This Guideline:

This guideline provides steps and tips for the Business Continuity plan (BC plan) that every
company should consider in order to prepare for, minimize, respond to and recover from damages
and interruptions, so that it can survive and resume normal operations. Although a BC plan is
designed specifically for an organization based on its characteristics and background, this
guideline does not focus on such specifics; instead, it illustrates the critical components of a
BC plan that general businesses must cover. It is designed as a starting tool for BC planning for
small business owners, and it encourages you to specialize the design for your business after
building the foundation of your BC plan through this guideline.

Just as we cannot see our future perfectly, keep in mind that no plan can avoid all risks as long
as you run a business, because a BC plan is built on imperfect access to information, limited
ability to implement, and other restrictions. Rather, an optimum plan can be created through the
maximum effort you can make, so that you minimize the risks and damages to your business in a
continuity situation.

What is BC Plan and Why Needed?:

A Business Continuity plan (BC plan) ensures continued performance of an organization’s essential
functions and operations during an emergency situation by reducing loss of life and property and
minimizing damage to critical processes and information (FEMA, 2010; Institute for Business
& Home Safety, 2010; and Ready Business, 2010). This objective is supported by the following
practices:

• Prepare organizations and personnel for the possibility of relocating to continuity
facilities and being operational, and for a timely and orderly recovery from a continuity
situation.
• Achieve an efficient reconstitution from an emergency and resume full service to both
internal and external customers.
• Develop and maintain a test, training, and exercise program to support the
implementation and validation of continuity plans.

There are various reasons why building a BC plan is significant. First of all, as long as you are
running a business, any action you take inherently brings risk. Not only the financial and
economic status of your company, but also various factors such as natural disasters, human-made
accidents, terrorist attacks and scandals can negatively affect or even destroy your business.
To cope with these potential threats, a BC plan is critically important for maintaining the
endurance and sound condition of your business.

Also, small business is currently more than a backbone of the U.S. economy, accounting for
99.7% of all employer businesses in the U.S., according to the Office of Advocacy of the U.S.
Small Business Administration (2006). Thus, protecting small businesses is imperative not only
for individual small business owners but also for the U.S. economy, and the BC plan plays a
prominent role in that.

As illustrated in the figure, the process of BC planning can be divided into four phases: know
your business, assess the risk, formulate the plan and test the plan (BusinessMarketingPlan.Net,
2010). As the cycle shows, a BC plan is a living document that should be regularly reviewed and
modified as the situation changes (FEMA, 2010). This should be done after phase four through an
after-action report, review and corrective plan, as we discuss later. The next section discusses
each phase in more detail.

Figure 1: BC planning cycle, (BusinessMarketingPlan.Net, 2010).

II. Get Started

Know and Understand Your Organization:

As noted earlier, a BC plan depends on the context of each organization and its background.
A BC plan must document what will occur in an emergency situation, how and how quickly
continuity actions should occur, the location of the continuity operations, and who will
participate in the operations (FEMA, 2010). Therefore, it is critical to fully understand your
organization in order to build a well-designed BC plan. Start by reviewing and evaluating the
existing preparedness of your business, its functions, its internal/external environment, and its
assets and resources. This background reveals the potential threats to each of them, so that you
can create safety and security measures and plans for them.

1. Create Emergency Management Team

Before starting the assessment of your organization, you will need to assign an emergency
management team (EM team) to handle the overall process of BC planning, including
assessment, planning, training, implementation and evaluation. Although the size of the EM team
depends on the size of your business, it is important to have people who participate in and are
responsible for the processes and procedures of continuity programs, and who keep you informed
of progress and the situation. If the team has more than ten people, having representatives
from each division such as Information Technology, Administration, Human Resources and
General Management will facilitate the planning process. Even if the business is too small to have
these representatives, you must clarify the relationships and roles of each function for
smooth implementation of the BC plan in an actual emergency situation (Barton, 2007).

2. Identify Essential Functions of Your Business

As one of the most important building blocks of a BC plan, you must first identify the essential
functions, which are the heart of your business. Essential functions are defined as those functions
that enable an organization to provide vital services, exercise civil authority, maintain the safety
of the general public, and sustain the industrial or economic base during an emergency (FEMA,
2010). In other words, essential functions are the primary functions of your business that must
continue with no or minimal interruption. Lack of preparedness and protection for these functions
will directly and significantly affect the sound operation of your business in an emergency
situation. Commonly recognized elements of essential functions are power (electricity),
communication, vital records and information, suppliers and vendors, and human and physical
resources (Barton, 2007; FEMA, 2010; Institute for Business & Home Safety, 2010 and Ready
Business, 2010). After you identify the essential functions, prioritize them according to their
criticality, the context of the emergency, and their relationships with other functions and
businesses.

3. Understand Internal/External Environment of Your Business

This step includes clarifying not only the physical environment inside and outside your
organization, but also the relationships among employees, other businesses and surrounding
communities. The location of your business carries various implications for the BC plan: for
example, geographic, demographic and climatic characteristics, along with important facilities
and businesses in the surrounding area such as hospitals, evacuation sites, community centers and
business partners who will cooperate with your business in an emergency situation. These will be
very important in setting the logistics and players of response plans for emergencies and
alternative plans for your normal operations.

Understanding the internal environment and situation of your workplace is also vital in securing
your business. As past incidents of workplace violence and active shooters indicate, many
perpetrators are former employees and clients who had problems in their relationships with
employers, employees or customers, or more personal issues (Barton, 2007). Barton explains the
importance of securing the workplace by avoiding negligent hiring through careful screening and
interview processes, and by managing troublesome employees through notification of poor
performance or consultation with them. As discussed in the next section, it will be beneficial to
review whether your employment policy and organizational policy are at an acceptable level to keep
your workplace safe.

III. Risk Assessment and Impact Analysis

Conduct Risk Assessment and Impact Analysis:

In the last section, you identified the functions, characteristics, environments and
situations of your business. Now you need to consider in more detail what can happen to
these elements of your business, how serious the damage will be, how feasible recovery and
resumption of normal operations are, and what you can do to prepare. Based on the result of the
risk assessment and impact analysis, you can direct your action plans toward the hazards with
higher priority first, and gradually deal with the lower ones.

1. Identify Hazards That Can Impact Performance of Essential Functions

This step includes exploring potential natural events, intentional man-made events, and
non-intentional man-made events that could adversely affect the ability of your business to perform
essential functions. Natural hazards are those whose occurrence is beyond the control of the
organization, including earthquakes, floods, ice storms, winter weather, and external fires.
Intentional man-made hazards are also beyond the direct control of the organization and could
include events such as external sabotage, workplace violence and terrorism. Non-intentional
man-made events, such as power outages, fires, explosions, equipment failures, or human errors,
are generally within the control of the organization. Risks and impacts can be identified through
research and analysis of historical climatic data from local newspapers and the National Weather
Service, and of information about man-made threats that can be obtained from local law
enforcement and FBI offices (FEMA 2010).

2. Develop Emergency Scenarios and Assessment Tool

All of the assessment steps should be conducted within the context of a set of scenarios, each of
which is a combination of a particular hazard or event and the essential functions of your
business. Within each scenario, the EM team should consider risks to all essential functions of
the organization from various viewpoints. As the sample risk assessment tools in Tables 1 and 2
below illustrate, scenarios can range from natural disasters to man-made threats, and the EM
team should also look into what interruptions to essential functions these events can cause.

Sample Risk Assessment Tool and Definitions:

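| Hazard/Event        | Frequency (1-5) | Physical Impact (1-5) | Employee Impact (1-5) | Economic Impact (1-5) | Reputation Impact (1-5) | Recovery Difficulty Impact (1-5) | Likelihood (1-3) | Total Risk Point |
|---------------------|-----------------|-----------------------|-----------------------|-----------------------|-------------------------|----------------------------------|------------------|------------------|
| Tornado             |                 |                       |                       |                       |                         |                                  |                  |                  |
| Snow Storm          |                 |                       |                       |                       |                         |                                  |                  |                  |
| Drought             |                 |                       |                       |                       |                         |                                  |                  |                  |
| Flood               |                 |                       |                       |                       |                         |                                  |                  |                  |
| Extreme Temperature |                 |                       |                       |                       |                         |                                  |                  |                  |
| Summer Storm        |                 |                       |                       |                       |                         |                                  |                  |                  |
| Infectious Disease  |                 |                       |                       |                       |                         |                                  |                  |                  |
| HAZMAT              |                 |                       |                       |                       |                         |                                  |                  |                  |
| Building Collapse   |                 |                       |                       |                       |                         |                                  |                  |                  |
| Fire                |                 |                       |                       |                       |                         |                                  |                  |                  |
| Shooter/Violence    |                 |                       |                       |                       |                         |                                  |                  |                  |
| Terrorism           |                 |                       |                       |                       |                         |                                  |                  |                  |

Table 1: Risk assessment tool (potential hazard)

| Interruptions         | Frequency (1-5) | Physical Impact (1-5) | Employee Impact (1-5) | Economic Impact (1-5) | Reputation Impact (1-5) | Recovery Difficulty Impact (1-5) | Likelihood (1-3) | Total Risk Point |
|-----------------------|-----------------|-----------------------|-----------------------|-----------------------|-------------------------|----------------------------------|------------------|------------------|
| Electrical System     |                 |                       |                       |                       |                         |                                  |                  |                  |
| Water System          |                 |                       |                       |                       |                         |                                  |                  |                  |
| Communication System  |                 |                       |                       |                       |                         |                                  |                  |                  |
| Administrative System |                 |                       |                       |                       |                         |                                  |                  |                  |
| Sewage System         |                 |                       |                       |                       |                         |                                  |                  |                  |
| Production System     |                 |                       |                       |                       |                         |                                  |                  |                  |
| Special Parts Supply  |                 |                       |                       |                       |                         |                                  |                  |                  |

Table 2: Risk assessment tool (potential interruption)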

Definitions:

• Total Risk Point = (Frequency + Sum of Impacts) * Likelihood

• Potential Impact Definition:
(1) Negligible: Lowest impact; unlikely to have an adverse effect upon site normal operations
(2) Minor: Low impact; potential to alter some operations and resource usage, small effect upon
site normal operations
(3) Major: Noticeable impact; key operations and resource usage altered, visible effect upon site
normal operations
(4) Critical: Sizable impact; broad operational and resource alteration, big effect upon site
normal operations
(5) Catastrophic: Huge impact; extensive operational and resource alteration, cascading effect
upon site operations

• Frequency Definition:
(1) Once every century
(2) Once every 50 to 99 years
(3) Multiple times within 50+ years
(4) Every 10 years
(5) Multiple times every 10 years

• Likelihood Definition:
(1) Unlikely to occur
(2) Somewhat likely to occur
(3) Likely to occur

By generating an estimated total risk point for each event or scenario, the risk assessment tool
gives you a general overview of potential threats and shows which ones should be treated as
high priority in your business. Depending on the characteristics of the scenario and the
background of your business, the EM team can use or create different tools and resources to assess
the scenario’s risk. For example, the team may use historical data on severe weather around the
location of your business, or the distances from your location to important sites such as
hospitals, transportation centers and business partners. Also, the EM team should consider both
short- and long-term impacts of disasters and incidents, as well as intended and unintended
effects of each risk. For scenarios where historical data or detailed modeling are unavailable,
subject matter expertise must be involved to conduct the risk assessment.
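
The scoring defined above, worked through in Python as an added example that is not part of the original guideline: it validates each rating against the tool's scales, computes the Total Risk Point and ranks scenarios from both tables together. The ratings in SAMPLE are constructed for illustration, and the names Scenario, rank, MIN_SCORE and MAX_SCORE are assumptions of this example.

```python
"""Total Risk Point scoring for the sample risk assessment tool (added example)."""
from dataclasses import dataclass

# The five impact columns of Tables 1 and 2, each rated 1-5.
IMPACTS = ("physical", "employee", "economic", "reputation", "recovery_difficulty")

# Bounds implied by the scales: frequency 1-5, five impacts 1-5, likelihood 1-3.
MIN_SCORE = (1 + 5 * 1) * 1
MAX_SCORE = (5 + 5 * 5) * 3


def _check(name, field, value, low, high):
    """Reject a rating that is not an integer inside the tool's scale."""
    if isinstance(value, bool) or not isinstance(value, int) or not low <= value <= high:
        raise ValueError(f"{name}: {field}={value!r} is outside {low}-{high}")


@dataclass(frozen=True)
class Scenario:
    """One row of Table 1 (hazard/event) or Table 2 (interruption)."""
    name: str
    frequency: int             # 1-5, Frequency Definition
    physical: int              # impacts: 1-5, Potential Impact Definition
    employee: int
    economic: int
    reputation: int
    recovery_difficulty: int
    likelihood: int            # 1-3, Likelihood Definition

    def __post_init__(self):
        # A typo in the worksheet must not silently inflate or deflate priority.
        for field in ("frequency", *IMPACTS):
            _check(self.name, field, getattr(self, field), 1, 5)
        _check(self.name, "likelihood", self.likelihood, 1, 3)

    def total_risk_point(self) -> int:
        # Total Risk Point = (Frequency + Sum of Impacts) * Likelihood
        impacts = sum(getattr(self, field) for field in IMPACTS)
        return (self.frequency + impacts) * self.likelihood


def rank(scenarios):
    """Return (name, total risk point) pairs, highest risk first."""
    rows = [(s.name, s.total_risk_point()) for s in scenarios]
    rows.sort(key=lambda row: (-row[1], row[0]))  # ties broken by name
    return rows


# Constructed ratings, in column order: frequency, physical, employee, economic,
# reputation, recovery difficulty, likelihood. Not data from the guideline.
SAMPLE = [
    Scenario("Tornado", 3, 4, 3, 4, 2, 4, 2),
    Scenario("Flood", 2, 3, 2, 3, 1, 3, 1),
    Scenario("Fire", 3, 4, 4, 4, 3, 3, 3),
    Scenario("Electrical System", 5, 2, 2, 3, 1, 2, 3),
    Scenario("Communication System", 4, 1, 2, 3, 3, 2, 2),
]

if __name__ == "__main__":
    for name, score in rank(SAMPLE):
        share = 100 * (score - MIN_SCORE) / (MAX_SCORE - MIN_SCORE)
        print(f"{name:<22}{score:>4}  ({share:.0f}% of the scale)")
```

Because Likelihood multiplies the whole sum, a frequent but low-impact interruption rated "likely" can outrank a severe hazard rated "somewhat likely", as the electrical system does against the tornado in the constructed sample.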

3. Review Current Preparedness of Your Business

After you identify potential risks from natural hazards, intentional man-made events and
non-intentional man-made events, the EM team should identify and analyze whether the existing
plans (if you have any) reduce either the likelihood of the risks or the severity of the impacts.
Check whether leaders, EM team members and employees are aware of the potential risks and clear
about their roles: what can happen to the business and what they are expected to do in an
emergency situation. Also review past incident reports and after-action reports to understand
what worked well and what did not. As mentioned at the beginning, a BC plan is a living document
and needs evaluation and improvement for better preparedness of your business.

IV. Response & Recovery Plan

Start Shaping the Alternative Plan and Preparation:

By now, you have clarified the overall picture of potential threats and impacts and the
preparedness of your business. In this section, you will start creating the BC plan based on the
data you identified. Furthermore, you have to identify alternatives for locations, resources and
systems to sustain your business in an emergency situation. These alternatives will form the
logistics and plans for response and recovery.

1. Identify Alternative Locations and Resources

This step includes designating the alternative locations and resources necessary to carry out the
BC plan. If the primary facility of your business becomes unavailable in an emergency situation,
you must relocate to another site to implement your BC plan. You must confirm that alternative
sites ensure smooth execution of essential functions and are far enough from the primary facility
that they will not be impacted by the incident occurring there (FEMA, 2010 and Ready
Business, 2010). The location of the continuity facility should be based on the results of your
business’s risk assessment.

If you don’t have any alternative facility, another option is telecommuting. Telecommuting
is a form of alternative work arrangement that allows employees to conduct their tasks
at an alternative workplace away from the primary one (FEMA, 2010). It can be applied to
various alternative working environments, ranging from an employer’s house or a telework center
to a traditional or satellite office close to employees’ houses.

Along with alternative locations, you must identify which resources, and how much of each, are
required for BC planning and for implementing the planned continuity operations. Funds for
continuity planning must come from your budget. Budget items to consider include:

• Photocopying
• Supplies for the EM team (discs, etc.)
• Mileage traveling to potential alternative facilities
• Training rooms, materials, and instructors
• Meeting rooms
• Other operation needs

The time commitment of EM team members and employees is also a critical resource.
Make sure you set realistic timelines and schedules for BC planning and for their time
commitments. Work with senior managers to ensure that team members will be able to dedicate the
time necessary to the BC plan.

2. Identify Communication/Notification Systems for Customers, Employees, Public and Media

In an emergency situation, the emergency communication system is a vital element that
enables the BC plan to perform essential functions in conjunction with other agencies until
normal operations resume. You must make sure emergency communication systems are
capable of:

• Supporting implementation of the BC plan
• Communicating internally/externally
• Permitting access to data, systems and services
• Being available within 12 hours of activation, and sustainable until normal operations can be
resumed (FEMA, 2010)

Beyond communication for implementing the BC plan and related operations, you must
handle crisis communications to protect the public image of your business by meeting your
accountability during and after a crisis. According to Barton, the following questions should be
asked when building a crisis communications plan to inform stakeholders and the public:

• What do we know?
• When did we know it?
• What are we going to do about it?
• Who has an immediate need to know about the incident?
• What categories of stakeholders exist?
• How much can we share during the first stages of crisis management? (Barton, 2007, p. 217)

Failure to protect the image of your business will lead your stakeholders to feel that you have
betrayed their trust, which could significantly damage your business and require a lot of effort
and time to rebuild that trust. As Barton emphasizes, the key is to “avoid – at any and all costs –
betraying your stakeholders” (2007, p. 218).

3. Build Response & Recovery Plans for Emergency Scenarios

For many scenarios, the current risk may be considered to be at an acceptable level. For those
scenarios where the current level of risk is considered unacceptable, actions must be taken
to mitigate the risk. These actions must provide a beneficial return on investment, be acceptable
to stakeholders, and not cause other significant risk (FEMA, 2010). Critical steps in this phase
include:

• Developing alternate risk management strategies:
The EM team should engage the appropriate stakeholders to determine how the risks for
each scenario can be managed most effectively. These alternate strategies should be
developed completely and documented by addressing all of the critical factors (e.g., cost,
schedule).
• Assessing the risk and the impact of the proposed strategies:
The analysis team should reassess the risk of each scenario based on the implementation
of each alternative strategy. This step will indicate the degree of risk reduction that
each of the alternative strategies can bring.
• Selecting proposed alternative strategies for implementation:
After alternative strategies have been fully developed and their degrees of risk reduction have
been understood, decision-makers should select the collection of alternatives for actual
implementation. The alternatives will be evaluated based on consideration of all of the
previously identified critical factors, including effectiveness (risk reduction), efficiency, and
cost effectiveness. Ultimately these strategies should reduce the risk that the organization will
be unable to continue its business.

Another critical factor that should be incorporated is the confidence that the alternatives will
achieve the expected level of performance. The effect of many of the alternative strategies may
be well understood by the organization. The level of understanding of, and confidence in, the
positive effects of alternative programs should be established through research and analysis
in the related field. For instance, these alternatives may have a proven record of performance in
other similar organizations, or they may have been studied intensely. In contrast, the ones with
less of a history or less study might not be well understood. The EM team may believe that these
less understood alternatives will achieve a satisfactory level of performance; however, their
confidence is at a lower level.

During the selection process, decision-makers need to be aware of both anticipated performance
and confidence to ensure that the proper set of actions will be taken. Finally, decision-makers
must recognize that this process is cyclical and many of the alternatives will be implemented in
subsequent cycles because of limitations in resources and time.

V. Training & Exercise and Evaluation & Modification

Test Quality of BC plan, and Enhance the Ability to Implement it:

The final phase of BC planning is to test the plans by conducting Training and Exercise (T&E)
programs, followed by evaluation and modification after these activities. This allows you to check
the effectiveness of and defects in your BC plan, and also increases employees’ awareness and
ability to perform each role in an emergency situation. During and after T&E programs, make sure
someone monitors the progress of implementation and records it in an after-action report that
will be used for evaluation and for designing a corrective plan.

1. T&E Programs

T&E programs are an extremely important component of the entire BC plan. Even if you build the
response and recovery plans, they will be useless if your employees, EM team and leaders are not
capable of implementing them smoothly in a crisis. Establishing T&E programs also helps
to ensure that the T&E programs share the common overall goal of readiness and preparedness,
and provides the framework to promote consistency of readiness activities (FEMA, 2010). T&E
programs include measures to ensure that an organization’s BC plan is capable of supporting the
continued execution of its essential functions throughout the duration of an emergency
situation. Your T&E program should be a combination of training and exercise events that ensures
the following:

• Is comprehensive in that it includes all three components
• Reflects lessons learned from previous T&E events or implementations
• Provides training in the appropriate functional areas of mission readiness
• Provides opportunities to acquire and apply the skills and knowledge needed for
continuity operations
• Builds team unity

Training here means instruction in individual or organizational functions, procedures
and responsibilities, while exercise means demonstration and practice of the operation of
equipment, procedures, processes and systems that support the organization (FEMA, 2001).
Types of exercise include orientation, tabletop, drill, functional and full-scale, depending on the
size, content and participants of an exercise. Taking into consideration the T&E program that
addresses each emergency scenario, create a T&E schedule that aims at a middle- or long-term
cycle of practice.

2. Evaluation & Modification

While the plans are being implemented and afterward, you should monitor the effectiveness of the
actions taken to manage risks: what worked well and what went wrong. The goal of the
monitoring phase is to verify that the organization is getting the expected results from its risk
management decisions. Key inputs into the monitoring phase include testing, training, and
exercising. The results of the monitoring should be documented as an after-action report that will
be used for evaluation and modification as a corrective action plan.

This step is one of the core elements and the last phase of the BC planning cycle. Because the
plan is a living document, as mentioned earlier, this is where new and improved plans are shaped
for altered situations. Although it is the end point of one cycle of BC planning, the cycle itself
never stops as long as your business survives, and you must keep the cycle going to improve the
plan and adapt to the dynamics of your business and the surrounding world.

VI. Conclusion

After following the steps listed throughout this guideline, you should have a general idea of the
BC plan and be able to see what a blueprint of your BC plan looks like. Although this guideline
shows a collection of common elements and steps necessary for general BC planning, it only helps
create a broad basis for a BC plan. There are some common elements among plans, but every plan
will be different because every organization’s structure and circumstances are unique. There are
no cookie-cutter templates, and one size doesn’t fit all. Therefore, you must hone your plan
further through more specialized research and analysis based on the characteristics of your
business.

Needless to say, BC planning and its implementation involve costs and effort and, like many
programs and policies, carry inherent time commitments. Some of these practices can be
costly up front; however, they can help cut costs in the future as well as reduce potential
detrimental outcomes. As mentioned earlier, the cycle of the BC plan should be continued in order
to enhance safety culture by increasing awareness, preparedness and the ability to sustain the
life of your business. That will benefit not only you as a small business owner, but also your
employees, surrounding communities and, ultimately, the entire U.S. economy with its enormous
number of small businesses.

References

Barton, L. (2007). Crisis leadership now: A real-world guide to preparing for threats, disaster,
sabotage, and scandal. New York, NY: McGraw-Hill.

BusinessMarketingPlan.Net. (2010). Creating a Marketing Plan for Your Business. Retrieved at
http://www.businessmarketingplans.net/2010/05/26/creating-a-marketing-plan-for-your-business/

Federal Emergency Management Agency (2010). Retrieved at http://www.fema.gov/

-----. (2001). Federal Preparedness Circular. Retrieved at
http://www.fema.gov/pdf/library/fpc66.pdf

Institute for Business & Home Safety. (2010). Open for Business: A disaster planning toolkit for
the small to mid-sized business owner. Retrieved at
http://www.ibhs.org/docs/OpenForBusiness.pdf

Ready Business. (2010). Retrieved at http://www.ready.gov/business/

U.S. Small Business Administration. (2010). Retrieved at http://www.sba.gov/
