Being Prepared: Business Continuity for you and your clients
March 26, 2020
By Liza Robbins.
Is your firm ready for the Coronavirus?
The last few months have exposed just how vulnerable our economy and our businesses are, in the face of this catastrophic, unforeseen event.
We have already seen some businesses endangered overnight, as their clientele have disappeared or their supply chains have collapsed. Others are watching their clients and suppliers struggle, knowing that they will soon feel the knock-on effect.
Make no mistake: The human cost is tremendous. Both employees and employers are at risk of losing their livelihoods out of the blue, and many will struggle to recover from this blow.
This is a risk we, in the accounting industry, need to take very seriously as well.
That’s why I picked up the phone to speak to David Rosenthal, an associate at Jeremy Hyman Associates, who specialises in business continuity here in the UK.
He told me that it was not uncommon for businesses to be caught unprepared by serious events which threaten their operations.
“Most businesses will have elements of a business continuity plan, but it’s usually not up-to-date, current or effective.
“It’s a question of priorities – most businesses don’t pay this enough attention until they face a disaster, by which point it can be too late.”
He pointed out that while these events are rare, they are hardly uncommon.
In addition to the Coronavirus, there are numerous examples of businesses affected by cyberattacks, critical IT failures, local terror attacks, natural disasters affecting their supply chains and so on.
So you need an emergency plan.
Step 1, he says, is to put together a disaster recovery team.
“Irrespective of what needs to be done, you need to identify the people responsible for putting together the plan, and executing it.”
Their first job is to assess the risks to your organisation, whether these involve tech (for example, your servers go down and you can’t access data), your people being unable to reach the office, economic disaster and so on.
Then they can put together their plans.
David recommends working out what threatens the very survival of your business, especially in the first 2-3 days, and mitigating those risks.
Cashflow and payroll are often key.
“If you get your bills out 48 hours late your company will survive, but if you pay your staff 48 hours late, your staff may experience serious issues around paying their rent or mortgages, and that could be a very significant issue for you.
“Similarly, if you don’t take care of cashflow, that could affect your entire supply chain and survivability.”
You must also consider what documents and resources you might need to access in the immediate aftermath of a disaster.
For example, he asks, “Do you have a list of all your employees and clients and their contact details? How about passwords to log into your systems remotely? Do you have access to emergency funding to pay your staff, if for any reason your payroll people are out of action? And what about access to your clients’ records?”
The plan must specify how often you are going to backup these critical documents or resources, and where they are going to be stored, in case your main site is inaccessible.
“You need a backup site that is far removed from your primary site,” he notes, adding that after 9/11, Lehman Brothers’ backup site was within 1 km of the Twin Towers, rendering it effectively useless.
Finally, your Disaster Recovery Plan must be continually tested for effectiveness and refined.
“This is where most companies fall, irrespective of their size,” says David. “People leave, risk profiles change, and so do your services and priorities. The recovery plan that was right 18 months ago is probably out-of-date today.”
As examples of best practice, he cites Societe General – where he was formerly COO – which updated its staff’s contact details every quarter, and Merrill Lynch in London, which sends staff to work at its “emergency” site every quarter, to make sure that they can operate from there smoothly.
“There are no end of cases where companies set up IT systems so their staff can work from home in an emergency, but when it comes to it no one has the right logins or the IT guys just aren’t available,” he says.
The biggest mistake companies make, he adds, is to take “a naïve approach to risk – setting out solutions which are one-size-fits-all.”
For example, they might prioritise having senior people available, while a PA, admin or HR staff might be more valuable in an emergency. Or they send their entire teams to one alternate location, whereas in the case of a virus, teams should really be split or work from home.
Ultimately, he says, if you do not take these actions you are risking your future, your relationship with your clients and your reputation – and potentially failing your employees, to whom you have a primary responsibility.
When it comes to accounting firms, he adds, “You talk to your clients about managing risk, but how can you talk about this authoritatively if you don’t manage your own risk?”
He’s right.
I hope that when the immediate pressures of the Coronavirus emergency are over, we will all take what has happened as a prompt to put in place a serious, effective disaster recovery plan.
Our futures depend on it.
I am free to talk to any of our Kreston members, should you wish to discuss this further. In this situation it really is important that we all keep in touch and support each other.