Business Continuity: Small Business, Big Problems

By Marc A. Reich, CBCP, CDP, MBA

The Small Business Administration of the United States estimates that 99.7% of the businesses in the US are considered small. The criterion for being a small business is set by the SBA's Size Standards Committee. Examples are less than 500 employees in most manufacturing and mining industries or less than $6 million in revenue in most retail and services industries (http://app1.sba.gov/faqs/faqindex.cfm?areaid=15). With these standards the SBA calculates that there are 23.7 million businesses in the United States and all but 17,000 of them are considered small. Canada breaks down businesses into smaller units, with micro-businesses described as less than 50 employees and small businesses as 50 to less than 500. They still estimate that 99.7% of their businesses are small.

So with a plethora of small businesses in the world, why would there be any problems? The reality is that most business continuity planning and management is done in large companies. Yes, large companies mean larger budgets for BCM, and they can afford the time, money, and resources to get the best plans. However, that does not mean that a simple backup routine will be the panacea for a small business. The rest of this presentation lists five reasons of great importance, presented in no particular order, why small businesses do not have a business continuity plan, and solutions to get the planning started.

5) We are not covered by that regulation.

Many regulations do not cover small businesses in the same way they require compliance in large businesses. When the HIPAA regulations were written in 1996, they gave leeway of at least a year in each regulatory section to smaller medical practices to help accommodate the cost to the small practices. Many regulations have monetary or employee limitations.
OSHA's orders for posting evacuation routes are not invoked until the small business has a certain number of employees working in an area. This allows small businesses the time to afford compliance, but it also creates a loophole for some businesses to keep away from the regulations.

The reality is that the regulations are coming. Those that do not cover small business now will in the future. As a small business owner myself, I know the latest laws and regulations can get overwhelming, but we have to keep up with them. Sarbanes-Oxley, HIPAA, and even the Patriot Act either have or will affect your business. If you have a strategic plan, there should be a place for planning the approach your company will use in working these regulations into your business. As the company grows, you will see more regulations and laws affecting your business.

Do your employees know the procedure of closing each day? Do they close the fireproof safe? Do they take the backup with them?

The best way to deal with this is to use the strategic plan to deal with the "What ifs" and "Whens" of these rules applying and be prepared for them in advance.

4) I won't be around when the problem happens.

At one client I asked what would happen if a disaster occurred. Their response was, "I have enough years in this company to retire." They would not be around to help fix the problem, or so they thought. When the business is just you, there is no "I'll just retire." You are either there or you are not. Your business is there or it is not.

There are startling statistics on recovery time and business survival. University of Minnesota found that 80% of companies having extended disasters are out of business within 5 years. IBM Recovery Services reported 50% of companies having a disaster without a plan are out of business within 2 years. DATAPRO Research showed that, in companies with a major disaster, 29% close within 2 years and 43% will NEVER reopen. Finally, University of Texas, Arlington discovered the average company will lose at least 25% of their Daily Revenue in the first six days and over 40% will be lost if the disaster lasts up to 24 days. These statistics are the reality of today's fast-paced world and a very sobering set of facts that a small business has to face.

If you are committed to your business, there must be a plan for continuity of operations and leadership. A flood, tornado, or any natural disaster does not happen at a convenient time, so the time to plan is now. A small business really needs a succession plan and a continuity plan to keep the business going. The worst possible scenario needs to be planned. What happens if the owner of the 8a, minority, company is lost? Where do we go when the river next to us overflows its banks?
How do I protect my employees from a disaster? All these questions are a good start for planning.

3) A disaster is not going to happen here.

A few years back, a company that built custom furniture bought a fireproof safe. Just in case a fire burned the building down, their custom plans were safe in the safe. They felt that the materials would be replaced and they would get on with work wherever they set up the shop, but the plans were irreplaceable. One night they all left and a fire did occur. It raced through the building housing their factory and, by the time fire crews were able to get it under control, the building was a complete loss. It was after the fire was out and they could go into the remains of the building that they found out that no one had shut the fireproof safe that evening. All the plans were lost. The only thing that saved this company was their reputation for quality custom furniture.
The customers actually came back and helped rebuild plans and waited extra time for their pieces of furniture.

Another example is that of a company whose headquarters was just about half a mile from their data center. One night a violent storm came, and there was a direct lightning strike on their microwave system that communicated at high speed between the data center and headquarters. The dish for the microwave connection was damaged so badly that a replacement had to be sent from the factory. This meant no communications between the two areas for three days. The business had no plans that described how to replace the dish and no way to switch to land lines. They had to hand-carry information from the data center to the headquarters for the time the microwave was down. All this happened in an area that is not known for natural disasters.

Never think that a disaster is not going to happen to you. Two states in the US are well known for not having many natural disasters, New Mexico and Utah. The statistics just mean that the mean time between disasters is very long. There are always chances of a lightning strike or the first tornado in forty years. Neither does it mean there are no disasters. There are always fires, chemical spills, faulty sprinkler systems, and simple errors by employees.

A plan is not the end-all of safety. It is a beginning. The plan works for the worst-case scenario and other problems that are not as severe. Testing and maintenance must be part of planning. With testing, you may find that the worst-case scenario changes, or a new report has found a natural disaster in your area that was not considered before. What has changed is as important to a plan as what works now.

2) I have a backup.

If you have a backup, you are ahead of the game, but not the winner and world champion. The world is full of stories of backup nightmares. The first is the backup that has not been tested and turns out to be blank. I have seen this several times.
In most cases, the backup had been running automatically for many years. The tape was verified, but the verification was just that certain headers were written. The rest of the data was not there, just the verified headers.

Another is the backup that is sitting on the server in the server closet. If the backup is in the same room as the original data, it is not a backup, it is a copy. The server room, or the desk of the system administrator who is in the same building as the server room, is a great place for it to be when you cannot get into the building, like when the fire department or police have the area roped off for investigation for a few days.

Finally, there is the backup that is placed in an area with water, highly corrosive chemicals, or magnetic influences. The inadvertent placement can cause damage to the media the backup is on. There have been companies wanting to read old tapes from a drafty, damp basement. The format of the tape may be a problem in reading, but the condition of the media may make it impossible to pass through the reading device. I have seen all these nightmares.

A backup is only as good as it is and where it is. It is a start to have a backup. It is even better to store the backup in a fireproof safe. Even better is off-site storage away from the company. However, there are three steps that should be taken with all backups:

- Have an automated schedule if you can. Otherwise, schedule regular backups. Make sure the backups do take place and that the software used is verifying more than the headers.
- Test those backups regularly. A blank backup will not help you recover and continue. The backup should be tested at least monthly.
- Keep the backup in a fireproof safe if possible. This could be expensive, but it could be the best investment you make. If you store off-site, make sure that your media is stored in a fireproof safe. While you are at it, add your software licenses, or copies of those licenses, to that safe.

1) I have no budget for business continuity.

Small business is notorious for razor-thin budgets. Money is tight in many areas. With most money coming from personal funds, the entrepreneur cannot always afford the luxury of a business continuity plan. However, the situation is a reminder of the 1980s commercial for Fram™ oil filters, "You can pay me now, or you can pay me later." The mechanic was looking into the camera describing how an old oil filter can cause engine damage. In the case of business continuity, the business is the engine. It will suffer if the disaster, continuity, and risk filters are old or not in place. Like an oil filter they must be checked regularly, usually twice a year at least.
We do not expect our cars to run well with no or bad oil and filters, but we worry about the cost of a plan that filters many of the risks we have as a business and eliminates others. The cost of a business continuity plan pays for itself many times over in cost savings on customer loyalty, insurance, regulations and laws, and continuity of the company.

Many consultants and software packages for planning have very daunting costs. However, the loss of the business is far more costly. Many of the top ten disasters of the past ten years have cost billions of dollars. The old joke of "How do you start a flood?" does not work any more. Liability insurance is not easy to get without some risk mitigation like that you find in a good business continuity plan. There is no easy way to say it, so suffice it to say Small Business needs a Business Continuity Plan!

There are ways to get a quality business continuity plan and keep the price low. If you do not want to do it yourself, there are also consulting packages that can help you. Disaster Recovery Journal has an annual survey of business continuity consultants. Look for a company that will help you in the planning, testing, and/or maintenance you need. They may also have software or resell a software package for continuity planning. A plan is only as good as its last test. I will suggest a plan that can work for many small businesses. Have the consultant come in only when needed, e.g., once a month. This plan offers the small business a chance to have a plan built, maintained, and tested regularly. Continuous Solutions offers that type of plan under the MyCBCO™ plan (http://www.continuoussolutions.com).

If you want to do it yourself, there are software packages and classes that you can take. The price of software may look expensive, but there are some very good low-price packages that can help you pull together the information you need. Once again, a good list of these products is in Disaster Recovery Journal's annual survey of business continuity software. The best series of training for business continuity management is from DRII (http://www.drii.org). There you can get a basic understanding and also be certified in business continuity by the world leader in business continuity training.

With the number of small businesses that are flourishing in the new economy, it makes sense that local disasters will cause more havoc. More businesses in one location means a broader problem if a disruption occurs.
Having a continuity plan is invaluable in this case. When all around you are losing their heads, you may just keep yours, and your business as well.

Marc Reich, CBCP, CDP, MBA, is the President and Principal Consultant for Continuous Solutions, Inc. located in Albuquerque, NM. He has over 25 years in the IT industry, including over 10 years as a Certified Business Continuity Professional. He is also a Certified Instructor for DRII. Marc can be contacted at marc@continuoussolutions.com.
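
The blank-but-"verified" backup described under reason 2, as an added example that is not part of the original article: this Python sketch builds a small tar backup, zeroes its data blocks while leaving the headers intact, and shows that a header-only check still passes while a full read-back against a SHA-256 manifest does not. The file names, contents and function names are constructed for the illustration.

```python
import hashlib
import io
import os
import tarfile
import tempfile

def make_backup(files, archive_path):
    """Write files (name -> bytes) to a tar archive; return a name -> SHA-256 manifest."""
    manifest = {}
    with tarfile.open(archive_path, "w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[name] = hashlib.sha256(data).hexdigest()
    return manifest

def header_only_check(archive_path, manifest):
    """Weak verification: only confirms the expected member headers exist."""
    with tarfile.open(archive_path) as tar:
        return {m.name for m in tar.getmembers()} == set(manifest)

def full_content_check(archive_path, manifest):
    """Strong verification: read every byte back and compare hashes.
    Returns the sorted names that are missing or do not match."""
    bad = set(manifest)
    with tarfile.open(archive_path) as tar:
        for member in tar.getmembers():
            stream = tar.extractfile(member)
            if stream is None:
                continue
            if hashlib.sha256(stream.read()).hexdigest() == manifest.get(member.name):
                bad.discard(member.name)
    return sorted(bad)

def blank_data_blocks(archive_path):
    """Simulate the failure: headers stay valid, the data regions become zeros."""
    with tarfile.open(archive_path) as tar:
        regions = [(m.offset_data, m.size) for m in tar.getmembers()]
    with open(archive_path, "r+b") as fh:
        for offset, size in regions:
            fh.seek(offset)
            fh.write(b"\0" * size)

def demo():
    # Constructed sample data standing in for business records.
    files = {"ledger.csv": b"date,amount\n2024-01-02,100.00\n",
             "plans/chair.txt": b"oak, four legs\n"}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "backup.tar")
        manifest = make_backup(files, path)
        good = (header_only_check(path, manifest), full_content_check(path, manifest))
        blank_data_blocks(path)
        blanked = (header_only_check(path, manifest), full_content_check(path, manifest))
    return good, blanked
```

Keeping the manifest apart from the backup media lets the monthly test compare the restored data against a record the damaged media cannot have altered.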