RISK AND DISASTER MANAGEMENT: SOME USEFUL TOOLS AND RESOURCES FOR BUSINESSES AND ORGANISATIONS MAY 2011 Sector Development Team Queensland Council of Social Service Inc
DEVELOPING A BUSINESS CONTINUITY PLAN BASED ON A PREVENTION, PREPAREDNESS, RESPONSE AND RECOVERY CYCLE This plan incorporates the Prevention, Preparedness, Response and Recovery (PPRR) framework (Queensland Government: Business Continuity Plan Template, 2010). Each of the four key elements is represented by a part in the Business Continuity Planning Process. Source: Queensland Government: Business Continuity Plan Template (2010) The Queensland Government provides a detailed, step-by-step planning template for business continuity, which is very useful for developing a plan to manage risks and disasters for small businesses. Further information and access to the template is available on the Department of Employment, Economic Development and Innovation s (DEEDI) official website under Business Development. BUSINESS CONTINUITY AND DISASTER RECOVERY CHECKLIST FOR SMALL BUSINESS OWNERS A checklist has been developed by Capital One to help small businesses in the United States prepare for both large and small incidents (Department of Employment, Economic Development and Innovation, 2011a). DEEDI has also provided a sample emergency plan for businesses (embedded below) sampleplan.pdf Source: Department of Employment, Economic Development and Innovation (2011a) Develop a business continuity/disaster recovery plan Establish a disaster-recovery team of employees who know your business best, and assign responsibilities for specific tasks 1
Identify your risks (kinds of disasters you're most likely to experience) Prioritize critical business functions and how quickly these must be recovery Establish a disaster recovery location where employees may work off-site and access critical back-up systems, records and supplies Obtain temporary housing for key employees, their families and pets Update and test your plan at least annually Alternative operational locations Determine which alternatives are available. For example: A satellite or branch office of your business The office of a business partner or even an employee Home or hotel Backup site Equip your backup operations site with critical equipment, data files and supplies: Power generators Computers and software Critical computer data files (payroll, accounts payable and receivable, customer orders, inventory) Phones/radios/TVs Equipment and spare parts Vehicles, boats and spare parts Digital cameras Common supplies Supplies unique to your business (order forms, contracts, etc.) Basic first aid/sanitary supplies, potable water and food Safeguard your property Is your property prepared to survive a hurricane or other disasters: Your building? Your equipment? Your computer systems? Your company vehicles? Your company records? Other company assets? Contact information Do you have current and multiple contact information (e.g., home and cell phone numbers, personal e- mail addresses) for: Employees? Key customers? Important vendors, suppliers, business partners? Insurance companies? Is contact information accessible electronically for fast access by all employees? Communications Do you have access to multiple and reliable methods of communicating with your employees: Emergency toll-free hotline? 2
Website? Cell phones? Satellite phones? Pagers? BlackBerry(TM)? Two-way radios? Internet? E-mail? Employee preparation Make sure your employees know: Company emergency plan Where they should relocate to work How to use and have access to reliable methods of communication, such as satellite/cell phones, e-mail, voice mail, Internet, text messages, BlackBerry(TM), PDAs How they will be notified to return to work Benefits of direct deposit of payroll and subscribe to direct deposit Emergency company housing options available for them and their family Customer preparation Make sure your key customers know: Your emergency contact information for sales and service support (publish on your website) Your backup business or store locations (publish on your website) What to expect from your company in the event of a prolonged disaster displacement Alternate methods for placing orders Alternate methods for sending invoice payments in the event of mail disruption Evacuation order When a mandatory evacuation is issued, be prepared to grab and leave with critical office records and equipment: Company business continuity / disaster recovery plan and checklist Insurance policies and company contracts Company checks, plus a list of all bank accounts, credit cards, ATM cards Employee payroll and contact information Desktop/laptop computers Customer records, including orders in progress Photographs/digital images of your business property Post disaster contact information inside your business to alert emergency workers how to reach you Secure your building and property Cash management Be prepared to meet emergency cash-flow needs: Take your checkbook and credit cards in the event of an evacuation Keep enough cash on hand to handle immediate needs Use Internet banking services to monitor account activity, manage cash flow, initiate wires, pay bills 3
Issue corporate cards to essential personnel to cover emergency business expenses Reduce dependency on paper checks and postal service to send and receive payments (consider using electronic payment and remote deposit banking services) Post-disaster recovery procedures Consider how your post-disaster business may differ from today Plan whom you will want to contact and when Assign specific tasks to responsible employees Track progress and effectiveness Document lessons learned and best practices RISK MANAGEMENT PLAN The Government of Victoria has detailed information on how to develop risk management plan for individual business/organisation. Business Victoria webpage provides a combined Risk Register and Risk Treatment Register (templates) which businesses/organisations can use to plan and manage risks (embedded below) sbv_template_risk_r egister_and_risk_treatment_register.doc Source: Government of Victoria: Risk Management Plan (2009c) Further, organisations can use information from the Assessing Individual Risk page on the same website along with the Risk Assessment Table (1.2) below to gauge the level of risks. RECORDS MANAGEMENT PLAN The University of Technology, Sydney website has some useful forms and templates for records storage and recovery (embedded below) storage-risk-assessm ent.docm 4
records_recoveryflo wchart.pdf Source: University of Technology, Sydney: Risk and Disaster Management (2010) In addition, businesses and organisations can also store important operational details such as bank account details, staff salary in the Critical Information List. This can be used to hand over to someone else (e.g. power of attorney) during emergencies (embedded below) critical_information_li st.doc Source: Government of Victoria: Critical Information List (2009a) 5
ADDITIONAL TOOLS AND TEMPLATES FOR RISK AND DISASTER MANAGEMENT 1.1 COMMUNITY CONTEXT (Note: Only for organisations that provide direct services to the community) FEATURE RELEVANT INFORMATION AND CONSIDERATIONS Geography Climate and Weather Population Community Capacity Industry Public buildings, spaces and events Critical Infrastructure Essential Services Hazardous Sites Source: Department of Emergency Services (2005) 6
1.2 RISK ASSESSMENT TABLE Consequences Major Serious Minor Insignificant e.g. death, disability, large financial loss e.g. serious injury, cash flow shortage e.g first aid injury, temporary supply shortage e.g. incident but no injury, non-essential staff ill Very likely, almost certain to happen Extreme risk High risk High risk Medium risk Likelihood Likely, will probably happen at some time High risk High risk Medium risk Medium risk Unlikely, could happen at some time High risk Medium risk Medium risk Low risk Very unlikely, might happen rarely Medium risk Medium risk Low risk Low risk Source: Government of Victoria: Risk Assessment Table (2009b) 7
1.3 MANAGING RISK STEP 1 STEP 2 STEP 3 STEP 4 STEP 5 IDENTIFY RISKS THAT COULD IMPACT YOUR BUSINESS Take a close look at each of your business operations and ask yourself: What could cause an impact? How serious would that impact be? What is the likelihood of this occurring? Can it be reduced or eliminated? For example, if you owned a cafe, your risks might include fire, food poisoning and flood ANALYSE RISKS TO ASSESS THEIR IMPACTS Determine which risks have a greater consequence or impact than others Separate minor acceptable risks from major risks which must be managed immediately. This involves deciding on the relationship between the likelihood and impacts of the risks you have identified In a cafe, the likelihood of a flood may be assessed as low, but the impacts on the business would be very high. A flood could potentially destroy both equipment and stock and would lead to loss of trade and financial loss EVALUATE RISKS TO PRIORITISE THEIR MANAGEMENT Compare the likelihood and impact of each risk to evaluate and prioritise the resources you are prepared to invest to treat these risks. The outcome of this step is a prioritised list of risks that require further action In the cafe example, your prioritised list may be: Source: Department of Employment, Economic Development and Innovation (2011b) Fire - your top priority risk. The likelihood is high and the potential impact of a fire on the business is very high Food poisoning - your second priority risk. Whilst the probability may be assessed as low, the impact on the business would be very high Flood - your third priority risk. The probability is assessed as very low, but again the impact on the business would be very high 8 TREAT RISKS TO MINIMISE THEIR IMPACT Determine which risks are acceptable for your business to leave untreated and which risks need to be treated. Risk treatment is about considering options for treating risks that are not considered acceptable, through a number of strategies including: Insurance quality control processes Staff training C Complying with government legislation and regulations Properly maintaining facilities, plant and equipment Using appropriate security devices Establishing systems and controls e.g. segregation of duties (cash receipting, banking and accounting) Developing contingency plans Some of the treatment strategies for the risk of flood might include: Ensure flooding is covered by your existing insurance policy and the amount of cover is adequate Ensure stock and equipment are stored off the ground where possible Organise off-site storage for stock and equipment when a flood is forecast DEVELOP AND REVIEW YOUR RISK MANAGEMENT PLAN A Risk Management Plan indicates the chosen strategy for treatment of the identified risks. It details information about: Risks identified Level of risks Planned strategy Timeframe for implementing the strategy Resources required Individuals responsible for ensuring the strategy is implemented The final documentation should include appropriate objectives, a budget and milestones on the way to achieving those objectives
1.4 RISK MANAGEMENT RECORD HAZARD VULNERABLE SECTOR POTENTIAL RISK LIKELIHOOD CONSEQUENCE LEVEL OF RISK ACTION PRIORITY RISK TREATMENT OPTIONS RISK TREATMENT EVLAUATION RESPONSIBLE AGENCY CONSEQUENTIAL ACTIONS IMPLEMENT ATION TIMEFRAME (Source of Risk) (Element at Risk) (Risk Statements ) (Include Current Control Measures) (Link Treatment Option to Core Business of Relevant Organisation) (Identifying Project Details) (Define timeframe & any dependenc e) Source: Department of Emergency Services (2005) 9
REFERENCES Department of Emergency Services (2005). Queensland Disaster Management Planning Guidelines 2005: For Local Government (online). Available from < http://www.disaster.qld.gov.au/publications/pdf/disaster_management_guide.pdf > Accessed 21 April 2011 Department of Employment, Economic Development and Innovation (2011a). Recovering from a Disaster: Business Continuity and Disaster Recovery Checklist for Small Business Owners (online). Available from < http://www2.business.qld.gov.au/managing/275.htm > Accessed 09 May 2011 Department of Employment, Economic Development and innovation (2011b). Business Development: Managing Risks (online). Available from < http://www2.business.qld.gov.au/managing/206.htm > Accessed 09 May 2011 Government of Victoria (2009a). Emergency Contingency Plan: Critical Information List (online). Available from < http://www.business.vic.gov.au/busvic/standard/pc_63238.html > Accessed 10 May 2011 Government of Victoria (2009b). Risk Assessment Table (online). Available from < http://www.business.vic.gov.au/busvic/standard/pc_50328.html > Accessed 10 May 2011 Government of Victoria (2009c). Risk Management Plan (online). Available from < http://www.business.vic.gov.au/busvic/standard/pc_50328.html > Accessed 10 May 2011 Government of Victoria (2009). Assessing Individual Risks: Risk Assessment Table (online). Available from < http://www.business.vic.gov.au/busvic/standard/pc_50328.html > Accessed 10 May 2011 Local Government Association of Queensland (2010). Incorporating Disaster Management into Local Government Corporate Planning Practices: Workshop Manual (online). Available from < http://www.lgaq.asn.au/c/document_library/get_file?uuid=52239ba1723a9360ce1db5b8b13210cb& groupid=10136 > Accessed 03 May 2011 Queensland Government (2010). Business Continuity Plan Template (online). Available from < http://www.business.qld.gov.au/risk-management/business-continuity-planning.html > Accessed 06 May 2011 University of Technology, Sydney (2010). Risk and Disaster Management (online). Available from < http://www.records.uts.edu.au/forms/index.html > Accessed 10 may 2010 10