staff sheet review

You may not think too much about serious disasters. Most of us focus on the day-to-day chores of running our businesses and keeping revenues up. However, there are long term planning concerns that many firms just avoid. Those concerns are managing the risk to your business if something very bad happens. This long-term planning is called risk management and it is the dullest topic ever—until something bad happens.

Business school academics have varying definitions of risk and risk management, but for our purposes the concepts are fairly simple. Risk is the negative uncertainty that comes from any potential loss. Risk management is the collection of activities a business undertakes to mitigate, avoid, and transfer the losses that might damage the business due to some negative event. Risk management, now frequently referred to as Enterprise Risk Management, has been an area of business focus for decades. Businesses have long recognized that they need to look at the financial risks they might face if something happened to their physical assets or were confronted with major litigation. However, in the past few decades, there has been a stronger and broader focus on the entire spectrum of risks that confront a business which has begun to push the issue to the C-suite level. Unfortunately, while large businesses devote serious resources at the the highest level to managing risk to protect their organization, smaller firms often spend little or no time considering risk as an important business issue. Even smaller firms who do take the time to think about protecting against operational threats may be unlikely to consider threats that are a degree or two of separation away from their core business. That means that technology infrastructure may be ignored if, and when, business continuity and disaster recovery plans are being considered.

Background: Why is risk management gaining greater visibility? As noted, risk management isn’t new. However, the last few decades have seen the United States face two major catastrophic events: Hurricane Katrina in 2006 and the terror attacks in 2001. Both brought to the fore the consequences to businesses who are unprepared, as well as the reality that very bad things can happen.

Globalization has also shown that distance does not shield us from the consequences of far away events. The earthquake and subsequent tsunami that hit Japan in 2011 reminded manufacturers and businesses in the United States about the consequences of their reliance on long supply chains and just-in-time inventory.

Another new threat that has alerted even the smallest firms to their vulnerability is technological. For a small firm, a major man-made or natural disaster may seem too distant to distract management from day-to-day operations, but the emergence of cyber threats, ransomware, hacking and data theft has really hit home for every organization out there. Even smaller firms totally focused on making it day-to-day are taking notice of this threat. Have you really given thought to how you would handle a disaster?