The COVID-19 pandemic served as a major wake-up call to businesses that operational threats can emerge anytime. If downtime lasts more than a few days, the chances that a business will fail are high. Yet many companies have no business continuity plan.
Business continuity planning helps restore critical functions to normal operations in the wake of a disruption. Without a plan that includes an analysis of shutdown scenarios, an impact analysis, recovery strategies, and training, a business is tempting fate.
Failing to Plan Could Be Planning to Fail
COVID-19 may have been a once-in-a-lifetime occurrence, but its lessons should be permanently ingrained in the small business community. Caught flat-footed, businesses did their best to adapt on the fly to the pandemic. Unfortunately, large numbers of them were not able to weather the storm.
Economists say pinpointing the number of businesses that were shut down during the pandemic is difficult. By some estimates, one-third of US small businesses closed during the pandemic, permanently or temporarily. Closures were not felt equally among business sectors, though, and many businesses have since reopened.
But economists also say that the longer a business remains closed, the less likely it is to ever reopen. This analysis is in line with Federal Emergency Management Agency (FEMA) data indicating that 40 percent of businesses do not reopen after a disaster, 25 percent fail within one year of a disaster, and 90 percent fail within a year if they cannot resume operations within five days. Statistics from the U.S. Small Business Administration show that over 90 percent of businesses fail within two years of a disaster.
In the wake of the pandemic, a study found that more than half of businesses globally had no plans or protocols to combat an emergency such as COVID-19. The study also revealed that more than one-quarter of companies of any size had a business continuity plan in place.
According to the insurance company Travelers, nearly half of small businesses are operating without a business continuity plan. The insurance brokerage Gallagher says that over 70 percent of companies without a comprehensive business continuity plan fail to recover from a significant business interruption.
The Threat Landscape
On its Disasters and Emergencies preparedness page, the federal government lists the following hazards that can cause a business to shut down:
- Natural disasters such as floods, earthquakes, hurricanes, volcanoes, and winter weather
- Power outages
- Mass attacks and terrorism, including active-shooter scenarios
- Chemical and hazardous material incidents
However, a focus on dramatic occurrences can obfuscate the more mundane risks that threaten business operations. Unplanned downtime can be caused by something as simple as a hardware or software failure, corrupted data, or user error.
Cybercriminal attacks represent one of the biggest threats that small businesses face. A 2022 report found that nearly two in three midsize organizations suffered a ransomware attack in the past eighteen months. And one in five of them spent $250,000 or more to recover from the attack.
Data breaches are another common cause of business interruption. Midsize businesses represent about 30 percent of all data breach victims. The cost of a data breach to a small business averages $120,000 to $1.24 million.
Cyberattacks have risen dramatically in recent years and are mainly perpetrated by external actors. But a sobering statistic comes from Verizon, which found that internal personnel commit one-third of cybercrime. Even when employees are not being malicious, they are often careless. Verizon says 82 percent of breaches involve human error, such as a worker opening a malware-infected email.
Additionally, in some instances, major life occurrences involving owners or key leaders may lead to business interruption. Events such as motor vehicle accidents, medical complications, or unexpected death may shake the foundations of a business that is considered stable.
Unplanned downtime—whether caused by disease outbreak, natural disaster, cyberattack, IT malfunction, staff shortage, life occurrence, or some other unexpected event—is costly. Although downtime costs vary by business size and type, they can run from hundreds to thousands of dollars per minute. There are also the associated restoration and recovery costs, which are often greater than the downtime costs.
Business Continuity Planning Steps
The longer a business interruption lasts, the more money it costs. Lost revenues and extra expenses equal reduced profits. Cash flow problems are a leading cause of small business failure, and most organizations cannot afford to ignore business continuity planning.
While the actual plan may be detailed, a few simple steps can kick off the planning development process:
- Perform a threat assessment. Before a business can start preparing for disaster, it must understand the possible threats it faces and the likelihood of those threats impacting them. Risks can be assessed in a matrix that classifies the types of disasters that can occur and the scope of damage a given disaster can create for the business.
- Conduct a business impact analysis. The results of the threat assessment inform the business impact analysis (BIA)—a catalog of the actual effects brought on by an interruption. The BIA, conducted with input from knowledgeable team members, identifies impacts like lost sales and income, increased expenses, customer dissatisfaction and defection, and supply chain issues.
- Create a response strategy. Once potential threats and their possible impacts are identified, steps need to be in place—and in writing—to recover critical business functions and processes. The written plan should detail recovery resource requirements, recovery strategy options, backup and recovery plans, responsible staff members, communications, and implementation.
- Test, train, and prepare team members. A plan that looks perfect on paper can reveal its shortcomings when implemented. The business continuity team must be tested and the plan put into action to ensure that they are disaster-ready. Continuity plans can be further updated and refined based on these exercises.
- Develop or update legal documentation. When creating a business continuity plan, it is important that key leaders are legally empowered to exercise authority when the unexpected occurs. Documents like operating agreements, bylaws, and buy-sell agreements are critical and must be both referenced and updated regularly to ensure business continuity.
- Purchase insurance. Business interruption insurance is available to cover income and operating expenses if a covered loss—typically property damage due to a disaster—requires a business to temporarily cease operations. A separate insurance policy may be needed to cover losses resulting from data breaches.
If this all sounds a bit vague, it is because every company is different, and organizational needs vary. There is not a one-size-fits-all option for business continuity planning. Any specific plan should reflect a company’s critical functions and resources and the recovery strategies it can reasonably implement. A company headquartered in hurricane- or tornado-prone areas, for example, will need reliable sources of backup power, while industries more prone to cyberattacks may need to focus on ransomware responses.
For continuity planning resources, check out ready.gov, this small business continuity plan template from FEMA, and these tips from the SBA.
Will You Be Ready When Disaster Strikes?
Entrepreneurs often learn the hard way to expect the unexpected. The threat landscape, from pandemics to cyberattacks to hardware and software failures, is continually growing and changing. While it is impossible to see around every corner, it is possible to anticipate major disruptions or disasters and plan accordingly.
Our attorneys can help you with the legal aspects of business continuity planning, particularly drafting the contracts and preparing the documentation necessary for your business to survive a crisis. We can also help you assemble a team of experienced professionals to implement other aspects of your plan. Do not get caught without a continuity plan. Start planning today, and be ready for whatever comes your way. Call or contact us to get started.
 Chris Nichols, Fact Check: Have One-Third of US Small Businesses Closed During Pandemic?, Austin Am.-Statesman (Jun. 8, 2021), https://www.statesman.com/story/news/politics/politifact/2021/06/08/kamala-harris-small-business-closures-covid-fact-check/7602531002/.
 Megan Cerullo, Many Small Services Businesses Won’t Be Able to Reopen after COVID-19, CBS News (May 6, 2021), https://www.cbsnews.com/news/small-businesses-services-sector-wont-reopen-after-closing-covid-19/.
 SBA Disaster Workshop: Are You Prepared for the Next Big Disaster?, Small Bus. Admin. (Oct. 28, 2015) https://content.govdelivery.com/accounts/USSBA/bulletins/121b1ba.
 51% of Companies Have No Business Continuity Plan to Combat Coronavirus Outbreak: Mercer Study Finds, Mercer (Mar. 4, 2020), https://www.me.mercer.com/newsroom/covid-19-companies-have-no-business-continuity-plan-to-combat-coronavirus-outbreak.html.
 Travelers Risk Control, Why Is Business Continuity Important?, Travelers, https://www.travelers.com/resources/business-topics/business-continuity/why-is-business-continuity-important (last visited Apr. 17, 2023).
 Gallagher, Do You Need a Business Continuity Plan? (2018), https://www.ajg.com/us/-/media/files/gallagher/us/insurance/business-continuity-overview.pdf.
 Disasters and Emergencies, Ready, https://www.ready.gov/be-informed (last visited Apr. 17, 2023).
 2022 MSP Threat Report, Connectwise, https://info.connectwise.com/cybersecurity/fortify/ebook/rmkt/2022-msp-threat-report (last visited Apr. 17, 2023).
 Andrew Rinaldi, The Cost of Cybersecurity and How to Budget for It, Business.com (Mar. 6, 2023), https://www.business.com/articles/smb-budget-for-cybersecurity/.
 Nicole Lindsey, New Verizon Data Breach Report Outlines Changing Cyber Threat Landscape, cpomagazine.com (May 20, 2019), https://www.cpomagazine.com/cyber-security/new-verizon-data-breach-report-outlines-changing-cyber-threat-landscape/.
 Social Engineering. https://www.verizon.com/business/resources/T5cd/reports/dbir/2022-data-breach-investigations-report-dbir.pdf (last visited Apr. 17, 2023).
 Calculating the Cost of Downtime, Atlassian, https://www.atlassian.com/incident-management/kpis/cost-of-downtime (last visited Apr. 17, 2023).