SMEs – Stop the Preaching
Andrew Hiles, of Kingswell International, and Mel Gosling, of Merrycon, believe that the time has come to stop preaching to an audience that doesn’t want to listen and using scare tactics that cannot be substantiated, and to start taking action to improve the resilience of small organisations on which most people depend for their livelihood.
The July, 2008 issue of Continuity: The Magazine of the Business Continuity Institute devoted a leader and no less than three articles to the issues of Business Continuity Management (BCM) for Small and Medium Enterprises (SMEs), generally stressing the importance of BCM to SMEs and bewailing their low take-up.
The European Union (EU) has defined SMEs as those enterprises with a headcount of less than 250 and a turnover of less than or equal to €50m or balance sheet total of less than or equal to €43m1. In defining an SME, the EU recognised that SMEs are the engine of the European economy, are an essential source of jobs, create entrepreneurial spirit and innovation in the EU, and are therefore crucial for fostering competitiveness and employment(2).
Business Continuity (BC) is now seen as an essential element of good corporate governance, and its importance has been underlined through regulation and legislation in many countries. In the UK, for example, the government has put a requirement on local authorities under the Civil Contingencies Act 2004 to promote BC to SMEs in their local areas(3).
Lack of Business Continuity in SMEs
Despite all the propaganda that has been directed at SMEs from insurers, regulators, governments, and the BC industry, the take-up remains stubbornly low. According to research from AXA undertaken in the UK(4), 46% of SMEs do not have a BCP, and a US survey conducted by TNS NFO(5) found that 71% of small business employees work at a company that does not have a disaster preparedness plan.
In our experience (both of us having worked in the SME sector for many years) the latter statistic is nearer to the reality, and of those that do have a BCP, only a minority keep it up to date, and very few have ever undertaken an exercise.
Given the perceived importance of SMEs and that BC is seen as an essential element of good corporate governance, should the fact that a significant number of SMEs do not have a Business Continuity Plan (BCP) be a cause for concern, and if it is a cause for concern, what can be done to rectify the situation?
The Scare Factor
The traditional approach to convincing SMEs to take-up BCM has been to warn of the dire consequences of not acting. This is often presented using a variation on the “80% of businesses affected by a major incident either never re-open or close within 18 months, , the original source of which seems to have been lost, if it ever existed, despite the best efforts of both of us to find it over the past two years (our research showed many of the scare statistics appear to have originated in the 1990s and have been frequently recycled – a table showing our research results is available on request by email).
Many BC practitioners still make use of the 80% statistic, as did Bert van der Zwan(6) when highlighted the risks facing SMEs, but as the lack of an original source to back up the claims becomes more apparent, many are starting to lose faith. Despite this, a number of local governments in the UK persist in basing their promotion of BC to SMEs on this scare tactic. One such is Southend-On-Sea, stating on their website(7) that “80% of businesses affected by a major incident close within a month.”
Reliable Statistics
In an attempt to address the problem of a lack of reliable statistics, we have undertaken research into information that is available on business failures in the US and UK. Although reliable government statistics are available on the numbers of business failures, very little research seems to have been conducted on the reasons why.
Such information as there is on why businesses fail indicate that business-oriented reasons (such as a decline in sales) are a far more common cause than disasters. An example of this is some research published by the University of Texas(8) in 1998, which studied 3,377 non-farm business bankruptcies filed in the United States during calendar year 1994, and found that only 9.6% of their sample cited “calamities” as the main reason for bankruptcy.
Without this information, and an associated analysis of whether or not the businesses that failed did so because of a disaster, and whether or not they had an up to date BCP, it is impossible to come up with estimates of the percentage of businesses that failed as a result of not having introduced BCM.
Our conclusion is that this would be a good subject for a PhD in Business Continuity. Is anybody out there interested?
Professional Advice
Another approach to convincing SMEs to introduce BCM that has been tried is through the professionals that SMEs rely on for advice (solicitors – legal, brokers – insurance, and accountants – finance and tax). Both of us have tried this over the years, forging agreements with a variety of professional advisers, but the number of SMEs actually deciding to implement BCM as a result of these agreements has been very disappointing.
Mike Taylor(9) raised the issue of insurance companies promoting BCM “arguing that a client with a BCP represents a good risk and less of a liability”. Certainly, there are many insurance companies that promote BCM, and Ark & General in the UK was a pioneering example of one. However, this does not seem to have had much effect.
An example of this is the arrangement that Andrew’s company, Kingswell International, has had with an insurance broker for over 10 years now, where the broker will negotiate a 10% discount on insurance if his company provided their client with a BCP. It would be nice to say it has been a roaring success, but frankly it has not.
It would be tempting to say that one of the reasons why these agreements have not worked is because few of these professional advisers have actually introduced BCM for their own organisations (after all, most are themselves SMEs), but the reality is that the main barrier to SMEs introducing BCM appears to be that the cost is not seen as being worth the benefit.
Costs and Benefits
The cost of sale of a BCM project of a few thousands dollars to an SME is not substantially different in scale to the cost of sale of a BCM project costing tens or hundreds of thousands of dollars to a large company or a multinational. The bigger companies know they need it. It’s just a question of timing, scope and budget. Usually though, the SME has to be convinced of the need for BCM.
Although we do not yet have any solid information on which to base the impact of not having BCM in place, the discipline of risk assessment can help us with its Risk = Impact x Likelihood formula. The break-even point for having or not having a BCM programme should be where the cost of implementing BCM (the Risk) is equal to the Impact on the SME of an incident that causes serious disruption, when the SME does not have effective BCM in place, multiplied by the Likelihood of such an incident.
The typical cost to a single site distribution company for the implementation of a BCM programme (including the development and exercise of a BCP), if undertaken by Mel’s company, Merrycon, is £4,000, and the percentage of Merrycon’s clients that have invoked their BCPs is just over 20%.
Using these figures, the break even point for having or not having a BCM programme can therefore be calculated as £4,000 = Impact x 0.2, which is where the Impact = £20,000.
In other words, having an effective BCM programme in place for a single site distribution company is worthwhile if the Impact is greater than £20,000. However, the Impact is not the cost of the loss, it is the costs that would be caused by the incident less those costs for which the company was insured. Assuming that the company had a typical commercial insurance policy, including business interruption, these uninsured costs would include such things as loss of reputation and the cost of regaining lost customers.
For our single site distribution company, the loss of reputation and the cost of regaining lost customers following an incident that caused major disruption to their operations would almost certainly be more than £20,000. Paying £4,000 to avoid the loss is therefore a good deal, particularly when you consider that SMEs are more likely to be devastated by the loss of their customers from a larger disaster (witness the restaurants, sandwich bars, dry cleaners, florists, etc. that ceased trading with loss of their customer base following major incidents such as the Oklahoma bombings, 9/11, and the New Orleans floods).
Unfortunately, although SMEs are more vulnerable than multinationals to trading failure (they do not normally have the financial reserves or the management experience to carry them through problems), they are, by their very nature, willing to take risks. SMEs are usually focused on survival at the trading level, and will forgo safety to gain market share and business results. It’s usually only when a SME grows to a stable and secure trading position that it starts worrying about other aspects of insurance, security, safety and protection.
As a result, most SMEs would rather rely on their own abilities to respond to an incident when it occurs, and take the risk of losing reputation and customers, than pay for the implementation of BCM. The cost would need to be brought down to the hundreds of £s to make most SMEs seriously consider implementing BCM.
Low Cost BCM?
Is it possible to bring the cost of implementing BCM down to the hundreds of £s? There are lots of templates out there to enable SMEs to develop their own BCPs, but in a recent review of the use of one of these templates in the UK by a National Health Service (NHS) Primary Care Trust, Mel’s company, Merrycon, identified that the resulting BCPs contained less than 20% of what would be expected if they had been developed by a qualified BC practitioner.
Andrew feels that maybe it’s time for BCM vendors to make a determined effort to persuade BCM and risk management professional institutions – the DRII, BCI, ACP, IRM et al – to enter into serious discussions with other professional institutions outside the risk industry and chambers of commerce to provide a packaged, easy to implement, no-frills, no-techno-speak solution for SMEs. This would however, require the development of a system that provided SMEs with the expertise of the qualified BC practitioner.
Would anyone want to invest in a project that was unlikely to provide any return, except for having the satisfaction of knowing that it’s been done for the public good? Would interested governments put up the money if approached by the combined efforts of the BCM and risk management professional institutions?
Changing Behaviour?
Mel believes that an alternative approach that could work is to change the behaviour of SMEs by ensuring that not having implemented BCM will really have an affect on their enterprise. One thing that you can be sure about is that if the owner or chief executive of an SME perceives that there is something that will affect their enterprise, they will act. This could be achieved through large organisations that have already put BCM in place insisting on all their suppliers having appropriate BCM arrangements.
Have BC Managers in large organisations enough power to implement such a strategy, or are the large organisations simply paying “lip service” to BCM?
===============================
This article originally appeared in the January/February, 2009 issue of Continuity: The Magazine of the Business Continuity Institute.
===============================
Andrew Hiles is a Fellow of the BCI and Managing Director of Kingswell International, he can be contacted by email at ahiles@Kingswell.net.
Mel Gosling is a Member of the BCI and Managing Director of Merrycon, he can be contacted by email at melgosling@merrycon.com.
References
1. Official Journal of the European Union L 124/36, “COMMISSION RECOMMENDATION of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (notified under document number C(2003) 1422) (Text with EEA relevance) (2003/361/EC)”
2. European Commission, “The new SME definition – User guide and model declaration”, ISBN 92-894-7909-4
3. Her Majesty’s Stationery Office (HMSO), “Civil Contingencies Act 2004”, ISBN 0 10543604 6
4. Continuity Central, “Many of Britain’s SMEs still ignoring business continuity”
5. Continuity Central, “US survey shows many small businesses are complacent when it comes to disaster preparedness”
6. “Communication Immunisation for SMEs”, Bert van der Zwan, Continuity Magazine – July 2008
7. http://www.southend.gov.uk/content.asp?content=7318 . (Home – Advice & Benefits – Emergencies)
8. SBA-95-0403, “FINANCIAL DIFFICULTIES OF SMALL BUSINESSES AND REASONS FOR THEIR FAILURE”, Business Bankruptcy Project,The University of Texas at Austin, September, 1998
9. “Business Continuity in the SME arena”, Mike Taylor, Continuity Magazine – July 2008
================================
BUSINESS CONTINUITY MANAGEMENT FRAMEWORK(tm) by Kingswell International, Ltd. is a comprehensive, word-processor-driven Business Continuity Management template with extensive Standards-Driven components reflecting the latest international standards.
Tags: BCM, Business Continuity, Business Continuity Management, SME
