test your customers’ business resilience

The last few years have clearly shown that no company is immune to an unforeseen event serious enough to jeopardize its activity. Prolonged absence of a key team member, natural disaster, health crisis, widespread computer failure, cyber attack,… the possibilities are endless.

So, specifically, how do you check that your customers are prepared? Here are 5 questions to start the discussion.

Have you defined a business continuity plan?

According to the government, the nature, frequency and cost of crises have evolved significantly over the past 20 years (see chart below). In this context of increasing uncertainty, organizations that have taken a prior step to ensure the continuity of their activity are the most resistant to destabilizing events .

Asking your client about the existence of a business continuity plan (BCP) in his company is to raise his awareness of these issues very directly. But the existence of such a plan is not enough, it must also be updated continuously, because the threats and risks weighing on the company evolve over time.

Main global shock
Global catastrophe losses 1970-2010 (source: Swiss Re, Guy Carpenter & Company LLC)

Global shocks

(Source: Guidance for creating a business continuity plan, Minister of Economy [1])

What is a business continuity plan?

Business continuity management identifies potential threats to an organization, as well as the impacts that those threats, if they materialize, could have on the organization’s business operations, and [fournit] a framework for building the organization’s resilience with an effective responsiveness that secures the interests of its key stakeholders, its reputation, its brand and its value-creating activities.

The Business Continuity Plan (BCP) sets out the strategy to guarantee the resumption and continuity of its activities after a disaster or an event that seriously disrupts its normal operations.

How many days can you last if the collection chain breaks?

One of the principles of business continuity management is to focus on the vital functions of the business, to estimate the maximum allowable interruption duration (MAID) for each one. In VSEs/SMEs, however, the collection function is often very high on the priority list.

Lack of cash is actually the main cause of business failure and VSEs/SMEs have little room to maneuver in this area: they are paid in an average of 42.4 days and pay their suppliers in 48.5 days. The health crisis and the recovery have also shown this: A company can be profitable and at the same time be insolvent due to a need for working capital despite its management. Small businesses therefore cannot afford long periods of unavailability of billing and collection services. Being resilient also means controlling your cash to avoid insolvency.

Dematerialization processes, and especially payments, are essential to ensure the continuity of these two key functions. By managing deposits and withdrawals online with a solution like Libeo, companies reduce the risk of running out of cash for logistical reasons. Libeo also gives managers a clear vision of future payouts, month by month, thus giving them the means to manage their cash flow as closely as possible.

How would you ensure business continuity if you could no longer access your data?

It’s a threat that’s starting to be familiar to managers: According to a study by Forrester Consulting, 33% of VSEs/SMEs with fewer than 250 employees have been hit by a cyber attack in the previous 12 months. [2].

In this respect, CPAs are particularly well placed to support VSEs whose organizations and information systems they are generally familiar with. The Superior Council of the Order also published a guide to cyber security for certified public accountants in 2018, available at Bibliodre.

To reduce his risk exposure, the business manager can work on various points, including in particular:

  • classification of company data and management of associated access rights;
  • management of employee departures and associated entitlements;
  • performing penetration tests;
  • increase team awareness of best practices;
  • review of data storage and duplication conditions (within the company and outside).

How will you communicate with your employees in the event of a major crisis?

In certain particularly critical situations, the traditional forms of communication are no longer applicable (especially cyber attacks) or poorly adapted to the urgency of the situation. How to communicate in this case?

Recommend that your clients maintain a GDPR-compliant database of employee contacts with multiple means of communication to reach them, even before they arrive at the workplace. It can also be useful to plan the upstream methods of this communication, and especially its transmission to all teams. Should the manager personally contact each employee? Should managers be asked to cascade information? How to ensure a good reception at the end of the chain?

And what would you do if…?

In addition to the few specific questions mentioned above, it is important to encourage the manager to think about the environment and the risk factors specific to his organization. The Business Continuity Plan guide distinguishes between 3 main types of crisis situations that can be used to feed this reflection:

  • a short and brutal episode. It will e.g. often be a climatic episode which requires the protection of the company and its resources (human and material) during the event;
  • an extended episode. This mainly concerns a pandemic, but also a cyber attack that would paralyze the company’s IT system. In this situation, in addition to the protection of resources, there is the question of maintaining or resuming priority activities without waiting for the end of the crisis;
  • a prolonged episode of the Company’s website being unusable, unavailable or inaccessible. This is especially the case with a major fire or an earthquake. In this case, it will also be necessary to provide a fallback mechanism (transfer of data, physical transfer of what may be, general remote work, etc.).

By discussing these 3 types of crises with the manager, threats that may seem abstract are made more concrete.

Once these risks have been listed, it is recommended to prioritize them according to two criteria: the likelihood of the scenario occurring and its severity. The most critical risks are those that are both frequent and large.

Libeo

Leave a Comment