

Business Continuity Management for Small and Medium Sized Enterprises
How to Survive a Major Disaster or Failure

David Lacey


First published in the UK in 2012
by
BSI
389 Chiswick High Road
London W4 4AL

© British Standards Institution 2012

All rights reserved. Except as permitted under the Copyright, Designs and Patents Act 1988, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means – electronic, photocopying, recording or otherwise – without prior permission in writing from the publisher.

Whilst every care has been taken in developing and compiling this publication, BSI accepts no liability for any loss or damage caused, arising directly or indirectly in connection with reliance on its contents except to the extent that such liability may not be excluded in law.

The rights of David Lacey to be identified as the author of this Work have been asserted by him in accordance with sections 77 and 78 of the Copyright, Designs and Patents Act 1988.

Typeset in Frutiger by Letterpart Limited, www.letterpart.com
Printed in Great Britain by Berforts Group, www.berforts.co.uk

British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library
ISBN 978-0-580-74108-1


Contents

Foreword  viii
Introduction  ix
How to use this book  xi

1 Making the business case  1
  How much risk should you bear?  1
  Safeguarding business interests  2
  How much work is involved?  3

2 Key concepts and principles  7
  What, how and who  7
  Be selective and keep it simple  8
  A process, not just a plan  9
  The business continuity management cycle  9
  The language of risk  11

3 Deciding what to protect  15
  Assessing business criticality  15
  Assessing the impacts of incidents  16
  Conducting a business impact analysis  17

4 Assessing risk  21
  The nature of risks  21
  The risk management process  22
  The lifecycle of risk management  23
  Identifying critical assets  24
  Assessing threats and risks  24
  Building a ‘heat map’  25
  Capturing further detail with a heat map  27
  Building a risk register  27
  Risk treatment  29
  Communicating risk appetite  33

5 Identifying hazards and threats  37
  Fire and Flood  38
  Earthquakes  38
  Terrorist attacks  39
  Sabotage and vandalism  39
  Equipment and supply chain failures  40
  Accidents  40
  Strikes and transport failures  41
  Environmental pollution  42
  Pandemic  42
  Space weather  43

6 Preventing and responding to fire  45
  A continuous process  45
  Identifying fire hazards  46
  Identifying people and assets at risk  47
  Assessing and reducing fire risks  47
  Installing fire safety measures  47
  Training and drilling staff  48
  Maintenance considerations  49
  Documentation  49

7 Preparing and planning for floods  51
  Preparing for a flood  51
  Establishing your level of risk  51
  Identifying people and assets at risk  52
  Implementing flood precautions  53
  Arranging appropriate insurance  54
  Drawing up an emergency flood plan  55
  Training employees to deal with flooding  55
  What to do after a flood  55

8 Physical security measures  59
  Key principles and measures  60
  Safeguarding premises  60
  Protecting valuables and assets  62

9 Information security measures  65
  Information security standards for SMEs  66

10 Back-up and fallback arrangements  75
  Making back-up copies  75
  Fallback options  77
  Building resilience in computer systems  80

11 Preparing the plans  85
  Types of plan and their relationship  85
  Emergency plans  86
  Contingency plans  87
  Drafting your business continuity plan  88
  Limitations of plans  89

12 Organizing your response team  91
  Fundamental goals and skills  91
  When does an incident become a crisis?  93
  The art of crisis management  94
  Response team structure and roles  95

13 Training and exercises  99
  Designing and equipping a crisis room  101

14 Learning from incidents  105
  Why learning is important  105
  Conducting a root cause analysis  106

15 Reviewing business continuity plans  111
  Reviewing the business process  111
  Reviewing the recovery process  112

16 Summary of this book  115

17 Sources of further advice  121

Glossary  125

Index  130


Foreword

In 1996, I was Chief Executive of the Radiocommunications Agency, an Executive Agency of what was then the Department of Trade and Industry. At 19:02 on the evening of Friday 9 February, our agency headquarters building was destroyed in the Provisional IRA London Docklands ‘South Quay’ bombing. The Agency had a good continuity/disaster recovery plan and, largely, it worked well. This has given me a life-long respect for the importance of continuity planning.

Subsequently, my work with the Institute of Directors back in 2006 illustrated the weaknesses in many small and medium sized enterprises’ understanding of business continuity management. Highlights from one BCM survey included:

• 92% of survey respondents agreed that they had business critical data stored in their ICT systems. I wonder what the others had stored in their systems?
• 28% of respondents admitted to having no ICT business continuity or disaster recovery plans in place. This was worst amongst the smallest companies (1-25 employees) at 43% and in the ‘Distribution and Hotels’ sector at 42%.
• For those with business critical data stored, 11% admitted to backing-up less than once per week (if at all!), with ‘Distribution and Hotels’ the worst sector with 29% backing-up less than once per week.
• For those that did back-up at least once per week, 51% kept their back-ups on-site, with ‘Government, Education, Health and Personal Services’ the worst sector at 72%.
• Of those with Business Continuity plans in place, 90% felt that they were well positioned to survive a disaster (despite the lack of off-site back-ups by many…).

I’m not convinced that the passing of five years has entirely resolved these problems.

I very much welcome the publication of David Lacey’s straightforward and practical book. I commend this book to you. It provides exactly the kind of clear guidance sorely needed.

Professor Jim Norton, President 2011-12, BCS - The Chartered Institute for IT


Introduction

This book is a simple, practical guide on how to go about implementing business continuity management. It is written primarily for business directors and managers in small and medium sized enterprises (SMEs), but it is also a useful guide for consultants or managers working in large organizations with small business units or outlets.

Disasters such as fires, floods and terrorist attacks often strike indiscriminately and without warning. Their impact on business operations can be substantial, regardless of the size of the enterprise. Experience has shown that advanced planning is crucial to preventing and minimizing business damage.

Business continuity management is a simple management process that helps identify potential hazards to your business operations, and equips you with the information, plans and facilities to manage a major disaster or failure. It operates through a combination of techniques, including risk management, contingency planning and crisis management.

In recent years, most large organizations have developed business continuity plans and incident response processes to safeguard their business operations. This is not just in response to regulatory compliance demands, but also because it is a good business practice. Many small companies, however, have yet to catch up with this trend.

One reason for this is that business continuity management has traditionally been a big company practice, requiring specialist consultants, project teams and full time managers. Big organizations need large programmes because of the sheer complexity and scale of planning needed to respond to a major incident across a large enterprise.

The task is much simpler, however, for a smaller business unit. It need not demand a big budget and a large team of people.

This book sets out how business continuity management can be tackled by any small- or medium-sized enterprise, and with a minimum of budget, time and manpower. The objective is to present the key principles and learning points in a form that is digestible, appropriate and, hopefully, compelling.

Both the approach and the content of this book are designed to be suitable for SMEs of any size, ranging from a micro company of less than ten people to a medium sized enterprise with hundreds of staff.

The guidance is aimed at ordinary business managers, and it assumes no specialist knowledge or skills. It is designed to enable managers to identify risks to business continuity, and to take simple, affordable steps to minimize their impact. It includes some useful ‘tips of the trade’ for assessing risks, drawing up contingency plans and managing incidents.

The material draws on the real-life experience of the author in developing business continuity strategies and plans for business units of all sizes, ranging from small retail outlets to large global enterprises. It also builds on research carried out on behalf of the UK Information Commissioner’s Office (ICO) and the UK Chapter of the Information Systems Security Association (ISSA) into the requirements of SMEs for security advice and standards.

This book is published at a time of increasing awareness of hazards to business continuity presented by all manner of disruption to normal running, including floods, malware, cyber attacks and even the effects of space weather. These concerns also come at a time when large corporate customers and regulators are beginning to set their sights on tackling weaknesses in supply chains.

With growing dependence on small contractors, big organizations will increasingly expect, and demand, that their SME suppliers raise their game in business continuity planning. This book shows how SMEs can rise to this challenge.

David Lacey


How to use this book

This book provides a logical, step-by-step sequence to understanding business continuity management. You can read it from cover to cover, or dip into selected chapters to find key recommendations on particular topics.

Figure 1 – Step-by-step sequence to understanding business continuity management

Chapters 1 and 2 explain the benefits and principles of business continuity management, and include the life-cycle for developing and implementing a business continuity plan.

Chapters 3, 4 and 5 take you through the planning activities of identifying what to protect - and from what or whom - including how to carry out a risk assessment and how to develop a simple register of risks.

Chapters 6–9 set out practical guidance for common risks such as fire, flood and security incidents. Every enterprise faces a slightly different set of risks, but some threats and countermeasures are universal, and these chapters aim to provide helpful, prescriptive advice based on well established principles and practices.

Chapters 10 and 11 cover essential tasks to prepare you for a disaster, including back-up and fallback arrangements, as well as how to develop and structure the business continuity plan itself.

Chapters 12 and 13 provide advice on how to organize and train an incident response team.

Chapters 14 and 15 discuss techniques for improving business continuity plans and arrangements, including how to learn from incidents, and how to carry out a review of processes and plans.

Chapter 16 provides a concise summary of the contents of this book for readers who would like a reminder of the key learning points, as well as for those who lack the patience to read it from cover to cover.

Finally, Chapter 17 lists some useful sources of further advice.

There are also helpful summaries of key points at the end of each chapter.


1 Making the business case

This chapter aims to set out the case for business continuity management, and to persuade you that it is a necessary and smart use of your time.

How much risk should you bear?

An important question that will no doubt be going through your mind is, ‘Why should I bother to invest valuable time and money in drawing up a plan for something that might never happen?’

The simple answer is that it will reduce the operational risks to your business, and ensure your survival in the event of a major disaster.

Each business director has a different appetite for accepting risk. Some like to gamble in the hope of gaining a higher return, while others prefer to keep their heads down and play it safe. But whatever your outlook, it is better to have as many of these risks under your control as possible.

Small businesses face enormous risks in today’s highly competitive environment; it comes with the territory of running a small or medium enterprise. You might not be able to do much about the commercial risks you face, but you can certainly take steps to minimize your operational risks. Keep in mind that these risks are often related. A bad operational performance, for example, can affect customer confidence and future sales.

Not all of the risks we face are within our sphere of influence. Economic risks, for example, are part and parcel of the surrounding business environment. Disasters such as floods and earthquakes are the results of circumstances far beyond our control.

Yet many types of risks are created by our own actions. They arise from bad decisions, unconscious oversights or human errors. We can take steps to reduce these risks, though it might not be physically possible to eliminate every last one of them.

Disasters and equipment failures, however, remain inescapable risks, and their impact on business operations is growing with our increasing dependence on technology, communications and transport. Every business needs to be prepared to tackle such major incidents as and when they arise.

Nearly one in five UK businesses suffers a major disruption every year. Your enterprise could very well be next. In fact, given these odds it is likely you will encounter some form of damaging incident at some point in the future.

Business continuity management will help you to ensure that your key business activities (such as sales, manufacturing, deliveries and purchasing) can be reliably carried out with minimal risk of interruption. It will also help to reduce the level of potential business damage from any form of disruption or ‘outage’, limiting your losses as well as safeguarding your reputation.

Developing the capability to continue to deliver products and customer services throughout environmental hazards will help you to retain your customers and win new business. A speedy response to a disaster helps safeguard your bottom line.

Business continuity management protects your business interests. It is a cornerstone of good corporate governance, as well as a smart business investment.

Safeguarding business interests

If you have already invested in an insurance plan to cover your premises and their contents, then it will also make sense to invest in a set of contingency plans to ensure business continuity. It is all part of the same concept: the need to plan for the worst to safeguard your longer term interests.

You should also consider investing in some form of business interruption insurance. This will compensate you for lost income, based on your financial records, though it is unlikely to provide cover for other possible consequential losses such as lost future business. Minimizing lost future sales will rely primarily on your ability to continue to satisfy your customers both during and immediately after a disaster.

If your clients include large organizations, it is likely that they will at some point ask you about your business continuity arrangements. The need to ensure business continuity across essential supply chains is increasingly being recognized by government agencies, supervisory bodies and large companies. The need for a business continuity plan might also be raised at some point by your bank manager, insurance company or investors.

Business continuity management is a vital element in maintaining your safety and security from hostile acts, such as terrorist attacks. In today’s world of heightened terrorist threats, which can strike at any time without warning, business continuity planning is your best defence. This point is acknowledged by security agencies such as MI5. In the words of Eliza Manningham-Buller, a former MI5 Director General:

    I am often asked what single piece of advice I can recommend that would be most helpful to the business community. My answer is a simple, but effective, business continuity plan that is regularly reviewed and tested.

Even if you judge that you are unlikely to be a victim of a terrorist attack, you can still be affected by the consequences of such an event. Major incidents can result in damage to critical infrastructure, such as electricity supplies, transport and communications, which are vital to many business services.

Business continuity management is an essential process for any organization that is required to deliver services without interruption. That is why MI5 takes it very seriously. It is also why the UK Civil Contingencies Act 2004 mandates it for frontline responders, such as fire and rescue services. And it is why business continuity is a mandatory policy for all UK public sector organizations.[1]

How much work is involved?

How much preparation is needed to create a business continuity plan? The truthful answer is that it is likely to be quite a bit more than you expect, though the effort should be easily within your capabilities.

Reading this, you might be tempted to do as little as possible and hope that in the event of a major disaster, you will find an easy way of salvaging your assets and continuing your business. But experience has shown that managing your way through a major incident is far from simple. An effective crisis response demands smart planning, detailed preparation and regular rehearsal.

Incidents can of course vary enormously in their impact. Recovering from some hazards, such as an equipment failure or power outage, might be relatively easy. But disasters such as a major fire or flood are likely to cause major damage and upheaval. In such cases it is vital to respond quickly and effectively to contain the damage, establish alternative business facilities, and get back to business as quickly as possible. Ask yourself what immediate action you would now take if you suddenly discovered that your premises had been seriously damaged by a major fire or flood. If your answer is ‘I’m not sure’ then you need to start thinking about the precise steps you and your staff will need to take to keep your business going, as well as the type of advance arrangements you will need to have in place in order to support these actions.

Contingency plans cannot be conjured up overnight. They take time to conceive, debug, refine and put into place. So you need to start thinking now about the shape of the plans, facilities and services you will require to protect and maintain or restart your business activities during a major disaster.

Do not be put off by the size, cost and complexity of arrangements you might have seen in bigger companies. Implementing business continuity management in a large organization is a major undertaking. There are numerous systems, services and people to take into account.

But for a small enterprise, the task is much simpler. It should not require a large investment of time or money. And it should not be difficult, because it is largely applied common sense.

In fact experience shows that in a real disaster, smart strategies, advance thinking and a good understanding of roles and priorities will count for much more than complicated plans and sophisticated technology. As in many areas of business, simplicity is the key to a fast, smooth recovery.

Learning points from this chapter

This brief chapter was intended to set out the arguments for developing a business continuity plan. Here are the key learning points to be taken from this chapter:

• Business continuity management reduces the risks to your business and might ensure your survival in a disaster.
• Regardless of your own appetite for risk, it is better to have as many risks as possible under control.
• Nearly one in five businesses suffers a major disruption every year. Yours could be next.
• Business continuity is a cornerstone of good corporate governance, and a smart business investment.
• If you invest in insurance cover, it also makes sense to invest in business continuity planning.
• If your clients include large organizations, it is likely they will at some point ask you about your business continuity arrangements.
• Business continuity management is your business’ best defence against terrorist threats.
• An effective response demands careful planning, advance preparations and regular rehearsal.
• Business continuity management is not a difficult or expensive task for a small enterprise.
• Simplicity is the key to a fast, smooth recovery.

[1] Business Continuity is one of the seven policies set out in the UK Government Security Policy Framework.



2 Key concepts and principles

This chapter explains some of the key concepts and terms used in business continuity planning, including the life-cycle for planning, developing and implementing business continuity plans.

What, how and who

Regardless of the shape or size of your enterprise, the principles of business continuity management are essentially the same. At heart, business continuity management is comprised of three main strands that are different in nature and scope, but need to be very closely co-ordinated. They are the ‘what’, the ‘how’ and the ‘who’ of business continuity management, as illustrated in Figure 2 below.

Figure 2 – Key elements of business continuity management

Ask yourself what needs to be protected, how it will be achieved and who will make it happen.

• What: The value chains and critical business processes that have to be maintained throughout the disaster.
• How: The set of plans, facilities and arrangements you will need to invoke to enable your critical business processes to operate as effectively as possible throughout the crisis.
• Who: The crisis team organization you must put in place to manage your response and to execute your business continuity plans.

A further consideration is when your staff and plans need to be mobilized, which will be in response to a clear, identified hazard. An important part of business continuity management is identifying and mitigating possible sources of risk before they strike.

Be selective and keep it simple

Simplicity is the key to successful business continuity management. In a crisis, you cannot be expected to maintain business as usual. You will have numerous distractions, fewer resources at your disposal, and limited facilities to carry out your business. You will have to cease non-essential tasks and postpone non-critical activities in order to focus your limited capabilities on the most important activities and transactions.

This type of decision-making demands quick thinking and relies on advance planning, especially when it comes to establishing alternative sources of production facilities, materials or services. You will also need key information at your fingertips, such as contact details - for staff, customers and emergency services - and ideally a set of aide memoire guides to help you manage through the crisis.

Most importantly, you will need to have advance agreements in place which address who is responsible for carrying out specific tasks and who will coordinate on your behalf.

• Who will lead the crisis team?
• Who will deal with emergency services?
• Who will get the fallback site up and running?
• Who will liaise with customers?

These are the sort of questions that require clear, instant answers and must be understood by everyone involved.

Finally, you will also need disciplined procedures for keeping your plans up-to-date and for carrying out essential, routine support tasks, such as making regular back-up copies of your data and storing them securely at a suitable remote site that is unlikely to be affected by the same disaster.

And that is it. These are the key elements of business continuity management. Once you grasp these steps, everything else is simply a matter of progressively filling in the detail in order to improve your preparedness.

A process, not just a plan

When organizations tackle business continuity management, they generally treat it as a project, with a defined start and end. However, it is much more accurate to think of it as a living process that is continually reviewed, refreshed and aligned with changes in business practice, infrastructure and personnel, as well as any new developments in the risk environment, such as a new form of cyber attack, or a raised level of terrorist threat.

In fact, the best place to keep your contingency plans is in your head! This might sound a little too informal, but experience has shown that it is far better to be aware of your strategy, role and arrangements than to have a detailed paper plan stored away in an unopened folder on a shelf.

The best plans are the ones that people know inside out and have rehearsed over and over again. But that level of awareness can only be developed after you have properly considered the risks, defined your precise requirements, and developed an appropriate strategy, plan and review mechanism.

There is a logical, practical sequence for defining your business continuity needs and developing a set of plans. An iterative process often works best, starting with a simple set of arrangements, and then over time enhancing, testing and refining the arrangements and plans as your needs evolve and your understanding of the subject matures.

It is important, however, to start by asking the right questions in the right sequence to ensure you set off in the right direction.

The business continuity management cycle

Business continuity management is best approached as a logical sequence of simple steps. Following this sequence helps you to identify your requirements and make informed decisions in the most effective and efficient order. The sequence is illustrated in Figure 3. Each of these steps is addressed in detail in the following chapters (though not necessarily under the same headings).

Note that this sequence is illustrated as a continuous cycle, rather than a list of actions with a start and end. This is to emphasise the need for the ongoing review, alignment and updating of all requirements, plans and arrangements, as well as for regular tests and rehearsals to ensure that everything will work correctly and smoothly when required.

The key steps in the development and maintenance cycle are as follows.

Figure 3 – Steps in implementing business continuity planning

1. Decide what to protect - and what to put on hold
   Start by determining which business processes and services you will need to maintain after a major disaster or failure. You will not be able to keep everything running normally, so you need to be as ruthless as possible in deciding priorities.

2. Assess the risks
   The next step is to identify and assess the possible hazards to your critical processes and activities. It involves careful consideration of the probability and impact of each risk.
   Note that this is not a precise science, as many aspects of risk are unknown, uncertain and difficult to measure. But even an educated guess is a better basis than an arbitrary decision.

3. Identify your requirements
   This step is to identify and set out your specific requirements for contingency plans, fallback arrangements, and a crisis response team. Your decisions will need to take into account your identified critical processes and services, bearing in mind the effect of identified risks on their operation.

4. Prepare your plans
   Preparing a formal set of plans might seem a daunting task, especially if you are not comfortable with paperwork. But it need not be difficult. You do not need fancy prose or lengthy procedures. Simple, brief instructions and reminders are more effective. Set out the key elements in a concise manner to ensure actions are easy to understand, execute and update.

5. Brief your response team
   In a small enterprise, a response team will probably encompass your entire staff, who might operate in a single, collaborative unit. In a larger business, however, it will be necessary to assign individual roles or specialist teams to coordinate particular activities. The important point, in both cases, is to ensure that everyone involved understands the contribution they are expected to make.

6. Test and update your plans
   Many plans and arrangements, especially concerning fallback facilities, fail to work the first time you try them out. Regular tests and exercises are essential to correct errors, spot gaps and identify further requirements. Plans can become out-of-date surprisingly quickly with changes in personnel, facilities or business practices, so regular updates and reviews are essential.

Each of the above steps is relatively straightforward, and can be carried out by an ordinary manager with no specialist skills or experience, other than a good dose of common sense. The following chapters set out in more detail how to go about each of these steps in turn. But first we need to explain some of the terminology commonly used in business continuity management.

The language of risk

Many different terms are used when describing the key motivators for business continuity management. Some, such as ‘hazard’, ‘threat’ or ‘risk’ are used interchangeably in common language. However, there can be subtle differences in the interpretation of these words, particularly in their precise scope. In fact, the meanings of these terms are formally defined in the international standard ISO/IEC Guide 73, Risk management – Vocabulary – Guidelines for use in Standards.[2] To avoid creating any further confusion, it is useful to define what is meant when we use such terms.

Hazards and threats

A hazard or threat is a potential source of harm. These terms are often used interchangeably, and for the purpose of this book can be regarded as the same. Standards purists might decry the use of two different words with one definition, but varying the choice of words makes for marginally better English.

There are many different types of hazard. They can be threats to business, property or human life. A hazard might be a force of nature, such as a fire, flood or earthquake, or perhaps a person such as a terrorist, thief or computer hacker. They might even include technological phenomena, such as software bugs, equipment breakdowns or computer viruses.

Risks

A risk is a combination of the probability of an event and its likely consequence.

Risks are essentially the chances of hazards or threats penetrating our defences and causing business harm. Some risks can have positive or negative outcomes. When we gamble or invest, for example, we expect a risk to have an ‘upside’ (winnings or earnings) as well as a ‘downside’ (losses). When it comes to business continuity, however, it is inevitably something bad that we are anticipating.

The most important point to grasp is that risks are events, and they may or may not happen. With a bit of smart guesswork we can have a stab at assessing their likelihood of occurrence over a given period of time.

Risks are often confused with issues, but are not the same. Issues can be, for example, customer demands, emerging legislation or regulatory compliance demands. They can also have a major impact on business operations, but they are ongoing requirements, rather than events which pose risks.

A further point is that risks might not actually materialize. With hindsight, an investment in a set of contingency measures that is never used might seem to be a wasted expenditure. But that is the nature of risks. It depends on luck; but luck will eventually run out if you push it too far. As Benjamin Franklin put it, ‘Diligence is the mother of good luck.’[3]

An additional quality of risks is that they have an associated impact or consequence. Appreciating this will help you to determine your response. Taking into account both the likelihood and impact of a risk enables you to decide whether it is best to aim to avoid the risk, accept it, insure against it, or perhaps take steps to improve your response.

For example, a low impact risk that is likely to occur several times a year clearly justifies immediate, preventative measures. On the other hand, a high impact but unlikely risk is generally better dealt with by a smart contingency plan.

[2] The descriptions given here are consistent with this standard.
[3] A phrase that has also been attributed to numerous politicians, actors and sportsmen, especially golfers.

