Planning for business crisis risk

The business world may be climbing out of the crisis atmosphere that began with the pandemic in 2020. But these events are also a reminder of the business law and financial consequences if there is no planning for business crisis risk. Even though the situation is improving, organizations should update their plans.

Facing risk

Companies must prepare for unforeseen circumstances. In addition to pandemics, these also include:

• Outages or data breaches
• Reputation attacks
• Ransomware attacks
• Lawsuits
• Employee turnover
• Environmental hazard
• Workplace violence
• Civil unrest
• Regulatory investigations and fines

Working from home

Most businesses adopted telework and telecommuting policies last year. Using technology outside a traditional workplace poses risks to their cybersecurity. According to an Ontrak survey, 39 percent of businesses are unprepared for a ransomware attack and 20 percent of organizations are unable to access operable data back-up.

Businesses need to consider all-encompassing defense plans that reduce the risk of suffering substantial downtime or data loss. Plans should also address possible privacy law violations that could lead to costly fines and negative publicity.

Resiliency

Effective plans deal with business resiliency that covers crisis management, continuity, and operational recovery. These should include a strategy that effectively prepares for and allows a business to recover from a crisis and disruptions while continuing to provide critical services.

Businesses should also have data-driven strategies, business impact analysis and risk threat assessments. These can help reduce spending money and resources on unlikely risks or unneeded recovery.

A business resiliency plan involves three major components. First, a crisis management plan having strategic and tactical procedures with defined roles and responsibilities to respond to incidents that could impact employees, customers, and important stakeholders, or that can have substantial financial, operational, or reputational consequences.

Next, business continuity plans may be implemented that are rehearsed and identify potential business disruptions. Finally, businesses should have a disaster recovery plan that addresses IT recovery and allows it to recover from disruptions.

Other elements

Business crisis and continuity plans should be part of a larger plan on structure and governance. These plans should deal with several elements:

• Impact thresholds.
• Risk assessment.
• Policies, guidelines, and standards.
• Incident and remediation plans.
• Tabletop exercises.
• Failover tests.
• Mass notification and crisis communication.
• Vulnerability audits.
• Debriefing.
• Project management.
• Emergency employee procedures.
• Crisis briefings
• Metric collection.
• Legal, cyber, and public relation support.

Attorneys can help develop these procedures and prepare the documents to implement it. Lawyers may also assure that business is complying with legal requirements for technology and crisis management.