Business Reflections Podcast Episode #33- Business Continuity Planning with Arris Risk Management

Episode Transcript

Meredith Matics: Welcome to Business Reflections with your host Meredith Matics, and we are here to reflect on the business topics that are affecting you today and how you can better run your business. Today, I have A'Dream Starkey, Managing Partner of Arris Risk Management.  

A'Dream Starkey: Hi Meredith. Thank you so much for having me.  

Meredith Matics: First off, let's just say one of our listeners doesn't know what risk management is. What is risk management?  

A'Dream Starkey: Risk management is basically the practice of managing risk for your business. It can also apply to your life. It's really important that we take time to look forward and think about what could potentially impact the future of our business. Risk management is just taking the time to look forward and plan for anything that may occur. It could be a natural disaster or it could be a business risk. 

Meredith Matics: How did you get into risk management? That seems like a really unique choice.  

A'Dream Starkey: Well, I guess ultimately it wasn't really a choice to sort of chose me. I have, I have what some might consider a unique career path within like finance and insurance. I've worked in the same industry in a variety of client facing roles for a really long time. Traditionally, if you work in underwriting, you sort of remain in underwriting. If you work as a broker, you mean as a broker. If you work in risk management, you remain in risk management. People may change companies, but typically the role doesn't change. 

I've actually worked in all of those roles from an underwriter to a broker or a producer, an agent and account executive, and most recently as a risk manager. These are all the same industry, but they're just really the client facing roles within the finance and insurance industry.  

Meredith Matics: I would imagine that it gives you a better view of things or a more encompassing view.  

A'Dream Starkey: Correct. I think it gives me a 360 view, I like to say, on how clients interact with the finances and to some extent the insurance that protects their business. One of the practices of risk management is to look at all of the ways an occurrence could ultimately impact your business from your finances, to your staff, to your property, anything that could actually pose an exposure to your business. 

What we want to talk about is continuity planning and continuity planning is sort of that forward-looking planning perspective that we talked a little bit about earlier, essentially it's preparing for possible future realities of your business today. It doesn't have to be specific to business because I think of my life this way also. I try to think about possible future realities of my life, and then I make plans towards it. 

You do the same thing for your business. You think about possible future realities of your business. You think about what could impact those future realities? We can predict things that could occur. But you can't always predict when they could occur. For example, we could predict that there could be a pandemic, but nobody could see that COVID-19 was going to be yet.  

Continuity planning would have you looking at predictions and planning for it, so you'd say there's a possible future where a pandemic occurs. How can I protect my business with the best data available today? We're never going to be able to plan for everything, but with the data that's available to you today, what could you do in the event that occurred?  

Meredith Matics: I have so many questions. As soon as we start talking about continuity planning, the main thing I start thinking about is, especially we're in California, so I'm thinking of like fires and earthquakes and now pandemic, and what if somebody broke in. That seems really overwhelming. That's a lot of things to think about. 

Is there a way to manage that without getting overwhelmed and jumping into it?  

A'Dream Starkey: Yes. Utilize your professionals. I do understand, so even hearing you say fire, earthquake, I'm getting excited. But I'm getting excited in a completely different way than you. But I'm getting excited because I like to hear that someone is thinking of these things, even if it's maybe in a way that can be a little tense in your stomach. The bottom line is utilize the people and the professionals in your life that you have relationships with and whose advice you can trust. 

Don't think about it as if all of these things are going to happen to you and you have to plan for every single one of them, because that would overwhelm you. You want to think about these things sort of one at a time in a vacuum and what could you do to mitigate risk. That's where we start to have the risk management conversation. 

Everyone knows that if you buy a home, you get home insurance. But, why do you get home insurance? That's a risk management technique. You've transferred the risk of the fire that could possibly occur at your home to an insurance company. Granted, you may only have that insurance because the mortgage company told you to buy it. But that's because they've managed their risk as an organization and they understand that it's necessary. You want to look for ways that you can do that with other things that could potentially be threatened in your home or with your business. 

So if the place where you operate your business, for example, let's say it's located in a flood zone. Then you should potentially purchase flood insurance. That way you're transferring the risk of your business being shut down, due to a flood to your flood insurer.  

The idea of insurance is the premiums of the many will pay for the accidents that occur to the few. Which is why data analytics are really important because if we can properly predict the few that this will happen to, then we know how to charge premiums to everyone.  

 If I am able to buy insurance and pay my premium, I'm paying this premium with the understanding that in the event, this unlikely thing happens, I can look to this insurer for protection or for coverage or for some limitation to what my exposure ultimately is. The practice of risk management sort of goes beyond insurance because not all risks are insurable, but there are ways that you can manage them without buying insurance. 

Meredith Matics: What are some of the basics for creating your continuity plan? 

A'Dream Starkey: The best way to start, so if you Google this, right, continuity plan, how to plan for my business' continuity in the event of blank. You can Google it a few different ways. You'll get things from maybe four steps all the way to like 13 steps. Ultimately, there are five basic things that is the best way to start any plan. First is the risk assessment and the assigning of a threat level. This can sound really scary, but think about, especially as a business owner, if you're sitting at your desk, you're looking around, think about the things that could physically threaten your business. 

And also now we want to think about like virtually, digitally. Do we have a cyber exposure? Do we need to protect our passwords? In what ways could my business be threatened is the best way to start.  

Step two would be the business impact analysis, so this is the things that you came up with in step one, how would they actually impact the business? If I do lose all of my passwords, the impact of that could be me being locked out of all of my business accounts. That would be very inconvenient, but as a threat level is pretty low, right. I can click a link and create a new password.  

Now, if it was a situation where I lost a digital wallet and the key code to that, now I have ultimately lost hundreds of thousands of dollars that I can never get back. So that's a different threat level. The way that the threats impact your business is step two. You want to do a full analysis and assign how each of those risks can actually impact your business.  

Step three, that's where you decide, okay, I know that these are my threats. I know this is how those threats will impact me. How do I mitigate those threats? What can I buy insurance for? What can I just maybe start a fund or save for?  

For example, if we use like a home again, standard homeowner's insurance, doesn't cover like wear and tear and regular maintenance. You as the homeowner are responsible for that. So maybe you say, I'll start a sinking fund to replace my roof in 10 years, because you can't insure the exposure of your roof. But you can actually save towards buying a new roof before the current one expires. 

 Same thing for your business. If there's equipment in your business that standard maintenance wear and tear. It's not covered by insurance, but you can plan a fund to save the money to replace or repair the equipment over time. That's your step three. That's your strategy where you're thinking I can't insure this, but I can save money for it or some other way to limit that risk. 

Meredith Matics: We had a time where we had a power outage and my main computer shorted out.  I was so bummed, but we had a savings going for like emergency for the company. So I was able to purchase a new computer with that savings. But when I did purchase a new computer, I did purchase the extended protection plan with the company that I purchased it with so that if something shorted out, I had that potential in the future. 

Maybe two weeks later, we had another short and I was like, Oh, my gosh, I'm going to walk in there and this brand new computer is going to be shorted out, but went through this once, I know what we're going to do now. Thankfully it wasn't, but as you're giving the steps, I'm thinking in my head like, okay, so the computer is a critical aspect of my work. 

I can't work without it. We have everything on the cloud so it's not a huge deal. If the physical item has gone other than costs. Realizing what the cost would be okay, so have the savings account and then how to prevent it in the future. But then I realized I cut you off because you were only on level three of five.  

A'Dream Starkey: Well, actually it was pretty cool is in the story you just told you gave sort of step number four. You had a plan, right? Step number four is to create an incident response plan. After you've come up with your strategy and you have a plan for how to mitigate your risk, you need to also come up with a plan to actually respond if something happens.  

So right now, I think as a culture maybe, at least in my industry, everyone's talking about cyber. Insurance has been talking about cyber for a very long time, but like everyone is really talking about cyber now. The interesting thing about cyber is the safest time for a company is after they've been breached, and that's when they'll get the best insurance rates. Unlike other insurance, like say your auto, if you have an auto accident, you try to find another carrier. 

You're going to have a hard time. The reverse is true when it comes to cyber. When it comes to their computer systems, they've built these things over years. They've just added newer technology. They've added newer equipment. As far as knowing where their actual intrusion points are, that's hard so it's only after something happens that they get the big guys to come in probe the entire thing and build a system that protects them based on where they were breached. 

Meredith Matics: I feel like some cyber insurance company needs to partner with somebody who just fixes cyber problems and be like, pass us your clients when they're done. 

A'Dream Starkey: So after an incident, you want to have a way to respond to an incident. And then the last step is actually just communication. 

The plan is only as good as the communication of the plan, especially to the people whose responses required in the plan. So if there are many roles in your incident response plan or in your strategy to minimize risk, you want to make sure that that plan is communicated to all the people who are included, especially if you're a business owner and your risk mitigation plan involves your employees. 

You want to be sure that they are aware of their part in the plan. You also want to be sure that the other professionals you do business with, so like you probably have an insurance agent or broker, you probably have a lawyer, you probably have an accountant or bookkeeper. You want to be sure that all of these people are aware of what part, if any that they play in your risk mitigation and your business continuity plans. 

Those are the five steps I would say, assess the risk, business impact analysis. Step three is your strategy, your plan development. Four is creating an incident response plan, and five is communicating. Also, I guess, with an asterisk, annually, you just want to do a review of your plan to make sure that it's like compliant from a legal perspective or regulatory perspective. 

And then you also want to stress test your plan every now and again, just to be sure that if you have funds set aside, like you have savings goals, is that still enough? Some people say, well, we're going to save six months of operating expenses. 10 years can go by is six months of operating expenses, still the same dollar amount that it was 10 years previously? Those are the annual reviews.  

Meredith Matics: Even just what I think in personal experience, my insurance agent makes me review it with him every year. Even if it's just a, Hey Meredith, anything changed in the last year and I'm like, I bought another computer and he's like, yeah, it's still under the limit, but that's the point is to make sure nothing has changed and...  

A'Dream Starkey: Yeah.  

Meredith Matics: At least for me, when this last year we did the review, I had not thought about the fact that we had passed the next limit of employees, like when they say like, you have one to five, five to 10, 10 to 15. We had passed it, but one person, but I hadn't thought about like, Oh, do I need to call my insurance agent and tell them that we hired this other employee. 

It had not occurred to me. The things that you have to review yearly for your business are important so that if you know something had happened, I wouldn't be like, sorry, new employee, you're not included on the insurance policy.  

So for a business owner, who's starting out this five step plan, where do they get started? How do you even know what to pick first?  

A'Dream Starkey: Okay. I'd recommend natural disasters are a good way to start because a lot of them are insurable. The harder things are going to be the things that you can't just buy insurance for. The risks that you are able to insure are going to be easy to sort of mitigate because there's a policy and there's a product on the market to help you protect against it and also your physical person too. Physical people like humans are also important so I send people often to fema.gov. They have disaster preparedness resources. Everything from physical structures to physical persons and like loss of life. They give really good advice and plans on how to pack a go bag, how to test your fire extinguisher and best practices for your home and your business. Fema.gov is a great place to start. For business specific, like business continuity planning resources ready.gov/business is a government website that has all sorts of information for all sorts of disasters or crises. Ready.gov/business will give you maybe has 12 steps. My five steps is nothing compared to what the list ready.gov has. It's way more.  It's a good place to start. It's a great place to get a workflow and a framework to work within and to get you to start thinking. Even though it sounds like you're already thinking, and I imagine your audience is probably already thinking, but it gives you a good framework to start thinking about where do I see my business in the future? 

What do I want to protect about my business today to make sure that we realize that  intended future?  

Meredith Matics: With the coronavirus, we definitely saw this shift of like any businesses that hadn't moved into like the technology front, or thought about what it would be like to have their employees be able to work from wherever or be cloud-based. But the companies that had really relied on like paper, and had not looked at the future, not looked forward, really hurt and the ones that were prepared we're able to jump right in. There was that two weeks where just you couldn't get ahold of any person on any business platform ever. So I think everybody now is probably more aware than ever.  

A'Dream Starkey: I think to your point, one of the things that I look to as far as remaining an optimist is the fact that all of the systems that at least I had been hearing for the longest time working within the circles that I work within. Oh, you can never automate this. Oh, you can never digitize that. Oh, we'll always need a wet signature for this. All of those things are out of the window and someone has figured out how to take it online.  

Meredith Matics: Just the human innovation that we figured out, like, okay, let's figure out how to do this. Cause we, we gotta do this. We got to work. We got to get businesses up and running. How do we do this? And how do we do it tomorrow?  

A'Dream Starkey: What I saw more than anything I think is, I don't even know what the word for it is, but taking one thing that's maybe used in this industry for this purpose and repurposing it for a completely different industry for a completely different use and it being a solution to a problem that didn't even exist until this occurred. 

Meredith Matics: As we close up our time today, what do you think is the first step that every business owner needs to take today to make sure that they have a realistic idea or to get started on this risk management? Because it's important, but I know a lot of us are going to put it off because it sounds like a lot of steps, but what is the number one thing we all have to do today? 

A'Dream Starkey: I think the number one thing today is to just really be patient with yourselves, with your staff, with other businesses and services, and especially with like the government and institutions. Just really take a breath, be patient. I think that as we move forward and you start to think about, well, How has my business, like we're all sort of cleaning out the rubble and seeing like what's left. 

What can I salvage? How do I move forward? So I think just take a deep breath, be really patient and one thing at a time. So we're going through a COVID-19 recovery. What are some best practices that you can take from the last six months, the last 10 months, what have you learned about how your staff interacts virtually or in person now? 

Everyone's routine has changed, so what can you incorporate, that's been calming from your new routine into your business going forward? The best thing that we all can do is look for just those little pockets of peace like the things that we've picked up during this pandemic where we've felt more human. How can we incorporate that into our business as we move forward, instead of keeping that intention as we move into the future? I think nothing but good can come from that.  

Meredith Matics: That's really beautiful. I almost don't even want to ask my closing question because it was going to be, what is one piece of advice that you want to share? And I'm like, that's it right there!  

A'Dream Starkey: I think so. The more we feel rooted and like our humanist, the more clarity we have. The more clarity we have, we're just going to make better decisions.  

Meredith Matics: And where can our listeners learn more about you? 

A'Dream Starkey: I have a website www.arrisrisk.com. I'm on Instagram. It's Arris Risk, no space. I am also on LinkedIn. 

Meredith Matics: Well, wonderful. I hope our listeners  take some pieces of advice today and get started with their risk management. Thanks for coming on.  

A'Dream Starkey: Thanks so much for having me, Meredith. Take care. 

Business Reflections Closing: Please note that these are thoughts and opinions alone. For tax advice, please see your CPA or tax advisor, tax professional for business advice and legal entities. Please see your local business, lawyer, or attorney for advice. And if you'd like to reach out to us for any topics or questions about. Any subject, any episode you can reach us podcast@maticsbilling.com. That's podcast@maticsbilling.com.    

For show notes, visit Maticsbilling.com/podcast. If you liked this episode, we want to hear from you. Please hit subscribe. Leave a review and share this episode with your friends, family, and on your social media pages. See you next time!