Recovering from a flood or fire is hard for a business. But dealing with problems caused by a lack of business continuity plans or inadequate insurance can make it worse.
“The better you can plan for how to deal with an incident, the better off you’ll be,” says Lawrence J. Newell, CISA, CBRM, QSA, CBRM, manager of Risk Advisory Services at Brown Smith Wallace. “I say ‘incident’ because it could be something not always thought about in typical disaster terms, such as a breach of credit card information.”
Smart Business spoke with Newell and William M. Goddard, CPCU, a principal in the firm’s Insurance Advisory Services, about developing business recovery plans and the insurance options available to reduce risk.
What goes into a business continuity/recovery plan?
One component is a business impact analysis, placing a value on what the business needs to operate. Layered underneath are the business processes, which include the business continuity plan and its identifying process flows. For example, length of shutdown is part of the business continuity plan, which contains timelines.
Then there is the disaster recovery plan, which covers anything the business depends on that is IT related. Information has more value than just the data because of the intelligence built around it. So you need to identify where that data is processed, stored or transmitted.
There is also a communication plan, making sure an incident is communicated upward, downward and outward — upward to the executive management team, downward to the enterprise and outward to customers and business affiliates. Part of the communication plan is identifying the impact, whether it’s a simple outage or a more widespread incident such as a tornado, flood or hurricane.
What options are available to manage risk?
In the example of a credit card breach, there are risk reduction processes such as applying security standards developed by the credit card industry. There’s also cyber risk insurance, which insures costs to locate the problem, including hiring experts to do that, notification of cardholders, and business interruption loss.
What do businesses need to know about disaster coverage in insurance policies?
Generally, what we think of as disasters — earthquakes, hurricanes — are covered under property insurance. But business insurance policies also contain sublimits. For instance, you can have $100 million insurance coverage, but the sublimit might be $25 million for a flood. Policies carry different sublimits, and a company planning to use insurance to cover these disasters needs to be aware of them.
What is co-insurance, and how does that impact claim payments?
After a loss, the insurance company will judge the value of a building, say it’s $1 million. A co-insurance clause is typically 90 percent, meaning that the building should be insured to 90 percent of its value — so you’ve bought $900,000 insurance coverage on a $1 million building. If it burned to the ground, you would be paid $900,000. But if you only bought $800,000 insurance coverage and were supposed to buy $900,000, all recovery is based on having 88.8 percent of the coverage you should have. If a small warehouse fire causes $100,000 in damages, you wouldn’t be paid $100,000, but $88,800. This concept of co-insurance is frequently in policies and can be punitive for loss recovery.
How can insurance costs be reduced?
Insurance companies will inspect your property and following their recommendations can make you a better risk, reducing premiums. It’s also important to figure out exactly what coverage you need — it’s best to get an independent adviser. There have been many court cases involving inadequate insurance; they’re expensive to bring and hard to win. It’s better to get it right when you buy the policy, so you should have someone other than the person who’s selling you the insurance answer your questions and conduct an analysis of your needs.
William M. Goddard, CPCU, is a principal, Insurance Advisory Services, at Brown Smith Wallace. Reach him at (314) 983-1253 or firstname.lastname@example.org.
Lawrence J. Newell, CISA, CISM, QSA, CBRM, manager, Risk Advisory Services, at Brown Smith Wallace. Reach him at (314) 983-1218 or email@example.com.
Insights Accounting is brought to you by Brown Smith Wallace