Despite news reports about natural disasters and man-made calamities that seemingly occur every week, many businesses have not considered the potential impact of these exposures. Consequently, they may end up with a risk management program that ignores potential losses or an insurance program that does not provide adequate coverage limits. The potential damage of these shortcomings is especially serious for small businesses. According to a study by the U.S. Small Business Association, up to 60% of small businesses fail following a significant loss. That figure becomes far higher if the business did not have a continuity plan.
Anecdotally, large companies with dedicated risk management departments are more likely to address business interruption exposures, but many may still not be adequately covered. The concern over short- and long-term disruption of operations cannot be overstated. In addition to standard perils such as fire, lightning or windstorm, businesses also need to consider emerging risks such as cyberattacks and acts of terrorism. Any of them can take down a business.
Business interruption insurance is designed to replace lost net income as well as cover ongoing normal operating expenses. Extra expense coverage compensates for costs beyond lost business operations, such as overtime pay, expedited shipping, relocation and other expenses that minimize downtime. Since business interruption coverage is triggered following direct damage by a covered peril, it is critical to confirm that your policy addresses all exposures, including cyber and terrorism.
Traditionally, business interruption insurance protected companies that were unable to operate due to covered events such as natural catastrophes. The insurance came into use decades ago and has not always been fully updated to align with the realities of conducting operations globally and via the internet. Today, operations can come to a screeching halt if servers are taken down by a distributed denial of service (DDoS) attack or through any number of other ways that cybercriminals wreak havoc. Terrorist attacks that would prevent employees from accessing the workplace also require consideration. Therefore, businesses need to be concerned with exposures relating to supply chain logistics and acts of civil authority.
When evaluating business interruption coverage, there are several key factors to consider:
Business type: There is no standard policy that will meet the needs of every organization. A business interruption policy for a restaurant, for example, will likely look very different from the policy of an online retailer. One may focus on more traditional exposures such as fires or storm damage, while the other would cover cyberattacks and data breaches.
Policy limits: Make sure the policy covers the right expenses and length of time it would take your business to get up and running. Most disasters, natural or man-made, will halt operations for more than just a few days. An extreme example is the 9/11 terrorist attacks that forced businesses in the vicinity of the World Trade Center to cease operations because the entire area was blocked off.
Financial impact: It is important to understand total business expenses if an interruption occurs. Business interruption insurance is divided into business income coverage, which replaces the income that would have been earned based on past financial performance, and extra expense coverage, which is designed to take care of costs beyond normal operating expenses. Completing a business interruption worksheet will help you identify and quantify direct income exposures, including any contingent exposures existing in your supply chain logistics, as well as continuing expenses and potential extra expenses needed to mitigate a loss.
An organization also needs to review exposures and determine if it has the appropriate insurance coverages and controls in place. This process includes completing and updating your business interruption worksheet, which takes into consideration supply chain logistics.
In addition, every enterprise should establish an effective business continuity plan that includes: identifying threats or risks; conducting a business impact analysis; adopting controls for prevention and mitigation; preparing employees for emergencies; and testing, exercising and improving procedures on an ongoing basis.
Proactively addressing business interruption risks and ensuring your enterprise is protected can be an arduous task, but it may be the difference between surviving and closing up shop in the wake of a disaster.