
BUSINESS RISK AND CONTINUITY PLANNING
HELLO!
Balneg, Nelson
Delena, Reymark
Cheng, Li

WHAT ARE THE TOPICS TO EXPECT?
• What Is Business Risk
• Risk Management
• Identifying Business Risk
• The PPRR Risk Model
• Business Continuity Planning
• Preparing a Risk Management Plan and Business Impact Analysis
• Preparing an Incident Response
• Developing a Recovery Plan
• Cybersecurity for your business
• Information Technology Risk Management
• Protecting IT and Data System
• Managing Risk in Supply Chains
• Keeping Your Workplace Safe
• Avoiding Business Scam

https://www.business.qld.gov.au/running-business/protecting-business/risk-management/identifying-risk

There's no harm in hoping for the best as long as you're prepared for the worst.
― Stephen King, Different Seasons

1. WHAT IS BUSINESS RISK?

BUSINESS RISK CONT.
Risks can be internal and external to your business. They can also
directly or indirectly affect your business's ability to operate.
Risks can be hazard-based (e.g. chemical spills), uncertainty-based
(e.g. natural disasters) or associated with opportunities (e.g. taking
them up or ignoring them).
The Australian standard defines risk as 'the chance of something happening that will have an impact on objectives'.

https://ag.purdue.edu/commercialag/farmrisk/understanding-risk-types/
BUSINESS RISK
The probability of loss inherent in an organization's operations and
environment (such as competition and adverse economic conditions) that
may impair its ability to provide returns on investment.

Business risk plus the financial risk arising from use of debt (borrowed
capital and/or trade credit) equal total corporate risk.

BUSINESS RISK CONT.
Business risk, which can also be categorized as short-term or
operational risk, impacts the return on assets and includes price,
costs and productivity.
Business risks are relatively easy to manage in that there are clear
approaches to managing them and they have low-impact outcomes or
a low probability of occurring.

https://ag.purdue.edu/commercialag/farmrisk/understanding-risk-types/
BUSINESS RISK: DIRECT RISK AND INDIRECT RISK
Direct risks to business…
• Natural Disasters
• Global Events
• Technology
• Pandemic
• Legal, Regulatory and Government Policy Changes
• Environmental
• Work Health and Safety
• Property and Equipment
• Security
• Economic and Financial
• Suppliers
• Staffing
• Market
• Utilities and Services
Indirect risks to business…
People often make the mistake of overlooking things that don't directly impact their business and are therefore unprepared to deal with change.
Indirect risks to business…
Consider how these scenarios could affect your business:
• If your suppliers are affected, you may run out of the products you sell, or the materials you need to make products.
• If your customers are personally affected, their priorities may change, and you could experience a reduced demand for your products or services.
• If your general location is affected, you and your customers may not be able to access your premises, or your utilities could be affected. For example, you could lose power, which could mean you:
  o will not be able to operate your business
BUSINESS RISK MODEL AND OPPORTUNITY cont.

Diagram (business risk model), reconstructed from its labels:
• Environmental Risk
• Process Risk: Operations Risk, Empowerment Risk, Information Processing / Technology Risk, Integrity Risk, Financial Risk
• Information for Decision Making Risk: Operational Risk, Financial Risk, Strategic Risk
BUSINESS RISK MODEL AND OPPORTUNITY cont.

Environmental Risk
• Competitor
• Sensitivity
• Corporate Governance
• Capital Availability
• Catastrophic Loss
• Political
• Legal
• Regulatory
• Industry
• Key Stakeholders
BUSINESS RISK MODEL AND OPPORTUNITY cont.

Process Risk

Operations Risk
• Public Safety
• Customer Satisfaction
• Organization Development
• Product Development
• Efficiency
• Performance Gap
• Compliance / Legislative
• Business Interruption
• Product/Service Failure
• Environmental
• Health and Safety
• Asset Management

Integrity Risk
• Management Fraud
• Employee Fraud
• Illegal Acts
• Unauthorized Use

Empowerment Risk
• Leadership
• Performance Incentives
• Authority/Limit
• Change Readiness
• Outsourcing
• Communication

Financial Risk
• Cash Flow
• Opportunity Cost
• Concentration

Information Processing / Technology Risk
• Relevance
• Integrity
• Access
• Availability
• Infrastructure
BUSINESS RISK MODEL AND OPPORTUNITY cont.

Information for Decision Making Risk

Operational Risk
• Pricing
• Contract Commitment
• Performance Measurement
• Alignment
• Regulatory Reporting

Financial Risk
• Budget and Planning
• Accounting Information
• Financial Reporting
• Taxation

Strategic Risk
• Environmental Scan
• Business Portfolio
• Performance Measurement
• Organization Structure
• Resource Allocation
• Planning
CATEGORIES OF BUSINESS RISK
Managing risk in business…
The process of identifying risks, assessing risks and developing strategies to manage risks is known as risk management.

• Business continuity planning, which can help your business manage risks and recover from situations if they do happen
• PPRR risk management model to reduce the impact an incident has on your business
• Australian standard for risk management
2. PPRR RISK MANAGEMENT MODEL
PPRR RISK MANAGEMENT MODEL
The prevention, preparedness, response and recovery (PPRR) model is a comprehensive approach to risk management.

Use the PPRR model to:
• put plans in place to minimize losses in the event of an incident
• anticipate possible direct impacts to your business, and impacts on your suppliers and customers, which may flow on to your business.
3. BUSINESS CONTINUITY PLANNING
Definition
Business continuity planning (BCP) is the creation of a strategy
through the recognition of threats and risks facing a company, with
an eye to ensure that personnel and assets are protected and able to
function in the event of a disaster.

Four Steps to Developing a Business Continuity Plan

• Conduct a business impact analysis
• Identify, document, and implement
• Organize a business continuity team and compile a business continuity plan
• Conduct training for the business continuity team and testing and exercises
BCP Life Cycle

1. Risk Assessment
This phase includes:
 Evaluating physical on-site security and conducting walkthroughs
 Reviewing physical and network single points of failure
 Evaluating the impact of various business disruption scenarios
 Defining the probability of a risk occurring based on a rating system
 Prioritizing findings
 Developing a roadmap

2. Business Continuity Impact Analysis
https://www.fema.gov/media-library/assets/documents/89526
Business Continuity Impact Analysis
 The BIA will identify critical business functions and describe what
would be necessary to recover these functions, in the event of a
disaster or disruption in service.
 Gathering this information will help your agency develop a BCP
and will allow for the prioritization of available equipment and
resources, were an event to occur.

Business Continuity Impact Analysis cont'd.
The objectives of the BIA are as follows:
• To identify business processes and prioritize them according to criticality.
• To identify the Recovery Time Objective (RTO) associated with each critical business process.
• To identify the Recovery Point Objective (RPO) associated with each critical business process.
• To identify the key computer systems, equipment, and applications associated with each critical business process.
• To identify the quantitative and qualitative impacts that will be incurred should a disruption occur.
• To identify critical interdependencies associated with the business unit and its processes.
Business Continuity Impact Analysis cont'd.
The completed BIA will provide each section with the following information:
• Ranking of critical and non-critical business processes.
• Assignment of RTOs and RPOs for each business process.
• Document listings of key vendors, systems, and vital records.
• Estimates of the qualitative and quantitative impacts of an event, based upon the duration of the unplanned disruption (e.g. 24 hours, 48 hours, 5 days, etc.).
• An overview of what would be necessary to recover the functions of the section or program.

For instance,
Telephones are ringing, and customer service staff is busy talking with customers and keying orders into the computer system. The electronic order entry system checks available inventory, processes payments and routes orders to the distribution center for fulfillment. Suddenly the order entry system goes down. What should the customer service staff do now? If the staff is equipped with paper order forms, order processing can continue until the electronic system comes back up and no phone orders will be lost.

The order forms and procedures for using them are examples of "manual workarounds." These workarounds are recovery strategies for use when information technology resources are not available.
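As an added worked example (not code from the original deck or from FEMA), the following Python models the BIA outputs listed above for the order-entry scenario: it ranks constructed sample processes by criticality and RTO, flags a process whose RTO is shorter than that of a process it depends on (an interdependency finding the BIA should raise), derives a dependency-respecting recovery sequence, and tabulates quantitative impact for 24-hour, 48-hour and 5-day disruptions. All process names, RTO/RPO values and hourly loss figures are constructed assumptions.

```python
"""Worked BIA example: rank business processes, check that RTOs are
consistent across interdependencies, derive a recovery sequence and
estimate impact by outage duration (24 h, 48 h, 5 days)."""
from __future__ import annotations

import heapq
from dataclasses import dataclass, field

# Outage durations the BIA reports impact for, in hours: 24 h, 48 h, 5 days.
DURATIONS_HOURS = (24, 48, 120)


@dataclass
class Process:
    name: str
    critical: bool
    rto_hours: float        # Recovery Time Objective
    rpo_hours: float        # Recovery Point Objective (max tolerable data loss)
    loss_per_hour: float    # constructed quantitative impact, currency units/hour
    systems: list[str]      # key systems/applications the process relies on
    depends_on: list[str] = field(default_factory=list)  # processes it needs


def rank_processes(processes: list[Process]) -> list[str]:
    """Critical processes first, then shortest RTO, then highest hourly loss."""
    ordered = sorted(
        processes,
        key=lambda p: (not p.critical, p.rto_hours, -p.loss_per_hour, p.name),
    )
    return [p.name for p in ordered]


def rto_conflicts(processes: list[Process]) -> list[tuple[str, str]]:
    """A process cannot meet its RTO if something it depends on has a longer
    RTO. Returns (process, dependency) pairs the BIA should flag."""
    by_name = {p.name: p for p in processes}
    conflicts = []
    for p in processes:
        for dep in p.depends_on:
            if by_name[dep].rto_hours > p.rto_hours:
                conflicts.append((p.name, dep))
    return conflicts


def recovery_sequence(processes: list[Process]) -> list[str]:
    """Order in which to restore processes: dependencies first, and among
    processes whose dependencies are already restored, shortest RTO first
    (Kahn's topological sort driven by a min-heap keyed on RTO)."""
    by_name = {p.name: p for p in processes}
    remaining = {p.name: set(p.depends_on) for p in processes}
    dependants: dict[str, list[str]] = {p.name: [] for p in processes}
    for p in processes:
        for dep in p.depends_on:
            dependants[dep].append(p.name)
    ready = [(p.rto_hours, p.name) for p in processes if not p.depends_on]
    heapq.heapify(ready)
    sequence: list[str] = []
    while ready:
        _, name = heapq.heappop(ready)
        sequence.append(name)
        for child in dependants[name]:
            remaining[child].discard(name)
            if not remaining[child]:
                heapq.heappush(ready, (by_name[child].rto_hours, child))
    if len(sequence) != len(processes):
        # Nodes left over means a dependency cycle, which no plan can sequence.
        raise ValueError("circular dependency between processes")
    return sequence


def impact_by_duration(processes: list[Process]) -> dict[str, dict[int, float]]:
    """Quantitative impact of an unplanned disruption for each listed duration."""
    return {p.name: {d: p.loss_per_hour * d for d in DURATIONS_HOURS}
            for p in processes}


# Constructed sample data (not from the original deck), modelled on the
# order-entry scenario described in the text.
SAMPLE = [
    Process("order_entry", True, 4, 1, 2000, ["order entry system", "phones"],
            depends_on=["inventory", "payments"]),
    Process("inventory", True, 2, 1, 800, ["inventory database"]),
    Process("payments", True, 24, 1, 1500, ["payment gateway"]),
    Process("distribution", True, 24, 24, 900, ["warehouse management"],
            depends_on=["order_entry"]),
    Process("marketing_reports", False, 120, 168, 50, ["reporting warehouse"]),
]

if __name__ == "__main__":
    print("ranking:", rank_processes(SAMPLE))
    print("RTO conflicts:", rto_conflicts(SAMPLE))
    print("recovery sequence:", recovery_sequence(SAMPLE))
    for name, impacts in impact_by_duration(SAMPLE).items():
        print(name, impacts)
```

In the sample, order_entry has a 4-hour RTO but depends on payments, whose RTO is 24 hours, so the conflict check reports that pair; either the payments RTO must shrink or a manual workaround (such as the paper forms above) must cover the gap.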
3. Strategy and Plan Development
https://www.fema.gov/media-library/assets/documents/89526
Strategy and Plan Development

This phase includes:
• Obtaining executive sign-off of the Business Impact Analysis
• Synthesizing the Risk Assessment and BIA findings to create an actionable and thorough plan
• Developing department, division and site level plans
• Reviewing the plan with key stakeholders to finalize and distribute
4. Implementation
https://www.fema.gov/media-library/assets/documents/89526
Implementation
This phase centers on:
• Distributing the plan to all key stakeholders
• Conducting training sessions to help ensure employees are
comfortable with the steps outlined in the plan

5. Rehearse, Maintain and Review
https://www.fema.gov/media-library/assets/documents/89526
Rehearse, maintain and review

The final critical element of a BCP is ensuring that it is tested and maintained on a regular basis. This includes:
• Conducting periodic tabletop and simulation exercises to ensure key stakeholders are comfortable with the plan steps
• Executing bi-annual plan reviews
• Performing annual Business Impact Assessments
Rehearse, maintain and review cont'd

• A business continuity plan needs to be tested and updated as your business and the wider business environment changes.
• By testing your plan regularly, you can evaluate how reliable it is likely to be if you have to respond to an incident or crisis. You can use a variety of strategies to test your business continuity plan, including drills, training and scenario testing.
Developing a recovery plan

A recovery plan will help you respond effectively if an incident or crisis affects your business. It aims to shorten your recovery time and minimize losses.

Your recovery plan contains information relating to planning for recovery as well as the resumption of critical business activities after a crisis has occurred. It also outlines the time frame in which you can realistically expect to resume usual business operations.

Developing a recovery plan gives you a chance to consider how you will get your business back on track if you do experience a crisis. It should include:
• strategies to recover your business activities in the quickest possible time
• a description of key resources, equipment and staff required to recover your operations
• your recovery time objectives
• a checklist you can use after a crisis has passed and it is safe to return to your premises.

In developing a recovery plan:
A | Review your time frame for recovery
B | Develop recovery strategies
C | Monitor the recovery process using a checklist

A | Review your time frame for recovery

• A recovery time frame covers the time from when an incident or crisis happens to the time
your business can resume usual operations
• Critical activities are those that your business couldn't operate without. Think about how
long your business could cope (even without serious financial losses), if your key services,
resources and staff were affected by a crisis and you were unable to conduct these
activities. Then think about how you would get them back on track if something did
happen, and how long it would take.
• You should assign a recovery time objective to each of your critical business activities
• This will help you prioritize your business activities so you can work out what will need
attention first if a crisis does happen
• Your recovery plan is part of your business continuity plan that outlines practical strategies
to help you manage and recover from a crisis. A business continuity plan also includes
your risk management plan, business impact analysis and incident response plan.
B | Develop recovery strategies

• You can develop and implement strategies that will help your business recover from an
incident or crisis. Your recovery strategies should demonstrate a clear understanding of
your business's recovery objectives and reflect what the business needs to continue
operating. Prioritize critical business functions and record a recovery time for each. This
process will highlight the actions you should list in your recovery plan.
The following are some strategies to consider when developing a recovery plan for your business.
• Designate a recovery team
• Review your emergency kit and contact lists
• Maintain external communications
• Identify alternative suppliers, facilities and equipment
• Keep your business operating

Designate a recovery team

• Nominate staff to be part of a recovery team, assign backups and ensure that all are aware of their
roles and functions in the recovery process. Your recovery team could be similar to your incident
response team.
• Ensure that more than 1 person knows how to do a certain task and you don't risk losing essential
skills or knowledge if something happens to one of your staff members.
• Make sure your team can use manual processes in case your equipment or machinery is damaged.
• If you deal with hazardous materials, special equipment, or in risky environments, you may need to
provide training for your staff so they can do their jobs safely and respond after an incident. This will
help you reduce the impact a crisis may have on your business and help you recover quicker.
Review your emergency kit and contact lists

• As part of your incident response plan you should have developed an emergency
kit that includes key documents that will be essential for recovery. Make sure the
emergency kit is stored safely off site in case your premises are unreachable in a crisis.
• Put together contact lists of all people who may be affected by a crisis, including staff,
key customers and suppliers and your insurance company. You may need to let your
customers and suppliers know of alternative methods of contacting you or placing
orders and what to expect from your business in the event of a lengthy outage.
• Record contact details of people who can fix your equipment, machinery and systems
if they are damaged.
Maintain external communications

• Keep the lines of communication open with your customers, suppliers and other
stakeholders such as business partners. Make sure that you have contact lists of all people
who may be affected by the incident. Effective and timely communication will create and
build the perception that your business is under control, that you know and understand
what is happening, and that the situation will be resolved.
Identify alternative suppliers, facilities and equipment

• Develop relationships with more than 1 supplier, so that if one is affected by an incident your
business can continue as usual.
• Establish a disaster recovery location where you and your staff can work off site, if necessary, and
will be able to access critical backup systems, records and supplies. This may be a room or space at
another business location or at a hotel or home.
• Determine which assets (including documents) are essential for recovery and therefore require
protection.
• Be prepared for the possibility of broken or damaged equipment, machinery and systems. Know
who can fix them and have their contact details at hand. Consider renting or borrowing equipment
if possible. Find out who you can rent or borrow equipment from if yours is damaged or
unreachable.
• Factor in disruptions to electricity, gas, water, sewerage and telecommunications systems. Work
out what backup systems or alternatives are available.
Keep your business operating

• Be prepared for cash flow emergencies. Keep enough cash on hand to handle
immediate needs and consider setting up internet banking services.
• Assess your processes to work out if you can reduce your operating costs.
• Assess the impact of the crisis on your business and consider a range of business
strategies to keep your business operating.
• Consider doing business online as this may allow you to operate even if your premises
are damaged.
C | Monitor the recovery process using a checklist

• Once a crisis has passed and it is safe to return to your premises, there are a number of
steps that you need to take. As part of your recovery plan you should develop a checklist to
use as you assess the extent of the damage after a crisis and monitor the recovery process.
Cybersecurity for your business

Protecting your business from cybercrime
• Read recommendations from the Queensland Police Service about preventing cybercrime.
• Register for the Australian Government's Stay Smart Online alert service to stay updated on cybersecurity threats.
• Read the Australian Taxation Office's top cybersecurity tips for business and complete the online security self-assessment.
• Download the cybersecurity best practice guide from the Australian Small Business and Family Enterprise Ombudsman.
• Apply for a grant to access cybersecurity testing through the Cyber Security Small Business Program.
• Read more about protecting IT data and systems.
• Learn about information technology risk management.
• Find out how to avoid business scams.

Reporting cybercrime
• You can report suspected cybersecurity threats to your business
Information technology (IT) risk management

• IT risks include hardware and software failure, human error, spam, viruses and malicious attacks, as well as natural disasters such as fires, cyclones or floods.
• You can manage IT risks by completing a business risk assessment. Having a business continuity plan can help your business recover from an IT incident.

What is an information technology risk?
If your business relies on information technology (IT) systems such as computers and networks for key business activities you need to be aware of the range and nature of risks to those systems.
• General IT threats
• Criminal IT threats
• Natural disasters and IT systems
Information technology risk
General IT threats
General threats to IT systems and data include:
• hardware and software failure - such as power loss or data corruption
• malware - malicious software designed to disrupt computer operation
• viruses - computer code that can copy itself and spread from one computer to another, often
disrupting computer operations
• spam, scams and phishing - unsolicited email that seeks to fool people into revealing
personal details or buying fraudulent goods
• human error - incorrect data processing, careless data disposal, or accidental opening of
infected email attachments.
Information technology risk
Criminal IT threats
Specific or targeted criminal threats to IT systems and data include:
• hackers - people who illegally break into computer systems
• fraud - using a computer to alter data for illegal benefit
• password theft - often a target for malicious hackers
• denial-of-service - online attacks that prevent website access for authorised users
• security breaches - includes physical break-ins as well as online intrusion
• staff dishonesty - theft of data or sensitive information, such as customer details.
Information technology risk
Natural disasters and IT systems
• Natural disasters such as fire, cyclone and floods also present risks to IT
systems, data and infrastructure. Damage to buildings and computer
hardware can result in loss or corruption of customer records/transactions.
Managing information technology risks
Managing information technology (IT) risks is a structured process that
involves a series of activities designed to:

• identify risks
• assess risks
• mitigate risks
• develop response plans
• review risk management procedures
Legal requirements

• As a first step in managing IT risks, you should be aware of the legal and
legislative requirements for business owners (Privacy Laws, RA 10173 –
Data Privacy Act of 2012 – DICT)

IT risk assessment

• An effective IT risk assessment identifies serious risks, based on the probability that the risk will occur, and the costs of business impacts and recovery.
Managing information technology risks

Business continuity planning

• Having identified risks and likely business impacts, the development of a business continuity
plan can help your business survive and recover from an IT crisis. A business continuity plan
identifies critical business activities, risks, response plans and recovery procedures.

IT risk management policies and procedures

• IT policies and procedures explain to staff, contractors and customers the importance of
managing IT risks and may form part of your risk management and business continuity plans.
• Security policies and procedures can assist your staff training on issues such as:
  o safe email use
  o setting out processes for common tasks
  o managing changes to IT systems
  o responses to IT incidents.
• A code of conduct can provide staff and customers with clear direction and define acceptable
behaviors in relation to key IT issues, such as protection of privacy and ethical conduct.

Managing information technology risks

Threats and risks to information technology (IT) systems and data are an everyday reality for most modern businesses. You should put in place measures to protect your systems and data against theft and hackers.

Reducing information technology risks

Practical steps to improve IT security
• secure computers, servers and wireless networks
• use anti-virus and anti-spyware protection, and firewalls
• regularly update software to the latest versions
• use data backups that include off-site or remote storage
• secure your passwords
• train staff in IT policies and procedures
• understand legal obligations for online business.
Create a secure online presence
• If your business has an online presence, you should assess the security of your website, email accounts, online banking accounts and social media profiles.
• For example, secure socket layer (SSL) technology is used to encrypt transaction data and to send customer and card details to the acquiring bank for authorization. You should ensure any web hosting solution you consider is capable of supporting the SSL protocol (in practice its successor, TLS, which is what current hosts and browsers negotiate).
Induction and IT training for staff
Training new and existing staff in your IT policies, procedures and codes of conduct is an important component of IT risk management strategies. Training can cover key business processes and policies, such as:
• safe handling of infected email
• protecting the privacy of customer details
• priority actions in the event of an online security breach.
Business insurance
• It is impossible for a business to prevent or avoid all IT risks and threats. This makes business insurance an essential part of IT risk management and recovery planning. You should regularly review and update your insurance, especially in light of new or emerging IT risks, such as the increasing use of personal mobile devices for workplace activities.
Responding to an information technology incident

• How you respond to information technology (IT) incidents determines how well your business recovers, and also influences customers' ideas about your reliability.

Your IT risk management plan and business continuity plan should include:
• IT incident response plans
• emergency response plans
• recovery plans.
IT incident response plans

IT incident response plans identify principal IT risks and the steps you need to take to mitigate effects or damage. They may include details of key staff who need to be notified, priority actions, communication plans, contact lists and an event log to record actions taken.
Emergency response plans

• IT incidents may be the result of a wider crisis, such as an explosion, bushfire or flood. In any emergency situation the safety of staff and members of the public is your first priority. An IT incident response plan should integrate with and support emergency response plans.
IT incident recovery plans

• A recovery plan will help you respond effectively if an IT incident or crisis affects your business. A recovery plan can shorten recovery times and minimize losses, and should include:
  o strategies to recover your business activities in the quickest possible time
  o a description of key resources, equipment and staff required to recover your operations
  o your recovery time objectives.
4. Protecting IT and Data System
Protecting IT and Data System
 Online security is vital to protect your company's virtual assets (electronic data) and IT
systems.
 Data protection and a secure online presence will build your customers' trust and help
you meet legal obligations, such as privacy laws.
 IT data and systems are at risk of hacking, malware, viruses, spam and online scams
that may corrupt your hardware or allow criminals to steal private data.

1. Security threats to IT data and systems

Businesses face many external and internal digital threats that can corrupt hardware and compromise data. Your private data and intellectual property could be used in e-crimes or fraud. This includes:
• Malware, viruses, spam and cookies
• Online scams, phishing and pharmers
• Hackers, cybercrime and information/IP theft

2. Securing computers, servers and wireless networks

Proper online security can protect your business from internal threats, such as staff who open email attachments infected with viruses, and external threats, such as hackers who steal information and commit other cybercrimes.
Securing computers, servers and wireless networks
Steps to guard against internal threats to IT systems:
• Allow only authorized staff to access IT data and systems.
• Put IT policies and procedures in place.
• Be careful about employees connecting portable devices to work systems.
• Be alert for spam claiming to be from 'trusted' email senders - for example, banks do not do business by email.
• Think before opening attachments or sharing information to ensure data protection.
• Store data carefully - choose who has access to it and decide what devices you allow staff to connect to your network.
• Password protect your website so that only authenticated users can access the site.
Securing computers, servers and wireless networks
Steps to guard against external threats to IT systems:
• Install anti-virus and anti-spyware software, including spam filters, and ensure they are turned on and updated regularly.
• Enable wireless or wi-fi network security and change the default password immediately because most default passwords are well-known to hackers.
• Install a software firewall, normally included in IT security bundles or operating systems.
• Choose strong passwords involving a combination of numbers and upper and lower-case letters. Change passwords regularly.
• Back up data regularly and store copies of backups off site.
3. Policies and procedures for protecting IT data and systems

Business owners have legal obligations to secure data and protect the privacy of their customers' information. To safeguard your online customers, you need policies that comply with the laws on privacy, spam and electronic transfers. Policies can cover:
• privacy of customer data
• code of conduct
• business procedures.
Electronic transaction laws
Legally there is no difference between electronic financial transactions and cash transactions, and your online security must comply with national and state laws.

Procedures for using IT systems
You must have defined procedures about using and accessing IT data and systems, backing up data and data protection. Such procedures define how employees and contractors behave. For example, IT procedures could instruct staff to always delete spam without opening attachments, which can contain viruses.

IT risk management and business continuity planning
You need to identify risks to your IT data and systems and put in place measures, such as SSL certificates, firewalls, passwords and anti-virus software, to protect you and your customers. A risk management plan can help you identify and manage risks to IT data and systems.
5. Managing Risk in Supply Chains

• A supply chain consists of the different activities that transform natural resources, raw materials and components into a finished product that is delivered to the end customer.
• When one business within the supply chain fails to deliver their product or service to the next business in the chain, the entire supply chain can be disrupted.
• A business with a resilient and responsive supply chain will have a significant competitive advantage over other businesses.
1. Identifying supply chain risks
You can limit the impact of supply chain disruptions on your business by identifying the risks within your supply chain and developing ways to mitigate them. You should document this process in a risk management plan, which is part of your overall business continuity plan.

There are 2 main types of risk to include in your risk management plan:
1. external risks - those that are outside of your control
2. internal risks - those that are within your control.
External supply chain risks
External risks can be driven by events either upstream or downstream in the supply chain. There are 5 main types of external risks:
• demand risks - caused by unpredictable or misunderstood customer or end-customer demand
• supply risks - caused by any interruptions to the flow of product, whether raw material or parts, within your supply chain
• environmental risks - from outside the supply chain; usually related to economic, social, governmental, and climate factors, including the threat of terrorism
• business risks - caused by factors such as a supplier's financial or management stability, or purchase and sale of supplier companies
• physical plant risks - caused by the condition of a supplier's physical facility and regulatory compliance.
Internal supply chain risks
Internal risks provide better opportunities for mitigation because they are within your business's control.
• manufacturing risks - caused by disruptions of internal operations or processes
• business risks - caused by changes in key personnel, management, reporting structures or business processes, such as the way purchasers communicate to suppliers and customers
• planning and control risks - caused by inadequate assessment and planning, which amount to ineffective management
• mitigation and contingency risks - caused by not putting contingencies (or alternative solutions) in place in case something goes wrong
• cultural risks - caused by a business's cultural tendency to hide or delay negative information. Such businesses are generally slower to react when impacted by unexpected events.
2
Preparing for supply chain disruptions

92
Preparing for supply chain disruptions
• The best way to manage a supply chain disruption is to prepare for it. You should
undertake a business impact analysis to prepare your business to address the
impacts of supply chain disruption.
• A business impact analysis identifies your key business processes, and the
activities and resources you need to operate your business. It assesses how these
key elements will be affected by supply chain interruptions highlighted in
your risk management plan.
• The degree of impact on your business will depend on the severity and length of
the disruption, but most disruptions will have a financial effect.
• Disruptions can be internal, such as a breakdown of vital machinery, or external,
such as interruptions to the flow of raw materials or parts to your business. The
business impact analysis allows you to measure how supply chain disruptions
may affect business activities, including financial management.

93
Preparing for supply chain disruptions
For example, if vital machinery breaks down and disrupts production, the
impacts on various business activities could include:
• inventory management of raw materials and finished goods
• supplier relations
• ordering and purchasing
• staffing
• sales and revenue
• marketing aspects including customer relations and business reputation
• financial management.
By identifying the key business activities affected by disruptions to your
supply chain, you can prioritise your efforts to focus on those activities that
would have the most impact on your bottom line.
94
3
Responding to supply chain disruptions

95
Responding to supply chain disruptions
Although prevention and being prepared go a long way toward ensuring supply chain
continuity, disruptions can still occur. Creating an incident response plan will allow you to
effectively manage your business's immediate response if your supply chain is disrupted.
It's critical to have a plan in place to deal with supply chain interruptions if and when they
occur. In general, the longer it takes to restore supply, the greater the costs to your business.
These costs can include:
• interrupted stream of revenue
• lost revenue from customers switching to competitors
• overall customer dissatisfaction
• damaged business reputation
• penalty payments for contractual non-performance clauses.

96
Responding to supply chain disruptions
As well as reducing the potential costs to your business, an incident response plan also has
several other benefits:
• It gives you a better understanding of your supply chain processes.
• It provides a course of action when a supply interruption occurs.
• It allows any knowledgeable person in your business to take immediate action to restore
supply if key staff are unavailable.
Your incident response plan should:
• identify actions for shortening the duration of a disruption, thereby minimising its impact
on your business
• identify resources - human, financial and material - that will be required to carry out these
activities
• indicate what triggers will implement the plan (e.g. once stock decreases to a certain level
you will implement the plan).
97
6
Keeping Your Workplace Safe

98
Keeping Your Workplace Safe
 As an employer, you are legally obligated to provide a safe workplace for yourself, your
workers, customers, and other people such as members of the public and visitors. This
is a requirement under the Work Health & Safety Act 2011.
(https://www.worksafe.qld.gov.au/laws-and-compliance/workplace-health-and-safety-laws/laws-and-legislation/work-health-and-safety-act-2011)
 Work health and safety obligations apply to everyone involved in a business. Ensure you
meet your obligations by familiarising yourself with the laws and following them.

99
1
Workplace incidents

100
Workplace incidents
 Preparing for workplace incidents
 Preparing for emergency situations
 Reporting and recording workplace incidents
 Investigating workplace incidents
 Resolving and recovering from workplace incidents

101
2
Work health and safety risk management

102
Work health and safety risk management
 All businesses, regardless of their structure or size, must have a work health and safety risk
assessment that is current and meets their legal obligations.
 A strong risk management plan, as part of a larger business continuity plan, will improve
your business resilience and help you recover from incidents.

104
Work health and safety risk management
Risks and hazards
A hazard is something with the potential to cause harm. A risk is the likelihood that the harm will occur from
exposure to the hazard.
Workplace hazards involving the risks of illness or injury may include:
• chemicals and substances hazards - such as hazardous substances and dangerous goods, asbestos, lead and waste management
• biological hazards and infectious diseases - such as Legionella and Hendra virus
• physical hazards - such as equipment, confined spaces, electrical hazards and working at heights
• manual tasks hazards - such as the use of the human body to perform any kind of manual task
• environmental hazards - such as noise, lighting, surrounding environment (including uneven floor surfaces, etc.), cold, dust and heat stress
• psychosocial hazards - such as fatigue, work-related stress, workplace harassment and occupational violence.

105
Work health and safety risk management
Risk management legislation
Under the How to manage work health and safety risks code of practice 2011, to properly manage
exposure to risks you must:
1. look for the hazards
2. determine who might be harmed and how
3. decide on control measures
4. put controls in place
5. review the controls.

106
Work health and safety risk management
Risk management legislation (cont)
Control measures should be implemented in the following order:
1. Get rid of the harm or prevent the risk.
2. If this is not possible:
• replace it with something less harmful
• separate people from the harm
• change work processes or the physical work environment (e.g. by redesigning work, plant, equipment, components or premises)
• apply administrative arrangements (e.g. limit entry or time spent in a hazardous area)
• use personal protective equipment.

107
3
Managing work health and safety in your
business

108
Managing work health and safety in your business
Build business resilience
▷ Improve how you will deal with workplace incidents by developing a business continuity plan and conducting
a comprehensive analysis of how your business could be affected by various possible incidents.
▷ If your business does suffer from a major incident, having a business continuity plan could help you
continue to operate and avoid having to close.
▷ A business continuity plan includes a risk management plan, a business impact analysis, an incident
response plan and a recovery plan.
▷ Use our business continuity plan template.

109
Managing work health and safety in your business
Improve your safety performance through safety leadership
The Safety Leadership at Work Program is designed to improve safety culture and contribute to reducing work
related injuries and fatalities in Queensland workplaces. Join the program for free and learn how to influence
and build a positive safety culture through:
• webinars, forums and safety leadership events (receive special membership rates)
• films, benchmarking tools and case studies
• updates on leading industry practices
• direct access to business leaders to apply their learnings directly to your own business
• networking opportunities to explore solutions to common issues and influence your industry's safety culture.

110
MANAGING WORK HEALTH AND SAFETY IN YOUR BUSINESS
Access Workplace Health and Safety Queensland's resources

You may be eligible for a Workplace Health and Safety Queensland (WHSQ) small business advisor to visit your
workplace and assess your situation. They can give you advice on your safety management system and provide
information on solutions available to fix health and safety issues. Find out if you're eligible and arrange
a workplace consultation for your business.

111
7
Avoiding Business Scams

112
Avoiding Business Scams
If your business is scammed or defrauded, you could lose money and suffer other consequences, such as
damage to your reputation.

Many businesses become victims of scams and fraud each year.

To protect your business, it is important that you can recognise common scams and know how to report them.

113
1
Scams and fraud

114
Scams and fraud

Consumers - common scams:
• online shopping scams
• classifieds scams
• mobile phone plans
• identity theft scams
• reclaim scams.
Consumers - personalised scams that pose as opportunities:
• door-to-door scams
• pyramid scheme scams
• dating and romance scams
• charity scams.
Businesses:
• false billing
• malware and ransomware
• unexpected prize and lottery scams
• overpayment scams
• phishing scams
• travel prize scams
• inheritance scams
• investment scams
• Nigerian scams
• health and medical scams
• betting and sports investment schemes
• remote access scams.

115
2
Protect yourself against scams

116
Protect yourself against scams
• To protect your bank account:
• never give money, credit card details or online account details to anyone you don’t know and trust
• keep your receipts
• check your bank account and credit card statements
• report any unexplained transactions to your bank
• keep your bank cards safe
• make sure nobody else knows your PIN.

117
Protect yourself against scams
• To protect yourself online:
• always check that you’re on a secure (HTTPS) website before making a payment; the padlock only means the
connection is encrypted, not that the site is genuine, so check the address as well
• make sure that any website you visit to make transactions (such as your bank or online shopping provider)
has the correct website address in the address bar, including the correct domain ending (such as ‘.com.au’)
• never click on any links or open any attached files in a spam email
• always keep strict privacy settings on social networking sites
• don’t respond to text messages or missed calls that come from numbers you don’t recognise.
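The two address-bar checks above can be turned into a small script. The Python below is an added example, not part of the original slides: it requires HTTPS and compares the host in a URL with the domain you expect, so look-alike hosts such as a bank's name followed by someone else's domain are rejected. Every domain name and URL in it is a constructed sample, not a real site.

```python
# Added example, not from the original slides: before entering payment or login
# details, confirm the address bar really shows the site you expect. This check
# requires HTTPS and compares the host against an expected domain so that
# look-alike hosts are rejected. All domain names below are constructed samples.
from urllib.parse import urlsplit


def check_payment_url(url: str, expected_host: str) -> tuple:
    """Return (ok, reason). ok is True only when `url` is HTTPS and its host is
    `expected_host` itself or a subdomain of it (e.g. www.mybank.com.au)."""
    parts = urlsplit(url.strip())
    expected = expected_host.lower().rstrip(".")

    if parts.scheme.lower() != "https":
        return False, "not HTTPS: the connection is not encrypted"

    # urlsplit separates 'user@host'; a URL such as https://mybank.com.au@evil.example/
    # shows the bank's name but actually connects to evil.example.
    if parts.username is not None:
        return False, "username before the host: the real host is " + repr(parts.hostname)

    host = (parts.hostname or "").rstrip(".")   # .hostname is already lower-cased, port removed
    if not host:
        return False, "no host in URL"

    # Internationalised labels can use characters that look like Latin letters
    # (homograph look-alikes); flag them for a manual check rather than guessing.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return False, "internationalised host name; could be a look-alike"

    # Exact match or a genuine subdomain. This rejects 'mybank.com.au.evil.example'
    # (the expected domain is a prefix, not the suffix) and 'mybank-com-au.net'.
    if host == expected or host.endswith("." + expected):
        return True, "host matches " + expected

    return False, "host " + repr(host) + " is not " + expected


SAMPLE_URLS = [  # constructed samples, not real sites
    "https://www.mybank.com.au/login",
    "http://mybank.com.au/login",
    "https://mybank.com.au.evil.example/login",
    "https://mybank.com.au@evil.example/login",
    "https://mybank-com-au.net/login",
    "https://xn--mybnk-6ve.com.au/login",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        ok, why = check_payment_url(u, "mybank.com.au")
        print(("OK  " if ok else "BAD ") + u + "  -> " + why)
```

Only the first sample passes. The check is deliberately strict: it does not try to decide whether an unfamiliar domain is "probably fine", because that is exactly the judgement a scam page is designed to exploit. Note that it says nothing about the certificate; a fraudulent site can have a valid HTTPS certificate for its own domain, which is why the host comparison, not the padlock, is the check that matters.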

118
Protect yourself against scams
• To protect yourself while shopping:
• don’t pay any invoice unless the goods or services were both ordered and delivered
• if someone comes to your door
• you should check their identification
• you do not have to let them in
• they must leave if you ask them
• read and understand all of the terms and conditions before signing anything
• for major purchases, take the contract away with you overnight
• make sure you know how to stop any subscription service you sign up to
• always get independent advice if an offer requires a lot of your money or time.

119
