What is a business continuity plan and why does it need to be tested?

A business continuity plan documents how an organisation will maintain or resume critical operations following a disruptive event. Testing is essential because a plan that has not been exercised against a realistic scenario will contain gaps that are only discovered during an actual disruption. Tabletop exercises, where key staff walk through the plan against a simulated emergency, are the minimum acceptable form of testing for organisations in high-risk geographies.

How should Caribbean businesses manage hurricane risk?

Hurricane risk management for Caribbean businesses requires: an annual review of business continuity plans with at least one tabletop exercise; annual insurance coverage review with verified replacement values; supply chain concentration assessment with at least one pre-qualified alternative for critical inputs; verified data backup recovery times; and critical process documentation sufficient to operate without reliance on any single key individual.

What is supply chain concentration risk?

Supply chain concentration risk is the exposure created when an organisation sources critical materials, components, or services from a single supplier or a small number of suppliers in the same geography. A disruptive event affecting that supplier or geography eliminates supply with no immediate alternative. The risk is managed by identifying alternative suppliers, qualifying them before they are needed, and documenting the qualification so procurement decisions under pressure have a reference point.

After Hurricane Melissa: What the Storm Revealed About Business Resilience

Q: What is the Caribbean Catastrophe Risk Insurance Facility (CCRIF)?

The Caribbean Catastrophe Risk Insurance Facility is a risk-pooling mechanism established by CARICOM member states that provides parametric insurance coverage against natural hazard events, including hurricanes and earthquakes. It pays out based on the modelled impact of an event rather than requiring loss assessment, which speeds the delivery of recovery capital to member governments.

By Salihah Budall, MSc., CFS, CRMP, CSSYB

Hurricane storm damage and business recovery

Two weeks after Hurricane Melissa made landfall in October 2024, the visible damage to infrastructure and property was being assessed and photographed. The less visible damage - the businesses that would not reopen in three months, the supply chains that would take six months to stabilise, and the firms that would discover their insurance coverage was materially inadequate - was already in motion but would not become fully apparent until the emergency response phase ended and the recovery phase began.

The businesses that came through the storm with their operations substantially intact shared characteristics that had nothing to do with luck and everything to do with decisions made, or not made, in the years before the storm arrived. The correlation between pre-storm risk governance and post-storm recovery outcomes is not a hypothesis. It is the documented pattern from every major hurricane event in the Caribbean over the past twenty years.

What Risk Management Did Not Prevent (and Was Never Supposed To)

Risk management cannot stop a Category 4 hurricane from hitting a coastal economy. This needs to be stated clearly because the failure to separate what risk management does from what it cannot do creates a version of the discipline that is either oversold or dismissed. Risk management for natural hazards is not about prevention. It is about reducing exposure before the event, increasing the speed of recovery during and after it, and ensuring that the organisation learns something from each event that improves its preparedness for the next one.

On this measure, many of the businesses that struggled most in the aftermath of Melissa had managed risk poorly for years. They had not, in most cases, been negligent or cavalier. They had prioritised operational demands over risk governance activities, which is a rational short-term trade-off that compounds into strategic fragility over time. The storm made the bill due.

The Five Gaps Melissa Exposed

1. Business Continuity Plans That Had Never Been Tested

A plan that exists on a server and has not been exercised in eighteen months is not a functioning continuity plan. It is a document. The difference between the two is enormous. Organisations that had conducted tabletop exercises in the twelve months before Melissa, where key staff walked through the plan against a simulated scenario and identified gaps, knew which parts of their recovery process worked before the storm told them. Organisations without this practice discovered their plan's failures at the worst possible time.

2. Insurance Policies That Had Not Been Reviewed Since Issuance

A common finding in post-hurricane loss assessments across the Caribbean is that insured values have not kept pace with asset replacement costs, because the policyholder has not reviewed coverage terms annually as the business grew and asset values changed. A business that insured its premises for J$12 million five years ago, and has since added equipment and infrastructure that raises the replacement cost to J$19 million, has a coverage gap of J$7 million that it will discover for the first time when it submits a claim.

3. Critical Process Documentation That Existed Only in People's Heads

Businesses where continuity depends on institutional knowledge held by one or two key staff face an acute vulnerability in a disaster scenario: those key staff may be injured, unable to travel, dealing with their own property damage, or simply overwhelmed. The organisations that resumed operations fastest after Melissa were those that had documented their critical processes sufficiently that a different, less familiar staff member could execute them.

4. Supply Chains Assessed Only for Cost, Not for Concentration

Caribbean businesses routinely source critical materials or components from a single regional distributor, because consolidation reduces procurement costs and simplifies logistics. This concentration is a risk that is invisible during normal operations and acutely visible when a storm disrupts port access, road infrastructure, or the supplier's own operating capacity simultaneously across the region. Businesses that had assessed their supply chains for concentration risk and had at least one pre-qualified alternative supplier were placing orders within days. Businesses that had not were making cold calls to suppliers they had never qualified, under time pressure, from a negotiating position of zero leverage.

5. Data Backup and Recovery Arrangements That Had Not Been Tested

Cloud backup is not synonymous with tested recovery. An organisation that has not confirmed it can restore its critical systems from backup, and measured how long that restoration actually takes, does not know its recovery time. It knows its intended recovery time, which is different. The businesses that suffered the longest operational disruptions after Melissa were frequently those whose IT recovery assumptions, formed during normal conditions, did not survive contact with an actual recovery scenario.

"A hurricane does not create business risk. It reveals risk that was already there. Every organisation in the Caribbean should treat a major storm event as a system test for risk management quality, regardless of whether that particular storm affected them directly."

- Salihah Budall, MSc., CFS, CRMP, CSSYB

The Risk Management Actions That Produced Recovery Advantage

The businesses that recovered fastest from Melissa had not done everything right. No organisation does. They had done several specific things that created material advantages in the recovery phase. They had documented and tested their business continuity plans within the previous twelve months. They had reviewed their insurance coverage with a broker in the previous eighteen months and adjusted limits where necessary. They had identified at least one secondary supplier for their two or three most critical inputs. They had verified their data backup recovery times at least once in the previous year.

These are not sophisticated risk management activities. They are basic, disciplined risk governance practices that require calendar time and management attention. The barrier to having them in place is not technical. It is the same barrier that prevents most organisations from building adequate risk management capability generally: the activities feel low priority until the moment they become urgent, and by the time they feel urgent, it is too late to do them properly.

Climate Risk as a Permanent Feature of Caribbean Business Planning

The frequency and intensity of Atlantic hurricane activity has increased over the past two decades, a pattern that climate scientists attribute to sea surface temperature changes in the Caribbean and Gulf of Mexico. The Caribbean Catastrophe Risk Insurance Facility, a regional risk-pooling mechanism established by CARICOM member states, reported that the 2024 Atlantic season produced a cluster of named storms in September and October that was statistically unusual even against the elevated recent baseline.

For Caribbean businesses, this means that hurricane risk is not a periodic disruption to plan around. It is a permanent and intensifying feature of the operating environment that belongs at the top of every risk register, with treatment plans that are reviewed annually and tested regularly. Organisations that continue to treat hurricane preparedness as a reactive activity, dusting off their continuity plans in August and reviewing insurance in October, are managing a climate reality that has already moved beyond the level of risk that seasonal attention can adequately address.

"The Caribbean is not uniquely vulnerable because it is small. It is uniquely positioned to build resilience because it has been practicing adaptation under constraint for generations. The question is whether that cultural capacity for improvisation gets formalised into risk management practice before the next storm, or whether we wait to demonstrate it again after."

- Salihah Budall, MSc., CFS, CRMP, CSSYB

Practical Steps You Can Take This Week

Step 1: Schedule a tabletop exercise of your business continuity plan within the next 60 days. Walk key staff through a simulated disruption scenario and document every gap you find.

Step 2: Review your insurance coverage this month. Confirm that insured values match current replacement costs, not the values from when the policy was first issued.

Step 3: Identify your three most critical suppliers. For each one, research and pre-qualify at least one alternative supplier before you need them under emergency conditions.

Step 4: Verify your data backup recovery. Run an actual test restore of your critical systems and measure how long it takes. Compare this to your assumed recovery time.

Step 5: Document your top 5 critical business processes in enough detail that someone other than the usual operator could execute them. Address key-person dependency now.

Step 6: Create a communication tree: who contacts whom, in what order, through which channels, when a disruption occurs. Test it once.

Step 7: Review your supply chain for geographic concentration. If your critical inputs all come through the same port or the same regional corridor, that is a single point of failure.

Step 8: Set a calendar reminder for an annual hurricane preparedness review in June, before the Atlantic season begins. Do not wait until a storm is forecast.

Build Your Financial Resilience

Understanding your credit health is part of building resilience. Try Credit Garden's World Credit Score Calculator.

Calculate My World Credit Score