Skip to Content Skip to Footer
How to Plan for Disaster in the Middle Market

How to Plan for Disaster in the Middle Market

Zach Brooke

middle market risk main

After 2017’s long string of natural disasters, middle market businesses need to ask themselves how susceptible they are to destruction. They cannot, however, limit themselves to floods and wildfires

Running a business is a stressful job in the best of times. When disaster strikes, the fallout can be enough to compel unprepared executives to close up shop. It’s easy to become complacent regarding risk exposure when operations are running without interruption. However, a new report from the National Center for the Middle Market shows that in the past two years, half of all middle market businesses experienced some sort of disruption—an unforeseen event outside the normal course of business that damages a company’s health.

Disaster is a straightforward word that signifies large-scale losses. Yet its association with catastrophic physical events can obscure other types of risks that middle market companies can incur. For clarity, the NCMM report breaks down threats facing middle market businesses into three distinct categories.

Operational Disruption


These are the incidents that wreak havoc on entire communities and show up on the nightly news. Think hurricanes in the Gulf Coast, or earthquakes and wildfires in the West. These forces of nature are unpreventable but predictable and therefore mitigated by readiness. Operational disruptions also include a class of less dramatic, human-led crises such as port closures or labor strikes.

Perhaps because they are the risks that property owners and managers are most keenly aware of, operational disruptions are the least impactful over the long term. They also tend to occur with regularity, giving operation managers experience in preparedness and crisis management. Business readiness is reflected in reported data. Operational disruptions are the second-most frequent of the three—21% of middle market companies report experiencing a disruption of this type within the last few years—but they leave a lower revenue impact and have the highest rate of full recovery.

Digital Disruption

A distinctly 21st-century risk, digital disruption encompasses data breaches and other cybersecurity threats. These disruptions are often targeted at specific entities, such as the city of Atlanta, which had its municipal operations held hostage for $50,000 in bitcoin in March. But digital disruptions can also be widely cast, as was the case with the far-reaching WannaCry ransomware attack in 2017. Digital disruption is the least frequent category of disaster, affecting 17% of respondents. However, the report notes that digital disruptions are likely significantly underreported, as companies take an average of 200 days to discover their computer systems have been comprised. Digital disruptions are estimated to sap 11.7% of revenue on average. Sixty percent of affected respondents report complete recovery.

Middle market businesses might be particularly vulnerable to digital attacks precisely because they believe they are too small to be a tempting target. “A lot of smaller businesses think, ‘The hackers aren’t after me. They want Target. They want Sony,’” says NCMM director Thomas Stewart. “Ransomware is a for-profit business. … [Hackers] are just trying to get a thousand bitcoin. They’ll hit anybody.”

Strategic Disruption

If the previous two categories are crises occurring at the speed of a flash, strategic disruptions occur at a glacial pace. “Strategic disruptions are slow-moving events that affect not only the business of today but the business of tomorrow,” Stewart says. “They are the things that upend the pillars of your strategy or undercut the premises of the business.”

Strategic disruption is a way to describe marketplace changes over time. Technological innovations, industry consolidation, resource abundance or scarcity and overall economic trends all present certain measures of risk that grow in challenging periods or over long stretches of in-house inertia. Retail is currently in the midst of a high-profile strategic disruption decades in the making. The same can be said of private automobile transportation companies such as taxis, car rentals and parking garages, all of which have come under enormous pressure due to the rise of Lyft and Uber. Multinational advertising and public relations firm WPP is currently dealing with an in-house strategic disruption caused by the departure of its founder. For businesses in some countries, new tariffs on steel and aluminum imposed by the U.S. represent a strategic challenge. Strategic disruption can also be self-inflicted, as was the case in the disastrous merger of Hewlett-Packard and Compaq. 

While strategic disruption does not carry the urgency of other potential disasters, it does pose the greatest threat. It’s a bit analogous to the human body: Physical trauma or viruses are acutely lethal, but chronic illness causes death in the majority of people. Strategic challenges are the most prevalent, the hardest to prevent and the most difficult to recover from. Twenty-seven percent of respondents report facing a strategic disruption in the past two years. Almost two-thirds say the effects of the disruption still hamper business, and they have not fully recovered.

Mitigating Risks

How should middle market companies prepare for these disasters? Each comes with its own subset of action items, but the uniting principle is access to money.

“In times of disruption, there is no greater importance than to have ample liquidity, for it provides the flexibility for actions that lead to recovery,” says Manuel M. Perdomo, head of international risk for SunTrust Banks.

The checklist for operational risk should include an annual assessment of natural disaster likelihood or supply chain disruption, as well as a review of all insurance and banking agreements. Backup plans for key suppliers should be drafted in case one or more vendors are taken out of commission by unforeseen circumstances. Aside from pure business concerns, make sure worker safety plans are in place to minimize injury or loss of life. Again, access to an ample supply of emergency funds will prove critical during any recovery period. 

“Natural disasters have a unique effect upon human capital. The stress that is created by anticipation (in the case of a hurricane) or by the sudden shock (earthquake, flash flood, etc.) and the aftermath brings out different reactions. Cash on hand, for example, can be used to support a stressed workforce and allow them to return to work sooner.”

Digital disruption requires the most skilled expertise. Cisco security architect Joseph Muniz says that a defense strategy for cyber vulnerabilities should be layered with different objectives before, during and after an attack.   

“Resilience is accomplished using high-availability concepts such as redundant hardware and networking,” Muniz says. “Also, denial of service technologies should be considered to avoid targeted attacks designed to interrupt service. Ultimately, digital threats change and grow rapidly, which means that executives must ensure that risk and resilience efforts remain robust and up to date.” 

Specific protection strategies include real-time threat monitoring, fully backed-up data stores, legal review of culpability in the event of a breach and a communication plan to share information with clients and vendors if a risk is detected.

As with digital disruption, successful navigation of strategic risk requires vigilance and early detection. Adam Schrock, managing director at Grant Thornton advocates for the formal adoption of enterprise risk management (ERM), a process that proactively identifies business risk. 

“In simple terms, ERM provides a top-down, holistic view of risks to effectively identify and manage threats to financial and strategic objectives,” Schrock says. “ERM seeks to move beyond the quantification of near-term potential losses to envision longer-term financial, strategic, operational and people risks. 

“ERM will effectively balance risk and growth opportunities, such as digital strategies, technology innovation, and Big Data analytics. Striking the right balance allows your organization to transform into a risk-aware culture that protects the business, improves performance and creates stakeholder value,” he says.

While shifts in business tend to be unforeseeable, one of the best ways to guard against finding oneself on the wrong side an economic tide is to conduct an annual board-level assessment of known industry changes and probable economic trends. Determine how available resources are for rapid investment should unforeseen competition emerge. Review and strengthen key relationships and succession plans, and develop capability to execute on them if called upon.

Zach Brooke is a former AMA staff writer turned freelance journalist. His work has been featured in Chicago magazine, Milwaukee Magazine, A.V. Club and VICE, among others. Follow him on Twitter @Zach_Brooke.