DSBM K4 Week 33

KŌNAE AKO 4

Seminar: Risk and Crisis Management

HE PAEMAHI KŌWHIRINGA THE ELECTIVE PROJECT

Introduction

“He taonga nui te tūpato.”1

- Māori Proverb

A risk is an uncertain event which, if it occurs, will have an effect on the achievement of your business’s objectives. Risks that have an adverse effect on your business are sometimes called ‘threats’, while risks that have a favourable effect on your business are sometimes called ‘opportunities’. In business, there is always an element of risk. Most of the risks you focus on when running a business are threats, and these risks relate to a wide range of factors – from the risk of your business being damaged by fire to the risk of losing your largest customer.

Developing and growing your business exposes you to more risk. However, while you should show caution when making business decisions, you need to remember that some risks are worth taking. Likewise, you should not avoid change just because you think it will help you avoid risk. Often doing nothing creates worse risks; failing to change may result in your business being overtaken by competitors and put at a competitive disadvantage. You always need to manage the risks your business faces, and this is even more important when you are implementing projects in your business. Risk management is the process of identifying, analysing, evaluating, and addressing risks to make sure your business achieves its objectives.2 You start by identifying a wide range of potential risks to your business. You then prioritise and evaluate these risks based on their likelihood to occur and the effect they would have on your business and business strategy. Finally you will evaluate the risks and work through the option of dealing with risks and creating a business continuity plan.

Due to the unpredictability of global events, many businesses attempt to identify potential crises before they occur to sketch out a plan to deal with them. Crisis is an unexpected event that suddenly dawns upon a business out of nowhere. A crisis can come in many different forms such as office fire, natural disaster, data breach, terror attack or even COVID-19 pandemic. These could lead to lost sales, damage to business properties, damage of business reputation or decrease in income. The stability of the business requires effective decision to be taken immediately. When and if crisis occurs, the business is able to deal it to come out of the favourable situation with rapid and effective decision. The plan that helps businesses deal with crisis situation is called crisis management plan.

This seminar has two parts. the first part will discuss risk management and the second part will discuss crisis management.

1 “Caution is highly prized.”

2 AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines is the s tandard on risk management, which provides organisations with guiding principles, a generic framework, and a process for managing risk. Standards New Zealand. (n.d.).

Contents

This seminar will cover the following topics:

Part One: Risk Management

Part A: Intellectual Property (IP) Risk

• What is Intellectual Property (IP)?

• Intellectual Property (IP) Rights

• IP Strategy

Part B: Protecting Internal Relationships

• What is an Internal Relationship?

• Employment Agreements and Restraint of Trade Clauses

• Confidentiality Agreements

• Shareholder Agreements

• Partnership Agreements

Part C: Protecting External Relationships

• What is an External Relationship?

• External Relationships Risk Management

• Contracts and External Relationships Risk

Part D: Information Technology (IT) Risk

• What is Information Technology (IT)?

• Business Continuity Planning (BCP)

• Cybersecurity

• Data Storage

• User Access

Part E Business Risk

• Evaluating Business Risks

• Business Continuity Plan

Part F: Business Insurance

• What is Business Insurance?

• Business Property and Asset Insurance

• Business Liability Insurance

• Commercial Vehicle Insurance

• Other Insurances

Part Two: Crisis Management

• Crisis Management

• Crisis Management Plan

• Steps to Make a Crisis Management Plan

• Stages to Crisis Management

Part A: Intellectual Property (IP) Risk

“Intellectual property is the oil of the 21st century.”

- Mark Getty

Intellectual property (IP) has become more and more important to businesses – even small businesses – and for many businesses it makes up a large percentage of their total value. This means that understanding IP and managing the risks associated with IP are vital skills to have.

TĪWHIRI:

This section provides an overview of intellectual property. For more information on patents, trade marks, designs, and copyright, refer to the ‘Guide to Business Law in New Zealand’ resource.

What is Intellectual Property (IP)?

There are two kinds of assets that a business can own: tangible and intangible. Tangible assets are assets that have a physical form, such as buildings, machinery, and furniture. Intangible assets, on the other hand, are nonphysical. Perhaps the most important intangible assets a business has is its intellectual property, which is often referred to by the letters ‘IP’.

DEFINITION:

Intellectual property (whakairo hinengaro): Creations and expressions of the mind.

Business Terms in Aotearoa. (2012).

IP covers a wide range of ‘creations of the mind’, such as inventions, literary and artistic works, designs, symbols, names and images, and even new varieties of plants. Although intangible, IP is still recognised as a form of property: it can be owned, sold, licensed, damaged, or infringed upon. IP is protected in law by patents, copyrights, design registrations, and trade marks, which allow people to earn credit or monetary benefit from what they invent or create while also encouraging innovation and creativity by protecting the owner’s investment.

A business’s competitive advantage is often built around its ideas, and competitors can benefit from getting access to these ideas. While very few people will actually want to steal your ideas, it does not mean that IP property risk does not exist. As your business grows, it is necessary to share ideas with other people, such as employees, investors, subcontractors, suppliers, and business associates. This can expose your business to risk. In particular, there is the risk that someone may infringe on your IP or that someone will claim that you have infringed on theirs.

You need to know how to manage your IP and the risks that go with it. If you make, use, sell, distribute, supply, import, or export a product or service that has features that give you a competitive advantage, you may face threats to your IP as well as the opportunity to benefit from IP. Entrepreneurs and small businesses cannot operate ‘under the radar’ anymore, and must consider the threats and opportunities of IP. This is especially important when operating within the global marketplace, something which is increasingly common and easy thanks to the internet.

Intellectual Property (IP) Rights

IP rights give legal recognition to the owners of inventions, brands, visual designs, original works, and new varieties of plants. These rights protect the expression of your idea in something you have made or created. By protecting your IP, you may gain a competitive advantage in the marketplace, enabling you to profit and grow your business.

DEFINITION:

Intellectual property rights (mana whakairo hinengaro): The rights that individuals and organisations have to protect expressions of the mind. Legal protection that is given to safeguard the use of components associated with intellectual property including things such as copyright law, trade marks and patents.

Business Terms in Aotearoa. (2012).

IP rights give creators exclusive rights over their brand, innovation, or expression of their idea for a certain period of time. As mentioned, this rewards the creators of IP by allowing them to profit from these ideas and by preventing others from copying or distributing those ideas without permission. It also encourages innovation by requiring people to share information about their creations and permitting the rest of society to benefit from the work. For example, a patent gives its owner the exclusive right to make, sell, or use an invention for up to 20 years. In return, the patent owner must share the details of the invention, which may enable other inventors to build on the innovation.3

Some types of IP are automatically protected by law from the moment of their creation, while others require a specific grant of rights from a government agency before they are protected by law. In addition, there are registered and unregistered forms of IP. In New Zealand, registered IP is a form of IP that has been registered with the Intellectual Property Office of New Zealand (IPONZ). Registered IP is only protected in the country it has been registered in. Unregistered IP is not registered with the IPONZ, but still offers some legal protection and can help protect secret information.

3 Ministry of Business, Innovation & Employment. (2015).

IP Registered / Unregistered Protects?

Patent Registered

Example

Inventions - products, processes, methods.

AJ Hackett’s bungy jump.

Copyright Unregistered

Trade Mark Registered or Unregistered

Design Registered

Plant Variety Rights Registered

Literary works, artistic works, computer software, industrial designs. A work with the © symbol.

Words and symbols that serve to identify different brands. A brand name or logo with the ® symbol (registered) or the ™ symbol (unregistered).

The appearance or shape of a manufactured article / product design.

A house design by an architect.

“Swanndri” for the weatherproof woollen shirt.

The shape of a car.

A new type of plant. A new kiwifruit variety.

Trade Secrets Unregistered

Products, processes, methods, information (such as a recipe or customer database). Can be protected by non-disclosure agreements (NDAs).

The recipe for CocaCola.

Web Domain and Social Media Registered or Unregistered

Your business name used in web address and on social media platform. license it through private sector

Farmers Store - www. farmers.co.nz

4 Figure created using information from: Business.govt.nz. (n.d.). Types of Intellectual Property. Retrieved 28 October, 2021 from https://www.business.govt.nz/risks-and-operations/intellectual-property-protection/types-of-intellectual-property/

A number of statutes offer protections for IP rights in New Zealand. The main five are:

1. Copyright Act 1994

2. Trade Marks Act 2002

3. Patents Act 2013

4. Designs Act 1953

5. Plant Variety Rights Act 1987

Both the Trade Marks Act 2002 and Patents Act 2013 require a Māori advisory committee to help protect mātauranga Māori (Māori knowledge). These committees can let the Commissioner of Patents, Trade Marks and Designs know if Māori interests are affected by a trade mark or patent application.

Other acts of legislation which can offer some protection include:

• Crimes Act 1961

• Fair Trading Act 1986

• Consumer Guarantees Act 1993

• Layout Designs Act 1994

For example, under the Fair Trading Act 1986, businesses cannot engage in misleading conduct. Therefore, if a business was to copy another business’s unregistered trademark in order to trick customers into going to them instead, this would be a breach of the Act.

USEFUL WEBSITES:

The Intellectual Property Office of New Zealand (IPONZ) is the Government organisation responsible for the administration of trade marks, patents, designs, and plant variety rights. It provides information about grants, and registers IP rights in New Zealand. Through this website, you can search through databases of New Zealand trade mark, design, and plant variety right registrations; apply to register or renew a patent, trade mark, design, or plant variety right; and, view forms, publications, and guides.5

• New Zealand Intellectual Property Office – https://www.iponz.govt.nz/about-iponz

The World Intellectual Property Organization (WIPO) is an international organisation that administers several international treaties in the field of intellectual property. These include the Patent Cooperation Treaty (allowing for international registration of patents), the Madrid Protocol (allowing for international registration of trade marks), the Hague Agreement Concerning the International Deposit of Industrial Designs (allowing for international registration of designs), and the Berne Convention (an international agreement governing copyright).

• World Intellectual Property Organization – http://www.wipo.int/portal/en/index.html

5 New Zealand Intellectual Property Office. Overview – About IP. Retrieved 22 August, 2017 from https://www.iponz.govt.nz/about-ip/overview

IP Strategy

Your business should have an intellectual property (IP) strategy to manage risks to your IP rights and to help your business grow and make money. Figure 2 shows the parts of an IP strategy. Note that the complexity of your IP strategy depends on the size of your business, the nature of the IP involved, and your tolerance for risk. The rest of this section will quickly cover the parts of this strategy, with a focus on three key points:

1. Ensuring you are protecting the IP most relevant to your business and its profitability, while not ignoring certain types of IP.

2. Ensuring your IP strategy is aimed at protecting commercial advantage – it should not be separate from your overall business strategy.

3. Ensuring you consider IP protection overseas right from the beginning.

Trade Mark

A trade mark is a recognisable sign which distinguishes the products or services of one business from those of other businesses. This could be a logo, shape, letter, numeral, word, expression, colour, sound, or smell, or any combination of these.

The main purpose of a trade mark is to create a distinctive brand that customers associate with your business. In fact, a trade mark is often referred to as a brand, and one of the most common aspects of a business to be trade marked is the business name. In New Zealand, trade marks are governed by the Trade Marks Act 2002.

DEFINITION:

Trade Mark (waitohu): A sign that distinguishes the goods and services of one business / organisation from those of others. A registered trade mark is one that is officially registered with the Intellectual Property Office of New Zealand (IPONZ).

Business Terms in Aotearoa. (2012).

If you register your trade mark, you have the sole rights to use that trade mark, and if someone else tries to use it you can take legal action. Once a trade mark is registered, the ® symbol may be used to show that it is registered. Registered trade marks provide protection for ten years, but can be renewed indefinitely.

You can also choose to leave your trade mark unregistered – using the ™ symbol – but it is much harder to protect it. Trade marks have some degree of protection under the Fair Trading Act 1986, but it can be difficult and expensive to prove reputation in your trade mark and to prove that you have actually suffered damage from an infringement. It is always safer to register your trade marks.

One part of an IP strategy that many small business owners fail to consider is the use of trade marks beyond New Zealand. A trade mark registered with IPONZ only protects you within New Zealand. You should think about protecting your trade mark as early as possible in overseas markets and when doing business over the internet. For example, if there is ever a chance your business will operate in or market to, say, China, register your trade mark and a translation of your trade mark in a Chinese language, such as Mandarin, as soon as you can. It also pays to do this early to determine if your chosen trade mark is suitable for foreign markets. For example, you may find that your trade mark is confusing or perhaps even offensive in another country.

You will need to apply for a trade mark in each country where you want your trade mark to be registered. Fortunately, you do not have to file a separate application in each country. Instead, using the Madrid Protocol, you can file one application and choose which countries (of those that are party to the Protocol) you would like your application to be lodged in. Each country’s trade mark office can then examine your application and approve (or reject) your request. It can be an expensive exercise to register in multiple countries, but the costs of enforcing nonregistered rights are far higher and very time-consuming.

HEI TAUIRA:

Example: Clementine

Clementine started a business called Dead Ringers, which produces custom-designed smartphone covers and other accessories. She makes sure she has New Zealand trade marks for her brand name and her logo – a bone-white cartoon phone-skeleton.

She successfully runs her business for several years in New Zealand. One day, when ‘googling’ her own business online, she comes across a business using the exact same brand name and logo, operating in the United States! Clementine researches this business and finds that it began operating after her own business did, and after she registered her trade marks.

Annoyed that another business was copying her idea, Clementine contacted her lawyer. Unfortunately for Clementine, she was told that her trade marks only gave her protection in New Zealand. It was legal for the other business to operate, and for it to get trade marks for the business name and logo in the United States (which it had done). Clementine suddenly realises that she needs to secure trade marks for Australia, which is where she wants to grow her market.

Copyright

Under the Copyright Act 1994, copyright gives exclusive rights to the creator of an original work. Copyright applies to a wide range of works, including books, music, paintings, films, computer programs, databases, advertisements, maps, and technical drawings, and allows copyright owners to control certain activities relating to the use and distribution of these works.

DEFINITION:

Copyright (manatārua): Exclusive rights that are automatically granted to original works such as literary, musical or artistic works.

Business Terms in Aotearoa. (2012).

If the work was commissioned or created as part of the creator’s job, the employer is considered the copyright owner. After all, the creator was paid for the work with wages. For example, if a business owner instructed a staff member to write a book for the business to sell, the resulting book would belong to the business, not the employee.

In New Zealand, as soon as a work of this type is created, it automatically gets copyright. There is no registration process. Even though copyright is automatic, you should stamp the work with the © symbol, the owner’s name and date to show who the work belongs to, and indicate that you are serious about protecting it. Generally, this copyright lasts for the creator’s lifetime plus fifty years. However, product designs and casting moulds, for example, are only covered for 16 years from the time the work is industrially applied.

Patent

A patent, as governed by the Patents Act 2013, is an exclusive right to use an invention. An invention could be, for example, a new product or a new manufacturing process. Generally, it needs to fulfil four main requirements: it must be new (and not obvious), include an inventive step, be able to be used in practice, and the details of your invention also cannot have been publicly disclosed before you apply for a patent.

A patent provides the patent owner the right to decide whether, and how, the invention can be made, used, sold, or distributed by others. In exchange for this right, the patent owner publicly discloses technical information about

the invention. This protection lasts for up to twenty years, after which the invention enters the public domain and anyone can use it. If a patented invention is used without consent, you can take legal action. However, by holding a patent you can license other people to use the invention, or even sell the right to the invention to someone else.

As with a trade mark, patents in New Zealand are registered with IPONZ, and only provide protection within New Zealand. If you want a patent in other countries, you must either apply to the national patent office in each country you want or make an application under the Patent Cooperation Treaty (PCT) system. The PCT system involves over 140 participating countries and allows you to make a single application that provides protection in as many of the member countries as you choose.6

Design

Many businesses are built on stylish and interesting products; on clever designs. A design is the new or original features of shape, configuration, pattern, or ornamentation that is applied to a product. It relates to the appearance of a product rather than the function of the product. A design registration (protected under the Designs Act 1953) gives the owner an exclusive right to make, import, sell, or license a design for up to fifteen years.

DEFINITION:

Design (hoahoa): The features and patterns of a piece of work.

Business Terms in Aotearoa. (2012).

Designs are a valuable intangible asset worth protecting because a design is often what makes a product attractive to customers and provides a competitive advantage to your business. The design needs to be mass-produced not just reproduced once or twice, appeal to the eye of the customer, and the design cannot have been applied to a product in New Zealand before the application to register the design is filed.7

As with other forms of IP, registering a design with IPONZ only provides protection within New Zealand. Also, be aware that when registering designs in other countries, this registration can be blocked if the object has been manufactured prior to the application being filed, even if the manufacturing occurs in New Zealand. You need to ensure your IP protection is in place even before commercialisation of the product begins in New Zealand. Failing to do this may result in you losing the ability to protect your design overseas.

Trade Secrets

A trade secret is confidential information that has economic value to your business. Under the Crimes Act 1961, ‘trade secret’ means any information that can be used industrially or commercially, is not publicly available, has economic value to the possessor of the information, and that is the subject of all reasonable efforts to preserve its secrecy. It could be a formula or recipe, employee or customer information, a practice or strategy, a process, a piece of technology, a pattern, or a collection of information. This is not a registrable IP right and there is no formal government protection.

The protection of trade secrets only applies where reasonable efforts have been made to keep the information secret. You must take measures to guard your own trade secrets. This could include locking trade secret materials away in a safe, making sure you have good computer security, and limiting access to secret information to only those people who need to know it. The main protection when disclosing valuable information to employees, suppliers, clients, or other businesses is a contract, known as a ‘confidentiality agreement’ or ‘non-disclosure agreement (NDA)’. NDAs are discussed more in Parts B and C.

6 New Zealand Intellectual Property Office. (n.d.b).

7 New Zealand Intellectual Property Office. (n.d.c).

TĪWHIRI:

Protecting confidential information is particularly important if you plan on applying for patent or design protection. This is because patents and registered designs cannot be acquired for products or processes which has been publicly disclosed. Even unintentional disclosure can be a major problem for IP.

HEI TAUIRA:

Example: Delilah

Delilah’s Donuts is a rapidly growing donut and coffee shop franchise. Delilah’s business started in a small Waikato town, but has expanded to include three more shops in several big cities. Her success is partly based on the unique and delicious taste of her donut. The recipe for these donuts is a trade secret. Delilah keeps the recipe in a password protected part of her laptop, and backed up online in a secure data facility.

Even though only the head baker at each shop is allowed to know the recipe, everyone who works at Delilah’s Donuts has to sign a non-disclosure agreement. This is just in case another employee somehow gets access to the recipe – perhaps by observing the head baker make the donuts.

Domain Name and Social Media

Another part of an effective IP strategy which contributes to your competitive advantage and profitability, is maintaining control over your branding online. You should make sure you register domain names (website addresses) and social media accounts using your brand.

Having a domain name helps distinguish your website and business from other similar businesses operating all over the world. Domain names are instantly available online – through private suppliers – and can be leased on plans of a year or longer. An important factor to consider is the domain name extensions you will register. For instance, if you only register a ‘.co.nz’ domain name, another business may register the same domain name, with the exception that the ‘.com’ or ‘.nz’ extensions are instead used.

As part of your engagement with online business (e-commerce) you also need to consider cybersecurity (see Part D).

Plant Variety Rights

This type of intellectual property is only really relevant to a limited number of businesses. A plant variety right – provided for under the Plant Variety Rights Act 1987 – gives exclusive rights to produce for sale and to sell propagating material of a new plant variety. That is, it lets you grow and sell the plant, and propagate the plant for the commercial production of fruit, flowers, or other products.

To be granted this right, the plant variety must be new, distinct, uniform, and stable, and have an acceptable variety name. Being distinct, uniform, and stable requires the plant variety to have a shape, colour, or physiology different from existing varieties, to maintain this distinct characteristic from plant to plant within the variety, and to maintain this distinct characteristic from generation to generation.

Other Parts of the IP Strategy

The last few things to consider for your IP strategy are a tiered IP strategy, protocols for IP capture, proof of chain of title, and IP insurance.

Some businesses used a tiered IP strategy to build and protect their brand. This may involve the following layers:

• A house mark: This is when a business attaches a particular trade mark to all the goods and services it provides. This is often the business name. For example, the Apple company attaches the word ‘Apple’ and the Apple logo to everything it sells.

• Second-tier marks: These are individual trade marks for products or services. Continuing with the Apple example, the iPad, iPod, and iPhone are all second-tier marks.

• Third-tier marks: Third-tier marks attach to some subset of the second-tier product or services, but not all of the business’s products. For example, Countdown supermarkets are just one of the brands operated by Woolworths NZ.

• Fourth-tier marks: These are typically slogans and non-traditional marks (such as sounds). For example, Nike’s “Just Do It” slogan is a valuable fourth-tier mark.

In regards to protocols for IP capture, this involves deciding what you will do if you discover that your IP rights are being infringed. These protocols will probably involve contacting a lawyer, and, once again, can be as complex or as simple as you want based on the nature of your business and your tolerance for risk. As soon as you find out an unauthorised party is misusing your IP, you need to act quickly. In addition to the fact that delaying action means another party is benefiting from your IP at your cost, it may also work against you if you do eventually take the other party to court – the fact that you did not value your IP enough to act immediately may result in a less favourable outcome.

If you will be purchasing IP, perhaps by buying another business, you need to make sure you keep proof of chain of title for your IP. This is the ‘paper trail’ of documents showing who has owned the IP and how this ownership has changed hands, with evidence usually supplied by written agreements. It shows that you do own the IP that you claim to own. This is also important when you are buying or getting a licence for IP from someone else – you need to check their ownership of that IP before making a deal.

The final part of the IP strategy is intellectual property insurance. It can be expensive to pursue another business who has infringed on your IP or to defend against IP claims from other businesses. However, there is insurance available to transfer the risk to an insurance company (see Part E). Make sure your insurance – in particular your liability insurance – can protect you against IP claims by others and help you pursue others who have stolen your IP.

Discussion Questions:

• Is an intellectual property strategy important for all businesses, or just certain types of businesses?

• What is the difference between a registered IP and an unregistered IP? Why does the difference matter to a business?

• What types of IP are most relevant to your business? Which ones are most important to your commercial strategy?

• What actions can you take if you are aware that someone is infringing on your IP rights? Are there any lowcost options?

• Why should you make sure you have proof of chain of title for your IP?

Part B: Protecting Internal Relationships

“Every great business is built in friendship.”

- James Cash Penney

Businesses are built on relationships. These include relationships with external stakeholders such as customers and suppliers, as well as those with internal stakeholders such as employees. Therefore, creating and protecting strong relationships is necessary to create and maintain strong businesses. These relationships are not easy, but they are important. Part B of this seminar will look at ways to protect your internal relationships and Part C will look at ways to protect your external relationships.

What is an Internal Relationship?

Internal relationships are relationships with people who are part of your business in one way or another. They may be your employees, managers, shareholders, or partners, for example. In comparison, external relationships are those with people who have an interest in your business, but are not part of it. Competitors, suppliers, lenders, and members of the community are good examples of external stakeholders. Both your internal and external stakeholders are essential to the success of your small business.

It may be useful at times to think of your internal and external stakeholders as customers. Customer service is very important to customers, of course, but the ‘customer service’ you provide to your internal and other external stakeholders is also important. If the customer service you provide to your employees is weak, your business is unlikely to be able to meet the expectations of your external customers. However, when you look after your employees, they will look after your customers and, in turn, your shareholders will also be looked after (through higher profits).

Employees who are happy in their employment provide better customer service because:8

• they care more about other people, including customers,

• they have more energy,

• they are happy,

• they are more fun to talk to and interact with, and

• they are more motivated.

In summary, if you would like your employees to provide great customer service, you must provide great customer service to your employees. If your employees are happy in their work, they are likely to show greater respect for you and your business and will serve your external customers better than disgruntled employees who feel unappreciated.

Employment Agreements and Restraint of Trade Clauses

An employment agreement, often referred to as an employment contract, is a legal document which sets out the agreed terms and conditions of the employment. In addition, an employment agreement includes details around the processes and obligations that each party are bound by. A clearly written employment agreement reduces the risk of misunderstandings and personal grievances.

The seminar on Employment Law covers employment agreements in more detail, including what they must contain. The focus in this seminar is on the risks involved in not having an employment agreement or having poorly written clauses within the agreement which are not legally enforceable. We will also look at how a ‘restraint of trade clause’ can protect your business.

As a small business owner, it is important that you effectively manage the risks involved in hiring your employees. At the very least, a written employment agreement should cover the parties involved, the nature of the work, and the amount of money the employee is paid. Unfortunately, despite it being a legal requirement, research suggests that more than 170,000 employees in New Zealand do not have a written employment agreement.9

If there is a legal dispute as to what was agreed between an employee and employer, and there is no written employment agreement in place, the Employment Relations Authority or Employment Court is likely to interpret the terms of employment against the employer and in favour of the employee.

The resignation of an employee with access to your business’s confidential and sensitive information is a significant risk to your business, especially if the employee leaves to join a competitor or sets up a business in competition with yours. To help protect your business against these risks, you may be able to include a restraint of trade clause in an employment agreement. A restraint of trade clause is also known as a ‘non-compete clause (NCC)’ or a ‘covenant not to compete (CNC)’.

Before you decide to include a restraint of trade clause in your employment agreements, you should seek legal advice from an expert in employment law. It is important that the conditions of the clause are sensible or they may not be legally enforceable. Depending on the nature of your small business, it may not be practical to include these clauses in your employees’ employment agreements. For example, it would not be reasonable to restrict an employee from taking on any job in the field that they have expertise in.

The two main types of restraint of trade clause in New Zealand are:

1. Non-competition: The former employee is prevented from working in a similar field to their former employer’s business.

2. Non-solicitation: The former employee can take another job in the same or similar industry, but they are not permitted to contact their former employer’s clients about their new business or employer. A non-solicitation clause prohibits employees from approaching customers or clients while employed and for a specified period after employment has ended. It also prohibits former employees from approaching current employees and encouraging them to leave the employer to instead work for them.

There are four main types of restraint of trade. They restrict a former employee from:10

` Working with former clients for a set period. For example, a hairdresser could not leave her job to instead start her own hair salon, and take her regular clients (from her employer) with her.

` Working in the same industry for a set period to protect trade secrets. For example, a business such as Fonterra could restrict a production manager who knew production secrets from working in a similar position for another dairy business such as Lewis Road Creamery.

` Working a second job in the same industry while still in their main job. For example, a business may restrict an employee in their marketing team from working in a marketing position for a competitor’s business while still employed by them.

` Working in the same industry nearby to their former employer. For example, a mechanic may allow a former employee to continue to be a mechanic, but not work for another mechanic business within a certain distance so that customers are less likely to follow the former employee to their new job.

HEI TAUIRA:

Example: Dr. Toothaker and Dr. Yankum

Dr. Toothaker, a dentist for 67 years, is the owner of a dental practice in Carterton. He hires Dr. Yankum as his assistant dentist. Dr. Toothaker is a very wise man and he knows the industry well. He has been around for a long time and he includes a restraint of trade clause in all his employment agreements.

The restraint of trade clause states that if an employee leaves Dr. Toothaker’s dental practice they are not allowed to contact their existing patients for a period of six months. The reason for this is that Dr. Toothaker has a very successful dental practice and during his 67-year career he has developed good relations with his patients, and has encouraged his staff to do so too. He knows that, the key to a successful business is having staff who look after customers well.

Through Dr. Toothaker’s training, Dr. Yankum and other employees have refined their customer relationship skills. As a result, customers of the dental practice who see Dr. Yankum are very happy to do so, and do not instead request to see Dr. Toothaker. The risk of this, however, is that if Dr. Yankum leaves Dr. Toothaker’s dental practice to work for another practice or to establish his own practice, his patients would likely want to follow the dentist to the new practice. This would lead to many patients leaving Dr. Toothaker’s practice to follow the departing dentist.

Dr. Toothaker and Dr. Yankum work well together and Dr. Yankum finally saves enough money to start his own dental practice. Dr. Yankum is concerned that he is going to spend thousands of dollars establishing a new dental practice of his own, but have no customers to look after. Therefore, during his last few weeks in his job, Dr. Yankum lets his patients know he is starting a new practice and shows them to his website. He also makes sure he prints a copy of his patient list so he can phone the remaining clients later on. After all, he feels it is only fair that his regular patients have the opportunity to be seen by their usual dentist.

Several patients loyal to Dr. Toothaker are very surprised to be contacted by Dr. Yankum, and inform Dr. Toothaker of what has happened. He believes he has no other option except to enforce the restraint of trade clause by pursuing legal action against Dr. Yankum. The Employment Court rules in Dr. Toothaker’s favour and Dr. Yankum is fined $20,000 (which is found to be a reasonable sum given the volume of customers he managed to take with him).

10 Employment New Zealand. (n.d.).

It is important that your employment agreements are written in ‘plain English’ to provide for good risk management. This is especially true when including restraint of trade clauses or any other clauses you feel are necessary to ensure that the expectations of both you and your employees are clear and to allow yourself maximum flexibility.

Confidentiality Agreements

A confidentiality agreement is a type of contract, or a clause in a contract, in which two or more parties agree not to disclose confidential information covered by the agreement. In the United States, a confidentiality agreement is more commonly referred to as a ‘non-disclosure agreement (NDA)’, but both refer to the same type of contract. Confidentiality agreements are regularly used to protect non-public and valuable business information, such as trade secrets, product ideas, and development plans.

You should have your employees sign a confidentiality agreement as a condition of their employment when they are signing their employment agreement. This will mean they are not legally allowed to disclose confidential information belonging to your business to anyone, especially a competitor.

As a small business owner, it is important that your employees understand their obligations in respect to confidentiality agreements. It is doubtful that an employee who signed a confidentiality agreement as part of their employment agreement will remember having signed one, especially as employees are often overwhelmed with different paperwork to sign as part of their induction process. It is more likely they will simply glance over the clauses and sign the agreement without really understanding their obligations.

As such, you should draw your employees’ attention to the clause and regularly communicate the importance of obeying their confidentiality agreements. This is to protect their own interests and those of your business. For example, you may use a monthly team meeting as an opportunity to remind your employees of their obligations. If implementing projects within your business, risks associated with disclosing confidential information can be part of the risk register and discussed in regular project meetings.

The seminar on Contracts and Negotiations covers contracts and confidentiality agreements in more detail, specifically the types of contracts that are available, how to write them, and what they should contain. In short, they need to clearly state what confidential information cannot be disclosed by your employees. This includes information they have direct access to, and information they may inadvertently hear or come across while working for your business.

Take the time to consider what information you would like to be protected by the confidentiality agreement and ensure that this is clearly specified in your employee agreements. A poorly written or vague confidentiality agreement might not protect you.

HEI TAUIRA:

Example: Dominic

Dominic is a certified machinist who has just got a job with a new business. His employer has a very innovative manufacturing process, and Dominic loves his new job. He finds the process and machinery really interesting, and he is very proud of the work he does.

One day, Dominic takes some photos for his friends. He takes a photo of the machine he uses with himself in front of it, smiling and pointing at it. At the bottom of the photo, he adds the words “my baby!!!” and draws in three hearts to show how much he loves it. He posts the photo on Facebook, and by the end of the day it has been shared several times and has received well over 100 ‘likes’. This has been a good day for Dominic!

Unfortunately, the next day is not so good. His employers saw the photo he put on Facebook, and they also saw something else. The photo clearly showed an important part of the innovative manufacturing process that has given them a competitive advantage. Dominic’s employment agreement had a confidentiality clause which specifically prohibits him from sharing information about the manufacturing system the business uses.

Dominic is now going to face disciplinary action, and may even lose his job, but this will not help his employers as it does not change the fact that their innovative manufacturing process has been revealed. If they had made sure all their employees were aware of the confidentiality clause, and knew how to follow it, this whole situation could have been avoided.

Shareholder Agreements

If your small business has more than one shareholder, you should prepare a shareholder agreement. Whilst this is not a legal requirement, not having one poses significant risk. This is even the case for whānau businesses. Although a shareholder agreement should be drawn up before you go into business, it is never too late to get one prepared.

A shareholder agreement is a private and confidential contract between shareholders in a business, which details how the shareholders are to undertake certain business-related transactions. A shareholder agreement provides shareholders with certainty about their rights and responsibilities, and what processes to follow in various situations. It can be as long (or as short) as the shareholders wish.

The reality is that disputes and conflict affect every business at some point. A shareholder agreement helps shareholders overcome these disputes and conflicts. Many disputes can be settled quickly if the shareholder agreement covers the cause of the dispute and provides a suitable resolution. In this way, a shareholder agreement provides clarity and helps business owners to mitigate and reduce risk.

A shareholder agreement usually includes information around:11

• The type of business to be engaged in,

• How the business will be managed,

• Who will be responsible for the areas of management, such as employment,

• The types of decisions that can be made by individuals,

• The types of decisions that require majority or unanimous agreement,

• How any of the parties leaving the business will be handled,

• How any disagreements or disputes that arise will be handled,

• The inclusion of non-competition clauses,

11 Sanderson. (2016).

• Appointment and retirement of directors,

• Professional indemnity insurance,

• Transfer of shares and pre-emptive rights (rights for a shareholder to be able to maintain their percentage of shareholding by purchasing new shares issued by the company),

• Disability and insurance, such as what happens in the case of injury or death, and

• Shareholder approvals, consent, and voting.

There may also be other details that should be included in the shareholder agreement. This will largely depend on the nature and structure of your small business and the products or services your business provides. It is important to consult a legal adviser before the shareholder agreement is confirmed.

HEI TAUIRA:

Example: Cyril and Hyacinth

Cyril and Hyacinth are co-owners of a manufacturer and distributor of martial arts supplies business in Mount Maunganui. As brother and sister, Cyril and Hyacinth have equal shares in the business and, as whānau, neither believed it was necessary to enter into a shareholder agreement.

Over the years, Cyril and Hyacinth manage their business well. It continues to be highly successful and profitable and becomes New Zealand’s leading retailer of martial arts supplies. However, a problem develops between Hyacinth and Cyril’s new wife, Mo, which has a significant impact on the business.

Without warning, Cyril abruptly dies of a sudden illness. His death leaves Mo with unpaid debts from their extravagant Las Vegas wedding and honeymoon in Hawaii. Mo desperately needs cash to pay for the expenses, but she only has Cyril’s shares in the business. Hyacinth did not want to issue dividends as she and Cyril had planned to reinvest the profits to continue to grow and develop their business.

Hyacinth never liked Mo, and she did not think Mo was good enough for Cyril, so their already troubled relationship becomes progressively worse. Mo decides to sell her shares to another person. As a result, Hyacinth is now co-owner of a business with a stranger.

Cyril and Hyacinth should have entered into a shareholder agreement. If it had the following clauses, these problems could have been avoided:

• When a Cyril or Hyacinth die, or at any time they wish to leave the business, their shares must be first offered to the existing shareholder to purchase.

• Details around dividends and the reinvestment of profits to maintain and grow the business.

• Insurance for Cyril and Hyacinth to provide cash for one party to be able to purchase the other party’s shares if they passed away.

• A process to value the shares to ensure any party leaving the business (or the whānau of the deceased person) receive a fair value for the shares paid.

Partnership Agreements

People who trust each other and want to do business together may decide to enter into a partnership agreement. These partnerships can be between whānau, friends, or simply two or more people who decide to work together. Partnership agreements are like shareholder agreements. The difference is that partners share ownership based on the number of partners, while shareholders share ownership based on the number of shares held and the ‘value’ of these shares. A partnership agreement sets out how the partners will share the profits, expenses, and daily workload required to run a business.

DEFINITION:

Partnership Agreement (kirimana hoa pakihi): A contract between two or more people who agree to form a partnership. The agreement sets out the key terms and conditions of the partnership and includes details such as how profits will be shared, rights of partners, and roles and responsibilities.

Business Terms in Aotearoa. (2012).

Like any business structure, a partnership has advantages and disadvantages. One of the disadvantages is that the partnership ends when a partner leaves. However, this can be overcome by a partnership agreement which sets out what is to happen when a partner dies (either suddenly or due to illness), decides to retire, wants to leave the business, or if the partners argue and find it difficult to continue in business together.

Ideally, business partners should resolve any disputes and disagreements between themselves so that partnership agreements can be locked away and never need to be used. Sadly, this is not always the case and there are times in which a partnership agreement provides certainty. This is especially true if one partner dies and the living partner finds him/herself negotiating with the deceased partner’s whānau.

TĪWHIRI:

A partnership agreement should be prepared by a lawyer. There is a risk that a partnership agreement that has been written without the assistance of a lawyer may not be clear and detailed enough, and may therefore be found to be null and void (not legally binding).

In New Zealand, partnerships are governed by the Partnership Act 1908, which is therefore over 100 years old. It has stood the test of time, but as is to be expected, it does not reflect how modern partnerships work. It is important that your partnership agreement does not simply improve on the existing provisions outlined, but also sets out in greater detail how your business will operate.

HEI TAUIRA:

Example: Ra’anui and Vainu’u

Ra’anui and Vainu’u are life-long friends and partners of a highly successful web design business. The business has a value of $750,000 and has contracts with large well-known businesses and government agencies throughout New Zealand. Ra’anui and Vainu’u each take on an equal share of responsibility in running the business with Ra’anui being responsible for marketing and Vainu’u responsible for administration and sales.

At the advice of a friend and life coach, Ra’anui and Vainu’u put a partnership agreement in place in case either of them dies unexpectedly. They include a provision in the partnership agreement in which each partner would have life insurance to at least the value of 50% of the business’s current value. The proceeds of the life insurance claim would be used to buy out the ownership of the deceased business partner from the business so their whānau would receive their share of the business value.

Regrettably, soon afterwards, Vainu’u passes away after his bicycle is clipped from behind on a public road. Luckily, the life insurance company pays out the claim value of $750,000, enabling Ra’anui to buy back the 50% ownership rights from the family of Vainu’u. The business ultimately survives without Vainu’u.

As a result of buying back the ownership rights, Ra’anui can continue running the business on his own without any further disruptions. Ra’anui was initially reluctant to take the advice of his life coach and thought about putting the partnership agreement off. However, he realised having protection and not needing it was more important than the cost of one day needing protection and not having it.

Discussion Questions:

• For which businesses and job positions would a restraint of trade clause be appropriate?

• When would a restraint of trade clause be unreasonable?

• What are some situations in which a non-disclosure agreement would be highly valuable?

• What are the risks of not having a shareholder or partnership agreement?

Part C: Protecting External Relationships

“Assumptions are the termites of relationships.”

- Henry Winkler

No business can operate in isolation; you will need to interact with suppliers, vendors, distributors, resellers, contractors, and so on. These external relationships are important to your success and growth, but also present potential risks.

What is an External Relationship?

An external relationship, sometimes called a third-party relationship, is any business arrangement between your business and another entity. This relationship could be with a contractual party – either ‘upstream’ (for example, a supplier) or ‘downstream’ (for example, a re-seller) – or a non-contractual party.

External parties can be categorised into four types of entities:12

Service Providers. These could include accountancy firms, IT providers, legal consultants, call centres, advertising and marketing companies, and debt collectors.

Supply-Side Partners. These could include suppliers, research and development partners, software development providers, production outsourcing, and website hosts.

Demand-Side Partners. These could include distributors, re-sellers, customers, and franchisees.

Other Relationships. These could include alliances, business partnerships, and joint ventures.

External relationships can benefit your business by providing competitive advantages, cost savings, process and time to market efficiencies, improved profitability, and high-quality services. However, with these benefits come risks. The risks associated with a business’s external relationships are increasingly important to business owners.

Two significant areas of risk which need to be considered are (1) the risks to your brand and image which are involved with being associated with the other party and their activities, (2) and intellectual property risks. If an external party has access to trade secrets and confidential information, they may be in a stronger position to exploit this knowledge than an individual employee would be. For example, if you approach a manufacturer with plans to develop your new product, they could have the resources to go ahead and develop your product without you.

External Relationships Risk Management

Your risk management plan needs to take into account external relationships. You need to determine which of your external relationships pose the highest risk and then put measures in place to mitigate or transfer these risks to a tolerable level.

The importance of external relationships risk management was elevated in 2013 when the U.S. Office of the Comptroller of the Currency (OCC) specified that all regulated banks had to manage the risks of all their third parties. The risk management process discussed in this seminar is based on this OCC Bulletin.

This process follows a continuous lifecycle for all relationships and includes the following stages (which are explained in more detail following Figure 3):13

1. Planning. This involves developing a plan to manage the relationship, and to identify and prioritise the risks that come along with that relationship. This is especially important for contracts with external parties which involve critical activities or revealing vital confidential information.

2. Selection. This involves using due diligence to review a potential external party before signing a contract. You need to ensure that you select an appropriate external party and understand the risks posed by the relationship, consistent with your risk tolerance.

3. Contracts. This involves negotiating and developing a contract that clearly defines the rights and responsibilities of all parties. You need to ensure that the contract is enforceable, that your liability is limited, and that disputes can be managed.

4. Monitoring. This involves performing ongoing monitoring of the external relationship once the contract is in place. This also includes managing and monitoring existing external relationships.

5. Termination. This involves having contingency plans for terminating the relationship.

Throughout the life cycle of this relationship, you also need to make sure that roles and responsibilities for managing external relationships are clearly assigned, that proper documentation and reporting takes place, and that reviews of the risk management process are periodically performed.

Stage 1: Planning

Before entering into an external relationship, you need to develop a plan to manage the relationship effectively and successfully. To begin with, you need to ensure that the proposed relationship is consistent with the overall business strategy.

Next, you should analyse the potential risks, benefits and costs, legal aspects, and information security implications associated with entering into an arrangement with an external party (in general). This risk analysis involves assessing the level of risks and how they could be managed. It also involves weighing up how critical an external relationship would be, against the sensitivity of the information the other party would have access to. Any alternative options to using an external relationship should also be considered.

14 Based on diagram from OCC Bulletin 2013-29. Office of the Comptroller of the Currency (U.S. Department of the Treasury). OCC Bulletin 2013-29: Third Party Relationships. Retrieved 30 August, 2017 from https://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html

Stage 2: Selection

Before selecting and entering into a contract with an external party, you need to conduct due diligence on each potential external party. The degree of this due diligence will be based on the level of risk and complexity of the external relationship. If the relationship involves critical activities, more extensive due diligence is necessary.

The OCC Bulletin suggests that you consider the following during due diligence:15

• Ensure the external party’s business strategy and goals does not conflict with yours

• Ensure that the external party complies with relevant laws and regulations

• Assess the external party’s financial condition

• Evaluate the external party’s business experience and reputation

• Evaluate the effectiveness of the external party’s risk management strategy

• Assess the external party’s information security system

• Assess the external party’s business continuity plans

• Evaluate the external party’s reliance on subcontractors and its management of risks arising from the use of subcontractors

• Verify that the external party has suitable insurance cover, including asset protection and liability insurance

Once you have reviewed the results of the due diligence, you can decide whether the external party is able to meet your expectations and whether you should proceed with the external relationship.

TĪWHIRI:

An essential step to managing existing external relationships is knowing who each party is and what risks are involved with engaging with them. Try to rank each potential party in regards to benefits, and also rank each party in regards to risk. Is there one which clearly offers the largest benefits for an acceptable level of risk?

Stage 3: Contracts

Once you have selected an external party, you need to negotiate a contract. This provides the foundation of this external relationship. Supplier relationships are the most common external relationships and are typically bound by legal agreements or contracts. The contract should clearly specify the rights and responsibilities of each party to the contract, and can serve to:

• allocate risk to the external party,

• limit your business’s liability,

• provide for measuring performance, and

• mitigate disputes.

The seminar on Contracts and Negotiations discusses business contracts, including the types of contracts, the negotiation of contracts, and the components of contracts. However, in terms of external relationships risk management, it is worth remembering that contracts should generally address the following:16

• Nature / scope of the arrangement

• Performance measures

15 Ibid.

16 Ibid.

• Providing, receiving, and retaining information

• Compliance with relevant laws and regulations

• Cost and compensation

• Ownership and licence of intellectual property

• Business contingency plans

• Indemnification

• Insurance coverage

• Dispute resolution

• Limits on liability

• Default and termination policy

• The use of subcontractors

In addition, make sure the contract clearly outlines the external party’s obligations to protect your sensitive or confidential information.

This stage of the external relationships risk management process also includes periodically reviewing existing contracts, to ensure they continue to provide the required risk protection. Contracts and confidentiality agreements are discussed later.

Stage 4: Monitoring

Once you have selected your external business partners and signed contracts with them, you need to continuously monitor this external relationship. Once again, if the external relationship involves critical activities, this monitoring needs to be more comprehensive. This monitoring includes tracking risks and incidents, and evaluating the value received from the relationship – doing so can determine when or whether the terms of an agreement need to be renegotiated or terminated.

Ongoing monitoring also includes assessing changes to the external party’s:

• business strategy,

• reputation (including litigation),

• compliance with legal and regulatory requirements,

• financial condition,

• insurance coverage,

• risk management,

• reliance on subcontractors,

• agreements with other parties that may pose risks to your business, and

• ability to maintain the confidentiality of information.

Stage 5: Termination

The external relationships risk management process includes making sure that you can effectively terminate the relationship when required. This is particularly important if the activities carried out by the other party need to be transitioned to another external party, or brought in-house.

You may terminate the relationship for various reasons, including the normal end of the contract (expiration or satisfaction of the contract), in response to breach or default of the contract, or in response to changes to your business strategy or the business strategy of the external party. Among the things to consider during the end of a relationship are the risks associated with information / data retention and destruction, and handling intellectual property.

Contracts and External Relationships Risk

Contractual Risk Transfer

One of the most effective ways to protect yourself against the risks inherent in external relationships is to transfer some or all of the risk from your business to the external party. The contract between you is the starting point for this contractual risk transfer. This risk transfer is accomplished through clauses relating to indemnification, limitation of liability, and insurance. In short:

` Indemnification clauses place indemnity obligations on the external party. That is, it allows you to seek redress or monetary reimbursement from the external party if you are forced to pay out as the result of an injury (physical or financial) caused by the external party.

` Limitation of liability clauses place a limit on how much exposure a business might face in the event of a claim made or legal action taken.

` Insurance clauses require the external party to have suitable insurance. This can include liability insurance, so the other party is able to cover the costs of damages and losses it incurs (and can therefore indemnify your business so you do not have to cover these costs). Make sure they are sufficiently insured to be able to cover the transferred risks.

Contracts can also be used to control risks to your information posed by cyber-attacks. Sometimes businesses have to share confidential information with external parties. These parties could suffer data breaches if they have poor cybersecurity. Contracts can therefore establish requirements for external parties to follow to reduce risk exposure.

For example, a contract may require the vendor to agree to certain cybersecurity practices or require them to have cyber insurance (see Part E). The contract could also have a clause which states that if the vendor suffers a cybersecurity incident, they must notify you and cooperate in any investigation necessary. Including things like this in a contract helps your business to reduce risks.

Confidentiality Agreements

Before a contract is signed, the best way to protect your intellectual property and other confidential information is to keep it secret. However, you may need to disclose some of your private or valuable ideas during the negotiation process in order to gain the other party’s interest and confidence.

You can do this, but make sure you use a confidentiality agreement, also known as a ‘non-disclosure agreement (NDA)’, and that you get it prepared by a lawyer. A confidentiality agreement is a formal contract in which two or more parties agree not to disclose information that is covered by the agreement. The information is only to be used for a specific purpose. It helps protect your business from internal and external privacy breaches.

DEFINITION:

Confidentiality (muna): Keeping information private. Business Terms in Aotearoa. (2012).

Also note that, although the Privacy Act 1993 promotes and protects personal information, you cannot rely on this for protection. The Act covers the collection, storage, use, distribution, and transfer of information relating to individuals by businesses. It does not cover information held about a business or other organisation. This means that information about your business held by another business is not protected by the Act.

Ideally, a confidentiality agreement should be signed before any confidential information is disclosed. However, it is possible that some information may need to be disclosed prior to the confidentiality agreement being signed. It is in the best interests of your business to ensure that any previously disclosed information is also covered by the confidentiality agreement and that those parties signing the agreement know this.

If the parties decide to enter into a final contract following their initiation discussion, the confidentiality agreement will be replaced by the confidentiality provisions of the final contract. An NDA is not intended to be used on an ongoing basis.

Below is a quick summary of why, when, and how confidentiality agreements / non-disclosure agreements should be used.17

There are three main purposes why you would use an NDA:

1. Protective. The most common is to ensure that your confidential information is adequately protected before you share that information with an external party.

2. Contractual. Obligations you already have to another party may require you to use an NDA when using their information for business (such as briefing subcontractors or ordering supplies).

3. Strategic. An NDA may be used to test how interested and serious an external party is about discussions with your business. If they question the need for an NDA, consider what that means.

There are five main things to consider when thinking about when to use an NDA:

1. What confidential information needs protection?

2. Who is disclosing what? The confidentiality agreement can be:

• one way – used when only one party is sharing information and the other agrees to keep it confidential, or

• mutual – used when both parties are sharing information with each other and both parties agree to keep it confidential.

3. Are there existing confidentiality terms? If so, their terms may be broad enough that a new agreement is not needed, or a term could be inserted in the new agreement to state it replaces previous ones. It is best not to have several confidentiality terms covering the same information which is shared with the same external party as doing so can easily lead to confusion and loopholes.

4. When will sharing begin? When choosing an external party to do business with, decide when you need to start sharing confidential information as this is the point you start using NDAs.

5. How much will be shared? Disclose information in increasing amounts only as the deal or negotiation progresses, and make sure the balance of the power remains relatively even in terms of commitments. In addition, disclose the minimum necessary to close the deal or gain the investment.

There are also a range of things to consider when thinking about how to use an NDA. You should ensure that:

• They are fair and balanced and do not favour one party over the other.

• The security obligations are clearly stated. For example, there could be an absolute obligation to keep the information secure and confidential, or lesser levels of ‘best endeavours’, ‘all reasonable endeavours’, or ‘reasonable endeavours’.

• They include a description of why the parties are sharing information – the permitted purpose – and what can, and cannot, be done with the confidential information.

• They include the relevant ‘non-disclosure period’ – the defined period of time during which the confidentiality obligation will apply to the confidential information. For example, if you are disclosing trade secrets, they should be kept confidential forever, or until the information enters the public domain.

• You should avoid sharing customer records or personally identifiable information under an NDA.

• The definition of confidential information is broad enough to cover all of the information that you are planning to share.

• You can control the onward transfer of your confidential information – this is done by clearly describing who else the information can be disclosed to.

• You should consider carefully whether to include an indemnity for breach. You already have the ability to claim damages for breaches, and the indemnity may not give much, if any, practical additional benefit (but may result in significant negotiations and cost).

Many confidentiality agreements used in practice are quite simple: containing the party details, specifying who is the discloser and who is the recipient, and outlining the permitted purpose of the information. Again, remember to consult an expert when preparing an NDA to ensure that your business and its confidential information are properly protected.

For more information on the workings of NDA in New Zealand, have a look at the website below:

• LawHawk, LawHawk Guide to Confidentiality Agreements – https://www.lawhawk.nz/resources/ document-guides/confidentiality-agreement-guide.

Discussion Questions:

• What are some examples of external relationships you may enter into in your business, along with the risks associated with those relationships?

• What types of things do you need to consider when selecting and entering into a contract with an external party for your particular business?

• Why should you continuously monitor your external relationships? How would you do this?

• How does ‘contractual risk transfer’ work? What kinds of clauses should you consider in contracts in order to transfer risk?

Part D: Information Technology (IT) Risk

“Information technology and business are becoming inextricably interwoven. I don’t think anybody can talk meaningfully about one without talking about the other.”

- Bill Gates

What is Information Technology (IT)?

Information technology (IT) is “the use of computers, storage, networking, and other physical devices, infrastructure and processes to create, process, store, secure and exchange all forms of electronic data”.18 Information technology has become a part of everyday life and it is regularly used for transmitting information and facilitating communication.

DEFINITION:

Information Technology: Set of tools, processes, methodologies (such as coding / programming, data communications, data conversion, storage and retrieval, systems analysis and design, systems control) and associated equipment employed to collect, process, and present information. In broad terms, IT also includes office automation, multimedia, and telecommunications.

BusinessDictionary.com. (2017).

Information technology is used by businesses of all sizes on a daily basis. It is used to make everyday tasks simpler, to support the day-to-day operations of a small business, and to enable a business to have a greater market presence than would otherwise be possible. Information technology has enabled small businesses to compete domestically and internationally against much larger and better-resourced businesses.

However, the increasing use of information technology in business is not without risks and threats. Thus, as with other sources of risk, you need systems in place to manage the risks associated with information technology. This includes identifying and evaluating risks, and finding ways to mitigate or avoid those risks.

As a small business owner, you have legal obligations in respect to privacy, electronic transactions, and the confidentiality of customer information. It is important this information is strictly confidential and that you have processes in place to protect this information. TĪWHIRI: 18 Techopedia. (2017).

Business Continuity Planning (BCP)

Business continuity planning is a process which identifies the potential risks and threats a business is likely to experience with the goal of ensuring the business is protected and still able to function in the event of a disaster. This part of the seminar will look at the risks and threats related to business continuity and information technology.

Your business continuity plan should cover the occurrence of the following events:19

General IT Threats

• Hardware and software failure (such as power loss or data corruption)

• Malware (malicious software designed to disrupt computer operation)

• Viruses (computer code that can copy itself and spread from one computer to another, disrupting computer operations)

• Spam, scams, and phishing (unsolicited email that attempts to fool people into revealing personal details or buying fraudulent goods)

• Human error (incorrect data processing, careless data disposal, or accidental opening of infected email attachments)

Criminal IT Threats

• Hackers (people who illegally break into computer systems)

• Fraud (using a computer to alter data for illegal benefit)

• Passwords theft (often a target for malicious hackers)

• Denial-of-service (online attacks that prevent website access for authorised users)

• Security breaches (includes physical break-ins as well as online intrusion)

• Staff dishonesty (theft of data or sensitive information, such as customer details)

Natural Disasters

• Fire

• Cyclone

• Earthquake

• Floods

Note that, although less likely, natural disasters need to be considered. They can cause significant damage to buildings and computer hardware, and restrict you from being able to enter your premises to retrieve information. If not properly protected, this can result in the complete loss or corruption of customer records and transactions which can cause concern and frustration not only for you and your employees, but also for your customers.

Creating a Business Continuity Plan

The purpose of a business continuity plan is to minimise the disruption a business experiences because of one of the above events, and to get business processes back to normal as quickly as possible.

The first step in creating a business continuity plan is to conduct a business vulnerability review, which identifies all the types of risks and threats that your business is exposed to. This includes the general IT threats, criminal IT threats, and natural disasters previously identified.

For each type of risk, there should be a response plan which sets out the response and processes that will be used to handle the situation and bring it under control. Once the emergency has been brought under control, the business continuity plan should cover how you will restore business activities.

To plan this you will need to evaluate the likely impact on the business. For example, it may be that the emergency will affect your ability to supply customers or the ability of your employees to carry out their work. If so, your plan should look at what you can (and will) do to either overcome these risks or mitigate them. Having data stored online, as well as having insurance to cover employee wages, are likely to be appropriate risk management strategies in this case.

If employees will have specific roles and responsibilities in the process of dealing with the emergency and / or getting the business back on track, the plan should also list all employees and their responsibilities. It should also identify any external contacts (other people and businesses outside your business) who can help with the response and recovery of your business along with their contact details.

Testing and Reviewing the Plan

Once the business continuity plan has been created, it is a good idea to run a simulation to test it. It is better to identify any limitations of the business continuity plan during the testing stage, so that the plan can be changed accordingly, rather than attempting to find solutions during a live emergency scenario. Practice makes perfect, so practice scenarios should be carried out regularly so that you and your employees have the experience of being exposed to a practice emergency scenario.

You should also review the business continuity plan at least once a year to ensure that it is up-to-date and relevant for the business. The business continuity plan should be updated whenever new risks or threats are identified, when employees leave the business or new employees are hired, or if there are significant changes to the structure of your business. If an emergency occurs, keep records of key events, actions, and results to assist you when it is time to review the business continuity plan.

Cybersecurity

Cybersecurity continues to be an issue for businesses. Research carried out by the Horizon Scan Report and published by the Business Continuity Institute identifies cyber-attacks as the greatest concern for businesses (88%) followed closely by data breaches (81%).20

DEFINITION:

Cybersecurity: The state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this.

Merriam-Webster Dictionary. (2017).

NZI, a major insurance company in New Zealand, interviewed 200 New Zealand business leaders and found that business leaders are not doing enough to protect their business from cyber-attacks. The research found that 88% of businesses in New Zealand are not prepared for a cyber-attack and only 6% of SMEs (Small-and-Medium Enterprises) in New Zealand have cyber insurance.

NZI’s research found that “connectivity and data protection is what is increasingly keeping business owners awake at night but few are taking steps to ensure their businesses could survive a cyber-attack. Of greater concern, smaller businesses that are less likely to bounce back from an attack, are the least likely to insure against them.”21 Cyber insurance is a useful way to reduce the risks associated with the theft or damage of hardware, software, or information. We will look at insurance in Part E.

Cyber-attacks

The term ‘cyber-attack’ is often used to describe any kind of attempt by hackers to gain unauthorised access to information technology systems, infrastructure, and equipment with a deliberate intention to cause malicious damage. Whilst cyber-attacks are, for the most part, unavoidable, there are several ways to protect against them.

Password Attacks

Password attacks involve a person attempting to gain unauthorised access to a computer by discovering (or ‘cracking’) a password. Unlike other cyber-attacks, this type of attack does not require any malicious software to run on the system. There is software that attackers can use to attempt to crack a password, but these software applications are usually run on their own computers rather than their victims’.

There are many different approaches software applications use to crack a password, including ‘brute force’ attacks. The software used in brute force attacks goes through hundreds of thousands of different words, numbers, and combinations of words and numbers to attempt to crack a password. Some will even go through every word in the dictionary (using a ‘dictionary file’) to locate a password.

TĪWHIRI:

Strong passwords are the best way to protect you against password attacks. A strong password is one which has a combination of upper-case and lower-case letters, symbols, and numbers, and is at least eight characters long. A brute force attack can unlock a lower-case password in minutes, especially if it is a common word found in the dictionary. It is good practice to change your passwords regularly.

20 Business Continuity Institute. (2017).

21 NZI. (2017).

Malware

Malware is a term used to refer to several types of cyber threats. These include viruses, ransomware, worms, and trojans. Malware affects a computer through email attachments and software downloads. If vulnerabilities exist in an operating system, the computer will also be open to attack by malware. To resolve the vulnerability, a security update is often released.

How malware affects a computer depends on the type of malware installed. Malware can, for example:

• Take control of your computer,

• Monitor your actions and keystrokes, and / or

• Send confidential data from your computer to another computer.

Four common types of malware are viruses, worms, trojans, and bots. These are discussed below:

1. Viruses: A virus is a type of malware that inserts a copy of itself into another program. It spreads from one computer to another. Some viruses can be mildly annoying; others can severely damage data and software. Viruses are usually attached to a file, so the virus will not be active until the file is opened. Viruses spread when the software or document they are attached to is transferred from one computer to another using the network, a disk, file sharing, or infected email attachments.

2. Worms: A worm is like a virus and it can cause the same type of damage. However, unlike viruses, worms do not need a file to ‘host’ the infection. A worm enters a computer through a vulnerability in the infected computer so it is important to make sure your operating system is up-to-date.

3. Trojans: A trojan is a harmful piece of software that a person is tricked into loading and running on their computer. Trojans can perform a range of malicious activities, from irritating the victim by playing annoying sounds to deleting files, stealing data, and spreading other malware, including viruses. Unlike viruses and worms, trojans do not infect other files and must be spread manually.

4. Bots: A bot is an automated process that performs tasks and provides information or services that would usually be performed by a person. Unlike other malware, bots can be used for either good or malicious purposes. A malicious bot can log keystrokes, steal passwords, capture and analyse data, gather financial information, and launch denial-of-service (DoS) attacks. A bot will often access a computer through the ‘back door’ of a computer that has already previously been infected by a virus or a worm.

The best way to protect against malware is to avoid clicking on links or downloading attachments from unknown people or businesses. Using anti-virus software and a firewall can also protect against attachments that may contain malware. In addition, ensure your operating system is up-to-date and has the latest security updates installed. These updates address any weaknesses in your computer and make it more difficult for your computer to be affected by a cyber-attack.

Be careful when clicking on a link to download a file or opening an attachment that may look harmless as malware could be hidden within the file. This is true even if the file has a recognised file extension (such as a Microsoft Word document or a PDF attachment). Malware can be hidden anywhere so you should make sure your anti-virus, anti-spyware, and firewall software are all up-to-date.

Phishing

Phishing is when someone attempts to obtain sensitive information by pretending to be a trustworthy person or business. For example, they could pretend to be a friend, another business, or even your bank. The information a ‘phisher’ attempts to obtain could be your user name, password, date of birth, or your credit card information. The phishing attack is usually initiated through an email or text message and many phishing attacks can look very realistic (which is why people fall for them).

Note that most phishing attacks will have some urgency to them. For example, it could be around the need to confirm your personal details to claim a prize or you may be informed that fraudulent activity has been detected on your account. The email will usually contain a link to click on or an attachment to download. If you open the attachment, malware will install itself on your computer. If you click on the link, you will be directed to a fraudulent website. You will be asked to enter your personal details to claim a prize or ‘protect’ your account by verifying the details ‘on file’ are correct.

Denial-of-Service (DoS) Attacks

A denial-of-service (DoS) attack disrupts the service to a network. This attack involves a person using multiple computers to send a high volume of data through a network until the network is overloaded and no longer able to function. As a small business owner, it is unlikely that your business will become the target of a DoS attack as the victims of these attacks are usually governments and large organisations.

As is the case with other types of cyber-attacks, the best way to keep your system secure is to install software updates, use online security systems (including anti-virus software and firewalls), and monitor your network to detect any unusual changes in traffic.

HEI TAUIRA:

Example: Aunt Ethel

Ethel lives with her niece, Gertrude. Ethel retired a number of years ago and is bored being on her own during the day while Gertrude is at work. Ethel decides to use Gertrude’s computer (which is not password-protected) to entertain herself before she starts the daily housework.

Ethel opens Gertrude’s email client (which has her password automatically saved) and downloads her mail from the server. Ethel finds an email from NZF Bank (neither Ethel nor Gertrude are customers of this bank) asking her to click on a link to be taken to the bank’s ‘website’. Ethel clicks on the link and is taken to a fraudulent website which looks like the actual NZF Bank website (at least it does to Ethel).

The website states Ethel has won a prize worth $500,000 for being a loyal ‘customer’. She is delighted as she will finally be able to have a holiday overseas! All she needs to do is ‘confirm’ her personal details and the money will be deposited into her bank account.

Ethel enters her personal information (full name, address, phone number, date of birth, bank account number, credit card number, and IRD number) into the website. Unfortunately, in doing so Ethel has fallen for the bait, and the cyber attacker walks away with her personal information to use however they wish. Gertrude is not happy when Ethel informs her of their ‘winnings’ and Ethel is not happy to discover she has been a victim of phishing, as she thought she was going to get a relaxing ocean cruise.

Automatic Downloads

An automatic download is malware in the form of software which is automatically downloaded to a computer whenever someone visits the website. Unlike other downloads, it does not require any type of action from the person visiting the website (through a download confirmation pop-up) to begin the download. It works by downloading code to the computer which, in turn, downloads the software.

The best way to prevent unauthorised software from automatically downloading to your computer is to make sure your operating system and software applications are up-to-date. This reduces the risk of your computer containing any vulnerabilities which could be used to introduce malware and malicious code. It is also recommended that you limit the number of browser add-ons you have installed.

Rogue Software

Rogue software is malicious software that acts as legitimate and necessary security software that will keep your computer and network safe. The software developers make pop-up windows and banner alerts that look genuine. These alerts usually advise the person viewing a website that their computer or network is unprotected and to ‘fix’ this they will need to download software or an operating system update to remain protected. By clicking ‘yes’, the software is downloaded to the computer.

The best protection against rogue software is to ensure your business has up-to-date anti-virus and anti-spyware software, as well as an updated firewall. It is still possible for rogue software and other types of cyber-attacks to sneak through your security software if it is not regularly updated. Therefore, make sure your security software is set to update automatically.

Ransomware

Ransomware prevents a person from accessing their system by locking the computer unless a ransom is paid. Once the ransom is paid, usually through an online payment, a decrypt key is sent to the victim to unlock their computer. Payment is often in cryptocurrency or iTunes and Amazon gift cards.22

DEFINITION:

Cryptocurrency: An encrypted data string that denotes a unit of currency. Trend Micro. (2017).

There are many ways for a person to encounter ransomware. It can be downloaded onto a computer through a malicious website or it can be downloaded by other malware. It can also be downloaded to a computer as an email attachment. Once it is executed, ransomware can lock a computer screen or encrypt certain files to prevent the victim from using their computer. The victim will be provided with information on how to pay the ransom and regain access to their computer upon payment.

Example: Moutere

Moutere is shopping online for a birthday gift for his mother when a pop-up window appears, informing him that his computer shows signs of viruses and malicious software. The pop-up window recommends the download of a free security scan, which will identify any vulnerabilities and malicious software.

Moutere is concerned about the security of his computer, so he downloads the software. It only takes a few seconds to scan his entire computer. The report identifies the presence of 35 viruses, 19 worms, 13 trojan horses, and 5 bots infecting Moutere’s computer. The scan provides a ‘free technical support’ number to contact immediately to have the malicious software removed by a certified technician.

Moutere speaks to ‘David Jones’ at ‘Microsoft Technical Support’ who confirms the presence of these infections. He informs Moutere that he will need his IP address to remove the infections and that it will require a yearly fee of $199 USD. Moutere feels this is a lot of money, but as his computer has photos of his family, as well as personal information, he decides he has no other option but to pay.

Fortunately, as Moutere is about to log in to the ‘Microsoft Technical Support’ website (a malicious website designed to look like an authentic Microsoft website), Taitimu, his father, arrives home and tells his son to hang up immediately. Taitimu informs Moutere of the scam and what could have happened to his computer (and credit card) if he allowed the ‘technician’ to connect.

Paying a ransom does not guarantee that you will receive the decryption key or unlock tool required to regain access to your computer. In fact, there may not even be one! It is not uncommon for cyber criminals to request a further ransom or to increase the price of a ransom again and again, even after multiple payments have been made.

Steps to Improve IT Security

There are several steps you should take to protect your small business’s systems and data, many of which have been mentioned in the previous discussions. A summary is as follows:23

• Make sure your computers, servers, and wireless networks are secure.

• Use anti-virus software.

• Use anti-spyware software.

• Use commercial, up-to-date, firewalls.

• Regularly update software to the latest versions.

• Use data backups that include remote storage.

• Secure your passwords.

• Train staff in information technology policies and procedures.

Unfortunately, not only is the level of cyber threat increasing in New Zealand, but the nature of these threats is becoming more complex. The National Cyber Security Centre recorded 338 incidents in the 2015/16 year compared with only 190 in the previous year.24 The fact New Zealand is geographically isolated from the rest of the world counts for very little when it comes to cybersecurity.

23 Business Queensland. (2016b).

24 Staying Ahead of the Cyber Criminals. (2017).

Data Storage

There are many ways you can store and protect your business’s data. The first step is to make sure you are aware of what types of data you have, and where it is currently stored. This includes both paper-based records and electronic documents that you have stored on a computer or server.

This data may include:

• Emails

• Invoices issued and received

• Receipts

• Accounting records (including those on accounting software)

• Email distribution lists

• Customer details

• Employment records

• Sales data

• Files created by you and your employees as part of your work

• Contracts

• Data on mobile phones and tablets

Storage Options

After identifying the data you have, the next step is to identify how you will store it. No business ever wants to lose data, but some data is so valuable to a small business that losing it could have disastrous and irreparable consequences.

Some storage options are listed below. In considering the types of storage you will use in your business, think about who will require access to the data, as well as the details of your business continuity plan. You will need a data storage solution that allows the right people access to the data, even following an emergency, without compromising the safety and security of your business.

Data storage options:

` Computer Hard Drive: If you do not have a large amount of data, the hard drive in your computer is an option. As it is probably connected to the internet, it is important to think about how you will protect your data against hackers. You will also need to think carefully about how the data is backed up.

` Server: A server is a powerful computer that provides a business with its own network. Depending on your needs, they can be quite expensive, and you will need IT support to set it up and maintain. Since it may store data from all employees’ computers, you also need to ensure access to files is restricted to those who need it.

` External hard drive: These often (not always) offer more storage than a standard hard drive, are inexpensive, and easy to transport. They are especially useful for backing up data and offsite storage, but like any hard drive, storing data on a hard drive is not without risk if it gets damaged or lost. If you carry them around, remember that they can be lost or stolen, so it is best to choose a hard drive which is password protected.

` USB drive: This is also known as a USB stick or a flash drive. Until recently, these could only store a moderate amount of data. However, they can now store much more data than most small businesses require, and are very inexpensive. Although USB drives are useful for storing and transporting your data, their small size means they are easily misplaced, lost, or damaged.

` Disc: DVDs and CDs are generally not good storage options. They only store relatively small amounts of data – a common amount is 4.5GB on a DVD, for example. Other disadvantages with discs are that it can take a significant amount of time to ‘burn’ data to DVDs and CDs, they are easily damaged and, due to better storage options now being available, it is common for new computers to not even have a DVD / CD option.

` Cloud storage: Cloud storage involves using servers on the internet which store and manage data. Cloud storage is generally the most recommended option for data storage and has significant advantages over ‘traditional’ data storage.

• For example, if you store your data ‘in the cloud’, you can access it from any location in the world with internet access. You do not need to carry around a physical storage device, like a portable hard drive or USB drive, and there is significantly less risk to your data being damaged should a natural disaster affect your business premises. Most cloud storage businesses provide some free cloud storage, with the option of paying for additional storage through a monthly or yearly payment plan.

USEFUL WEBSITES:

Some of the most popular online cloud storage providers are OneDrive, Google Drive, Dropbox, and iCloud.

• Microsoft OneDrive – http://www.onedrive.com

• Google Drive – http://www.googledrive.com.

• Dropbox – http://www.dropbox.com

• iCloud – http://www.icloud.com

Factor to Consider:

It is a legal requirement that some data is held for a specific amount of time. For example, New Zealand tax records must be kept for seven years before being destroyed. Furthermore, it needs to be held in New Zealand, unless approval has been given by the IRD for it to be held offshore.

Backing Up

You should regularly make copies of data (this is referred to as ‘backing up’) in case the original data is lost or stolen. It is a necessary part of data recovery. If you store data in a cloud storage facility then this should be automatically done for you, but you will need to check this is the case. If you do not store your original data online, you should choose an option that backs up data automatically, so that you do not have to keep remembering to do this.

The following are useful tips you should consider when backing up your data:25

` Do it regularly: If your backup is not automated, you should backup manually each day that you generate data. Consider the amount of data you create, and the risk you face from not having it backed up, when deciding how often to back up.

` Secure it: Protect files with passwords, which should be kept securely (at work and offsite).

` Back up everything: This includes data on any device used for your business (including mobile phones and tablets).

` Keep several copies: Store copies of backups in various locations to spread the risk.

` Test it: Check your backup process works by trying to retrieve stored data.

As a small business owner, data backup is one of the best types of insurance you can have. It does not need to be expensive, and some providers charge a flat annual fee rather than regular monthly payments.

User Access

It is important to limit access to data to the minimum that your employees need to do their job. Having up-to-date security software is important, but no amount of technology can provide your business with total protection against poor practices and malicious employees. Thus, by minimising access, you reduce the risks associated with each employee’s access to your business’s information technology systems.

Likewise, it is even more critical to remove a former employee’s access to your business’s information technology systems when they leave your business. When a former employee leaves your business, and they still have user access to your network, they can cause more harm than if they were still an employee of your business. This is particularly true if the employee has a feeling of resentment.

Passwords

We have already mentioned the importance of strong passwords to protect your devices, data, and, ultimately, your business. In addition, it is also important that you do not use the same passwords for all your devices. For example, keep a different password on your mobile phone, tablet, notebook computer, and desktop computer. Never use the same password twice.

If someone cracks the password on your tablet (for example), they will likely try the same password on other devices to attempt to access them. With different passwords on each device, there is less likelihood of a hacker getting access to your sensitive information in a single ‘hit’. If you believe a password or account has been compromised, it is important to change your passwords on all of your accounts and systems.

You should never leave default ‘factory’ or administrator passwords on your WiFi router or on other devices related to your business. These default passwords could be printed on a small sticker attached to the bottom of the router, and on other devices, such as a notebook computer. This makes it easy for an employee, contractor, or potentially a customer to have access to your WiFi and network.

As well as removing your former employees’ network access, it is important to change your business’s passwords every time an employee leaves your business, especially if the employee was dismissed or left on bad terms. For example, a former employee may access your network using a password s/he was provided with and, from there, could potentially erase an entire database of contacts. Another way to prevent this is to set your accounts to automatically ‘lock’ after three or so incorrect attempts.

25 Ibid.

Example: Des

Des was involuntarily dismissed by his employer for endangering the lives of customers and employees by recklessly driving a forklift through a wall when he was angry. This caused extensive physical and financial damage to the property and Des was not authorised to drive a forklift as he did not have a forklift licence. Due to the seriousness of the incident, Des was instantly dismissed.

Des feels he was unfairly dismissed, so he decides to get revenge on his former employer. He logs in to the store email system (using a password he was given in his role as store administrator) and sends an email full of bad language to every customer and business in the store’s address book. He signs the email with the store manager’s name so it appears that the disgusting email is from the store manager.

There are four steps you should take to protect your business when an employee leaves (particularly a disgruntled employee):26

1. Get your IT team or provider involved. You will need your IT team or provider to help you with the exit process. It is important they are told before you meet with the employee, so that they can block access to systems while your meeting with the employee happens.

2. Shut down access. This involves changing passwords.

3. De-board your former employee. This involves disabling your employee’s Office 365 and Google accounts and any other business applications. You should also remove licences or transfer them to a ‘pool’ for a new employee to use and ensure remote access and any other accounts that are accessible from outside the office have been disabled or blocked to prevent access. There should be a plan for obtaining the employee’s mobile phones, laptops, access cards, files, and other IT assets that belong to the business.

4. Check and clean up. You should check that the previous three steps have been taken. Once your former employee has formally exited your business, it is important to test email and server access to ensure nothing is left active. You should also monitor the situation over a period of time in case there is an attempt by the former employee to access files or other valuable information.

Discussion Questions:

• What sort of situations would a business continuity plan protect you from?

• What IT support do you need to ensure your business’s data is protected?

• If you need to give an employee notice that their employment will be terminated, how should you protect your data during the employee’s last few weeks at work?

Part E: Business Risk

Anything that threatens a business’s ability to achieve its financial goals is considered a business risk. Some of these risks can be costly and time-consuming while others have the ability to destroy a business. Therefore businesses usually assess potential risks and prepare a plan to overcome these regardless the size of the business. Some common types of risks that business face are:

Type of Risk

Economic Risks

Compliance Risks

Security and Fraud Risks

Examples

• Market fluctuations

• Reduced sales – due to decreasing purchase environments

• Noncompliance with laws and regulations resulting in fines and penalties

• Hacking

• Data breaches

• Identity theft

• Payment fraud

Financial Risks

Reputation Risk

Operational Risk

• Interest rate fluctuation

• Bad debts

• Global Pandemic – increased cost and business closures

• Unhappy customers

• Product failure

• Lawsuits

• Negative tweets or bad reviews in social media

• Natural disasters

• Machine breakdowns

• Technological problems such as power outage, Wifi issues

• Human mistakes (employee mistakes may cost time and money)

• Global Pandemic – shipping delays

Evaluating Business Risks

Evaluating business risks, or risk assessment is a process of identifying risks the business may face that will have a significant impact on the business. The evaluation a business can complete is given below.

1. Identify all or an many potential risks the business may face.

2. Determine the likelihood of the risk occurring.

3. Assign a dollar loss amount to the potential risk and calculate potential loss to the business at the fiscal year end.

4. Decide if the business can withstand the loss

5. Devise a way to minimize or eliminate the risk.

Preparing a Business Continuity Plan

Unexpected events such as natural disasters, loss of key staff, or global pandemic effect can impact your ability to run your business. As your business is critical to your financial wellbeing, it is important to plan for these events so you can respond and recover quickly. This plan is called a business continuity plan.

Business continuity plans generally include:

• A detailed list identifying risks that could disrupt your business.

• Actions to be taken if an unexpected event occurs.

• List of key stakeholders and their role in relation to the plan.

• Plans for relocation strategy if your premises should be inaccessible.

• Emergency contact details.

• Details of where first aid and key documents are stored.

• List of key documents.

• Communication plan.

• A guide as to when the plan will be activated.

Part F: Business Insurance

“Insurance is the only product that both the seller and buyer hope is never actually used.”

- Unknown

What is Business Insurance?

As we have seen, your business and its assets face a number of risks. Protecting against these risks is good business practice and helps ensure your business can keep growing and making money.

Remember that when dealing with risk you have three basic options:

1. Accept the risk,

2. Reduce the risk, or

3. Transfer the risk.

In Part C, it was noted that risk can be transferred to an external party in a contract. However, a more common way to transfer risk, which applies to a much wider range of situations, is to buy insurance. This can protect you from losses due to events that occur during the normal course of business, regardless of whether you are entering into an agreement with a third party.

Every business should buy insurance to help cover a range of possibilities, such as:

• Damage to stock or business vehicles.

• Business interruption through fire or breakdown.

• Injury to people.

• Damage to property caused by your or your employees.

• Medical costs and loss of income if you are ill.

• Theft by employees or customers.

• Accidentally breaking the law.

DEFINITION:

Insurance (rīanga): A method of protecting against risk. Generally refers to the situation where regular payments are made to a company in return for them agreeing to provide payment for certain services or a fixed amount of money in the event of a loss, damage, illness or injury suffered by the insured.

Business Terms in Aotearoa. (2012).

Finding the right insurance is a critical part of managing the risks involved in operating your business.

There are several reasons why your business needs insurance:27

` To follow the law. Some types of insurance are compulsory for many types of businesses. For instance, ACC levies are compulsory to insure against workplace injuries.

` To protect against legal action. In the event of a lawsuit or liability claim, even one you win, insurance may be needed to prevent you from going out of business because of the costs of legal defence.

` To keep your business up and running. If your business needs to stop operating because of, say, a natural disaster, insurance can protect you against loss of income and enable you to pay employees while you recover from the event.

` To make you look credible. Insurance can show your potential clients and customers that you take risks seriously and put effort into managing them.

` To protect your employees. Employees are just as important as your products / services, equipment, premises, and brand, and you should protect them in the event of an accident. In addition, protecting your employees’ interests can also protect yours – against lawsuits or liability claims.

` To protect your business against your absence. Insurance can cover the loss of income if you, the owner, stop ‘running’ the business because of an accident, medical condition, or some other unfortunate circumstance that takes you away from it.

` To meet contractual requirements. Some of the contracts you need to sign for your business may require you have insurance. This could include contracts to lease premises, borrow money from the bank, or carry out services for another business.

` To protect against uncertainty. The future is impossible to predict, so it is best to be insured to give yourself some peace of mind.

Your business insurance needs will vary based on the size and location of your business, the industry you operate in, the nature of your work, and your appetite for risk. A home-based hairdresser will face different risks to, for example, a coffee shop owner, a wedding photographer, or even a salon-based hairdresser.

There are a wide range of insurance types to protect against risk, and often the difficulty is in selecting which ones you will use (and which risks you are willing to face without insurance). You should perform a risk management analysis of your business regularly in case your situation changes and you require insurances that you previously did not consider necessary. Using the services of an insurance broker can be of value in this regard.

Here are some types of insurance for businesses, which will be briefly covered in the remainder of this seminar:

• Business property and asset insurance

• Business liability insurance

• Commercial vehicle insurance

• Business interruption insurance

• Business life and health insurance / workers’ compensation insurance

• Contract works insurance

• Machinery breakdown insurance

• Cyber insurance

27 Chaney. (2016).

USEFUL WEBSITES:

Business insurance coverage needs to suit you. It is recommended that you work with expert insurance brokers and ‘shop around’ in order to find the best coverage for your business. Below are a number of insurance companies and brokers to consider.

• AIG, Business Insurance – https://www.aig.co.nz/business/products.

• AMI Insurance, AMI Business Cover – https://www.ami.co.nz/business

• ANZ, Business Insurance – https://www.anz.co.nz/business/business-insurance/

• FMG Advice & Insurance, Commercial – https://www.fmg.co.nz/we-cover/businesses.

• NZI, Business Insurance – https://www.nzi.co.nz/en/what-we-cover/businesscover.html?PPC=1&gclid=Cj0KCQjwlOmLBhCHARIsAGiJg7mySC3KDZHSi_ S704mL1h0KsDuDijWSlrV0XYSqakZBO_UsCXpCBYkaAngGEALw_wcB&gclsrc=aw.ds.

• Tower Insurance, Business Insurance – https://www.tower.co.nz/business-insurance

• AIA, Business Insurance – https://www.aia.co.nz/en/life-and-disability/business-and-rural-insurance. html?gclid=Cj0KCQjwlOmLBhCHARIsAGiJg7kexviC3Uvx0yltLEhrzYQYLM5ScgCROArNR13FmLJ37WU9LlqYqkaAk7uEALw_wcB&gclsrc=aw.ds

• State Insurance, Business – https://www.state.co.nz/business

• Vero, Business Insurance – https://www.vero.co.nz/business-insurance.html.

• Vero Liability, Products – https://www.veroliability.co.nz/products.html

Business Property and Asset Insurance

Your business premises, equipment, contents, and stock are included in this type of insurance. However, this category is sometimes split into two different insurances covering:

1. property / buildings, and 2. assets / contents.

It works the same way as the property insurance and contents insurance you may have for your home and personal belongings.

Such cover normally means that if your business assets suffer sudden and accidental damage from something like fire or flood, you can get them fixed (or the cost of repairs paid for) or replaced. This cover can include your building, fixtures and fittings, furnishings and furniture, signs, plant and machinery, stock, tools, and employees’ belongings.

Contents can also be covered against theft, but generally this is if there has been forcible entry to or exit from the premises (as opposed to shoplifting). Damage to your building resulting from theft, or attempted theft, is also normally covered.

Business Liability Insurance

Liability insurance manages the risks of legal action being taken against your business. That is, it covers legal costs and expenses that may result from claims that your business activities, products, or employees have caused accidental property damage, physical injury, breaches of statute, or mistakes when providing professional advice.

DEFINITION:

Liability insurance (rīanga taunaha): A type of insurance that protects someone against claims regarding something that they were responsible for. For example, liability insurance can be used to protect a consultant who provides poor advice, protect a business that sells a product that causes damage to the purchaser’s property or protect against negligence, etc.

Business Terms in Aotearoa. (2012).

This type of insurance can protect your business from legal action initiated by customers, shareholders, and regulatory bodies. It can also protect directors and company officers from personal or business losses.

There are numerous types of liability insurance, with some of the most common forms being:

• Public liability insurance,

• Product liability insurance,

• Employers’ liability insurance,

• Statutory liability insurance,

• Professional indemnity insurance, and

• Directors’ and officers’ liability insurance.

Be aware that among these types of liability insurance, there are two different ways they are triggered:

• Some policies are ‘occurrence’ policies. These include public liability insurance, product liability insurance, employers’ liability insurance, and statutory liability insurance. These provide cover when the event that gives rise to the claim occurs within the period of insurance.

• Some policies are ‘claims made’ policies. These include professional indemnity insurance and directors’ and officers’ liability insurance. These provide cover when a claim is made within the period of insurance regardless of when the claim originally occurred.

Public Liability Insurance

In business, mistakes happen. These mistakes could be your fault or not, but either way you could be held responsible. Public liability insurance covers your legal liability for any accidental property damage, economic loss, or personal injury caused while you or your employees are doing business. It can also help with a claim against your business if someone is injured at your business premises or as a result of work carried out by your business. You are only liable if you are found to be negligent – that is, if you failed to act with the level of care expected from a “reasonably prudent person” under the circumstances.

If your business requires customers or members of the public to visit your business premises or home, or if you visit their premises or home to conduct work, public liability insurance is very important. It provides legal protection to a wide range of businesses, ranging from tradespeople like builders, painters, electricians, and plumbers, to consultants, retail operators, and property developers, among others. For some consultants and businesses this type of liability insurance is a necessity and may be a requirement of contracts held with customers.

This insurance not only covers the cost of compensation, but the claimant’s legal fees and your costs of defending the claim as well. This could potentially save you from costs of thousands of dollars – costs that could be enough to put a small business out of business!

HEI TAUIRA:

Example: Porini

Porini owns and runs a small construction business, Riveting Work Ltd. While carrying out renovations to the kitchen and dining room of a client’s house, one of Porini’s employees damages the dining table while joking around with his workmate. Fortunately, Porini has always kept his public liability insurance up-to-date, so his insurance company covers the cost of compensation to the client. Despite this accident, Riveting Work leaves the client happy with the work they have done.

Product Liability Insurance

If your business manufactures, imports, or supplies products for sale on the general market, product liability insurance needs to be considered. Even if you take every measure possible to reduce the risk of unsafe products, you can find yourself liable for defective products or damages caused by a product you have supplied. In addition, you can be responsible for the products you manufacture, import, and supply for a long time after the work is undertaken. Product liability insurance covers compensation costs and defence costs.

Employers’ Liability Insurance

This liability insurance provides cover for personal injuries to any employee (including temporary and part-time employees) of your business that are not covered by ACC. Everybody in New Zealand has ACC cover for personal injuries caused by accidents at work. ACC also covers gradual injuries, diseases, and infections caused by work.

However, ACC does not cover a number of work-related injuries, illnesses, and situations. These include:

• Occupational stress.

• Injury (such as heart attack or stroke) caused by stress or mental strain arising out of employment.

• Depression, anxiety, mental anguish, and other emotional issues not accompanied by physical injury.

• Disease or infection caused by air conditioning systems or passive smoking.

• Gradual injuries that are not due to a work task.

This insurance covers for any loss that your business may experience from a personal injury claim made by an employee, including legal defence costs and any fines and / or damages awarded.

Statutory Liability Insurance

No matter what work or industry your business is in, there are numerous pieces of legislation that you and your employees need to comply with. Statutory liability insurance covers your business for loss resulting from claims that you have breached the law. What this means is that if you unintentionally breach an Act of Parliament and, as a result, face prosecution, unforeseen legal expenses, fines, or penalties, your insurance will cover the costs of defending yourself and the costs of fines and penalties.

This insurance gives you cover for issues arising from breaches of laws such as:

• the Fair Trading Act 1986,

• the Resource Management Act 1991,

• the Consumer Guarantees Act 1993,

• the Building Act 2004,

• the Financial Reporting Act 2013,

• the Health and Safety at Work Act 2015, and

• many other laws.

In regard to the Health and Safety at Work Act 2015, businesses are prohibited by law from insuring for fines. However, statutory liability insurance does cover you for legal defence costs and for reparations (amounts to be paid to the victim or their family for emotional, property damage, or consequential losses) imposed by the courts under the Health and Safety at Work Act 2015

In addition, statutory liability insurance does not cover police prosecutions or Inland Revenue Department (IRD) proceedings, nor does it cover a reckless or deliberate breach of statutory requirements.

Professional Indemnity Insurance

This type of insurance provides protection against liability costs resulting from the provision of incorrect or faulty professional advice or services, and against costs associated with any legal action. It can also cover defamation, breach of confidentiality, unintentional infringement of intellectual property (IP) rights, and liability or loss through dishonesty by employees.

TĪWHIRI:

Public liability insurance (discussed earlier) does not provide protection if there is financial loss only. Normally it is restricted to just legal liability for injury to people and / or damage to property. It also does not provide protection if the cause of the loss was a breach of professional duty. Professional indemnity insurance does cover for these circumstances.

Remember that it is important you talk to an expert to find out which type(s) of liability insurance you need.

Professional indemnity insurance covers you against any action by clients who believe they received bad or negligent advice or services, and have incurred a loss as a result. This can happen to even the most careful and capable professionals. Even if you are not at fault, you may need to spend significant amounts of money to defend against a claim.

Anyone who supplies their opinion, advice, or other professional services to their clients should have professional indemnity insurance. This includes lawyers, real estate agents, property surveyors and valuers, doctors, engineers, architects, IT consultants, software and website designers, financial advisers, accountants, project managers, and insurance brokers.

This insurance covers claims made while the policy is in force, and usually includes claims relating to an event that occurred prior to the policy start date. This is important because claims can sometimes take a long time to surface.

Directors’ and Officers’ Liability Insurance

The final type of liability insurance discussed here is directors’ and officers’ liability insurance. Directors and senior executives of companies can be held accountable for the actions of the business, and this insurance provides cover for risks involved in undertaking their duties on behalf of the company.

Legislation such as the Fair Trading Act 1986 and the Companies Act 1993 mean that company directors and officers may find themselves accountable to shareholders, creditors, employees, competitors, and members of the public.

This insurance provides protection for directors and officers for wrongful acts committed within their role of leadership in a business. It covers the amount that the director or officers is legally obligated to pay, including the cost of defending any claims. It also covers reimbursements to the company for the costs of meeting its obligations under the director’s indemnity provisions in the company’s constitution.

Commercial Vehicle Insurance

As with owning a personal vehicle, owning a business vehicle involves a number of risks. When a car accident occurs, people may be injured and their vehicles or other property may be damaged, and vehicle damage or loss can also result from theft, vandalism, or natural disasters. Commercial vehicle insurance, like personal vehicle insurance, protects you against this risk and any liability if an accident occurs.

Commercial vehicle insurance can cover the repair or replacement of damaged or stolen vehicles and your legal liability if you, an employee, or someone else using the vehicle with your permission accidentally damages someone else’s property or injures someone. It also covers loss or damage to property or goods being carried in the vehicle at the time of an accident. If you rely on your work vehicle to earn an income, you should also seriously consider extending the insurance to provide for a rental vehicle while your car is being repaired or replaced.

If an employee is using their own car for business, their personal insurance will cover them in the event of an accident. An exception to this is if they are delivering goods or services for a fee. In this case, commercial vehicle insurance will cover them.

Other Insurances

Business Interruption Insurance

When your business suffers a physical loss of business assets, its normal business operations are interrupted

The losses could be the result of fire, flood, earthquake, theft, or accidents. Business property and asset insurance covers you for the physical loss. However, the financial losses resulting from an interruption of your business can be more harmful than the physical loss. For example, damage to your premises may mean you are not able to open for business and earn an income, yet may still need to pay employees and other expenses.

Business interruption insurance, sometimes known as ‘business continuity insurance’, helps you carry on through the event and after the damage has been repaired. It does this by making sure you have the funds to maintain your income stream, to cover increased operational expenses, and to meet your financial obligations to the bank, shareholders, and staff while your doors are closed. It covers the loss of gross profit: the reduction in turnover and the increased cost of running the business during a period of business interruption. This type of insurance is especially useful to businesses that need a physical location to do business, such as retail stores.

This insurance also covers you for:

• interruption to the supply of goods to your business,

• access to your premises being limited or cut off, and for

• the interruption of public or private gas, water, or electric utilities to your business.

HEI TAUIRA:

Example: Anushka

Anushka has a rural clothing store called ‘Look No Further’ which specialises in possum fur and sheep wool products. Her customer base predominately consists of people travelling through her small town. The business has interruption insurance, including cover for prevention of access.

After a period of heavy rain, the region around Anushka’s business is flooded and major slips cut off access to the small town in which she is located. For several weeks, traffic was diverted to other roads, and Anushka had no customers at all. Look No Further’s business interruption insurance covered for the income Anushka lost during this period.

Business Health Insurance

Your business is more likely to succeed and grow if your employees are happy and healthy. Thus, a health insurance scheme for your employees is something you may wish to consider. Business health insurance is insurance provided to employees by their employer, or offered to employees through their place of work. It offers medical treatment, disability, trauma, income protection, and death benefits in the event of an employee’s sickness, accidental injury, or even death. This can bring peace of mind to yourself, your employees, and their families.

There are several kinds of insurance benefits you can offer your employees. Remember to seek expert advice to help you select the most appropriate benefits or combination of benefits for your business. The kinds of insurance include:

• Life insurance, which pays a lump sum in the event of an employee’s death.

• Total permanent disablement cover, which pays a lump sum if an employee is unable to work again due to sickness or accident.

• Income protection, which provides an income if an employee cannot work for an extended time due to sickness or accident and helps employees to manage financially when sick-leave entitlements run out.

• Critical illness / trauma insurance, which pays a lump sum if an employee becomes critically ill with one of the defined (in the insurance policy) critical conditions, such as major stroke, heart attack, or cancer.

• Additional benefits available under some insurance schemes include cover for rehabilitation expenses, and spouse and dependent children benefits.

This type of insurance can be a voluntary scheme in which the employee pays premiums, a subsidised scheme in which the employer pays premiums, or a partly-subsidised scheme in which the employee and employer each pay part of the premiums.

Providing subsidised health insurance, or providing access to a voluntary scheme, to your employees can reduce costs associated with absence and sick leave due to illness and improve employee loyalty and morale. It may also help attract and retain skilled staff, which can help future-proof your business.

Contract Works Insurance

If you are in the construction business, whether doing home renovations or building skyscrapers, this type of insurance protects your construction projects.

It covers any financial loss due to property damage at the construction site and loss of profit due to delays to the project because of this damage. It also covers equipment / machinery and building materials located at the construction site and in transit, the cost of architects, engineers and other professionals engaged to help you repair or replace your contract works, and the cost of demolition and debris removal if you have to clear a site in order to repair or replace your contract works.

Machinery Breakdown Insurance

Some businesses rely on specialist machinery to operate, and this machinery can be a significant investment. Machinery breakdown insurance is for businesses which rely on machinery in their day-to-day operations, and covers the repair or replacement costs of the sudden and accidental breakdown of mechanical, electrical, or electronic equipment. It does not cover breakdown due to wear and tear, and it does not cover vehicles.

If you are in the food industry (for example, if you run a restaurant), machinery breakdown insurance can make sure that your refrigerated goods are covered if your fridge or freezer breaks down.

Cyber Insurance

The last type of insurance covered in this seminar is one that many businesses do not think about: cyber insurance. However, given businesses are increasingly reliant on computers, the Internet, and the data they store on these devices, it should be considered.

Cyber insurance differs between insurers, but can include cover for the following:

• The liability of losing or misappropriating confidential customer or employee data (either accidental, such as through employee error, or deliberate, such as through cyber-attack).

• The loss of profits and extra expenses incurred due to an interruption to a computer network following a cyber breach.

• The cost of restoring, replacing, recollecting, or recreating data, systems, or hardware after a leak or breach.

• The costs and expenses of an investigation or fines following a privacy breach.

• The costs of external IT forensic and security consultants.

• The damages and defence costs incurred in regard to an infringement of someone’s intellectual property.

• Costs due to accusations of libel, slander, and defamation.

• Any losses due to cybercrime.

• The cost of any ransom payments to third parties required to end a cyber / privacy extortion threat.

Discussion Questions:

• Should you get all types of insurance that are available for your business situation? If not, how do you choose which insurances you should get?

• How does having good insurance cover affect your employees?

• What does liability mean? Why should you insure yourself against liability?

• What kind of businesses most need professional indemnity insurance?

• What types of businesses would benefit most from business interruption insurance?

References

Anderson, G., Andolina, E., Czerwinski, J., Varney, R., Warren, P. (2011). Managing Third-Party Relationship Risk. https://www.crowehorwath.net/uploadedfiles/crowe-horwath-global/publications/pubs/ risk12907%20third-party%20risk%20white%20paper_hi.pdf. (p. 3)

Business.govt.nz. (n.d.). Types of Intellectual Property. https://www.business.govt.nz/risks-and-operations/ intellectual-property-protection/types-of-intellectual-property/

Business Continuity Institute. (2017). Building Resilience by Improving Cyber Security. http://www.bcifiles.com/ BCIBCAWReport.pdf

Business Queensland. (2016a). What is An Information Technology Risk? https://www.business.qld.gov.au/ running-business/protecting-business/risk-management/it-risk-management/defined

Business Queensland. (2016b). What is An Information Technology Risk? https://www.business.qld.gov.au/ running-business/protecting-business/risk-management/it-risk-management/reducing.

Chaney, P. (2016). Top 10 Reasons Why Your Business Needs Insurance https://smallbiztrends.com/2016/09/ business-insurance-benefits.html.

Cisco. (n.d.). What is the Difference: Viruses, Worms, Trojans, and Bots? https://www.cisco.com/c/en/us/about/ security-center/virus-differences.html.

Copeland Ashcroft Law. (n.d.). In Confidence: The Role of Confidentiality in an Employment Relationship http:// www.copelandashcroft.co.nz/news/confidence-role-confidentiality-employment-relationship.

Covered. (n.d.). Business Interruption https://www.covered.org.nz/commercial/types-of-commercial-insurance/ business-interruption.

Employment New Zealand. (n.d.). Restraint of Trade https://www.employment.govt.nz/workplace-policies/ restraint-of-trade.

Harmans Lawyers. (n.d.). The Need for a Shareholders’ Agreement https://www.harmans.co.nz/about-us/articles/ the-need-for-a-shareholders-agreement-2.

Heaton, C. & Goddard, J. (2016). Employment Agreements Must Be in Writing https://www.morrisonkent.co.nz/ news/106/24/Employment-Agreements-Must-Be-In-Writing.

Informatica. (2011). Best Practices for Ensuring Data Privacy in Production and Nonproduction Systems. https://www.informatica.com/downloads/6993_Data_Privacy_BestPractices_wp.pdf. Investopedia. (n.d.). Business Insurance. http://www.investopedia.com/terms/b/business-insurance.asp

Joseph, C. (2017). What Is an Internal Customer & an External Customer? http://smallbusiness.chron.com/internalcustomer-external-customer-11698.html

Kjerulf, A. (2014). Top 5 Reasons Why ‘The Customer Is Always Right’ Is Wrong. http://www.huffingtonpost.com/ alexander-kjerulf/top-5-reasons-customer-service_b_5145636.html

Knockless, T. (2016). 5 Types of Cyber Attacks and How They Can Affect Your Business. http://www. propertycasualty360.com/2016/06/22/5-types-of-cyber-attacks-and-how-they-can-affect-y

Lambert, E. (2016). The Why, When and How of Non-Disclosure Agreements. https://www.linkedin.com/pulse/whywhen-how-non-disclosure-agreements-eric-lambert

Lawlink. (2016). Your Business and the Law. http://www.lawlink.co.nz/wp-content/uploads/2016/04/BusinessLaws-September-2016.1.pdf

LegalNature LLC. (2016). How to Make Your Partnership Work with a Shareholder Agreement. https://www. legalnature.com/article-center/shareholder-agreement/how-to-make-your-partnership-work-with-ashareholders-agreement

Lynch, S. (2016). Shareholder Agreements and Constitutions: Why Have Both? http://www.lynchandco.co.nz/wpcontent/uploads/2016/06/Shareholder-Agreements-Constitutions.pdf

Ministry of Business, Innovation and Employment. (n.d.a). Business Structure Overview. https://www.business. govt.nz/getting-started/choosing-the-right-business-structure/business-structure-overview

Ministry of Business, Innovation and Employment. (2015). Intellectual Property Rights. http://www.mbie.govt.nz/ info-services/business/intellectual-property/intellectual-property-rights

Ministry of Business, Innovation and Employment. (2016). Small and Medium Businesses in New Zealand. http:// www.mbie.govt.nz/info-services/business/business-growth-and-internationalisation/documents-imagelibrary/sbdg-2016-report.pdf

Ministry of Business, Innovation and Employment. (n.d.b). Storing and Protecting Data https://www.business. govt.nz/risks-and-operations/it-risk-and-avoiding-scams/storing-and-protecting-data

Mino IT Managed Services. (2017). Is your Business Protected? https://www.minoit.com.au/how-to-guides/is-yourbusiness-protected

Net Lawman. (n.d.). Confidentiality Agreements – Mutual Confidentiality Agreement https://www.netlawman. co.nz/d/confidentiality-agreement

New Zealand Intellectual Property Office. (n.d.). Overview – About IP https://www.iponz.govt.nz/about-ip/ overview/

New Zealand Intellectual Property Office. (n.d.c). Designs https://www.iponz.govt.nz/about-ip/designs

New Zealand Intellectual Property Office. (n.d.b). Filing a Treaty Application from New Zealand https://www.iponz. govt.nz/about-ip/patents/international/filing-a-treaty-application-from-new-zealand.

New Zealand Intellectual Property Office. (n.d.a). International Trade Marks https://www.iponz.govt.nz/about-ip/ trade-marks/international/.

Niesche, C. (2012). Howdy Partner: How to Stay on Good Terms. http://www.smh.com.au/small-business/ managing/howdy-partner-how-to-stay-on-good-terms-20120718-229ry.html.

NZI. (2017). 88% of NZ Businesses Unprepared for Cyber Attack http://www.nzi.co.nz/blog/pages/88-of-nzbusinesses-unprepared-for-cyberattack.aspx.

Office of the Comptroller of the Currency (U.S. Department of the Treasury). (2013). OCC Bulletin 2013-29: Third Party Relationships. https://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html. Rapid7. (n.d.). Common Types of Cybersecurity Attacks: A Look Inside the Attacker’s Toolkit. https://www.rapid7. com/fundamentals/types-of-attacks.

Sanderson, C. (2016). When Friends Fall Out – Shareholder Agreements. https://www.mvp.co.nz/mcdonald-vaguearticles/when-friends-fall-out-shareholder-agreements

SANS Institute. (2002). Introduction to Business Continuity Planning. https://www.sans.org/reading-room/ whitepapers/recovery/introduction-business-continuity-planning-559

Small Business Development Corporation (n,d.). Risk management. https://www.smallbusiness.wa.gov.au/legalrisk/risk-management

Standards New Zealand. (n.d.). Risk Management https://www.standards.govt.nz/search-and-buy-standards/ standards-information/risk-managment.

Staying Ahead of the Cyber Criminals. (2017). NZBusiness Magazine, 64(01), M12-M15

Suckling, Sheri. (n.d.) Business Continuity Planning: The Show Must Go On http://www.nzsafety.co.nz/graphics/ nzsafety/pdf/businesscontinuityplanning.pdf

Sullivan, M. (2017). 8 Types of Cyber Attacks Your Business Needs to Avoid. https://quickbooks.intuit.com/r/ technology-and-security/8-types-of-cyber-attacks-your-business-needs-to-avoid

Techopedia. (2017). Dictionary. What is Information Technology (IT)? https://www.techopedia.com/definition/626/ information-technology-it

Trend Micro Incorporated. (n.d.). Definitions – Ransomware https://www.trendmicro.com/vinfo/us/security/ definition/ransomware

Wheeler, E. (2011). Security Risk Management. Waltham, MA, U.S.A: Elsevier.

Williams, J. (n.d.). How to evaluate business risks. https://smallbusiness.chron.com/evaluate-decision-treemodel-22381.html

Disclaimer

The information in this publication is not intended as a substitute for professional advice. Te Wānanga o Aotearoa expressly disclaims all liability to any person / organisation arising directly or indirectly from the use of or reliance on, or for any errors or omissions in, the information in this publication, including any references to third parties. Whilst efforts have been made by Te Wānanga o Aotearoa to ensure the accuracy of the information provided, the adoption and application of this information is at the reader’s discretion and is his or her sole responsibility.

Copyright © Te Wānanga o Aotearoa, 2018. All rights reserved. No part of this material may be reproduced or copied in any form or by any means (graphic, electronic or mechanical, including photocopying, recording, taping or information retrieval systems) without the prior permission of Te Wānanga o Aotearoa. For further information and contact details refer to www.twoa.ac.nz.

This publication was revised in October 2021.

Business