Tuesday, 18 March 2014

Counting the costs and benefits of business continuity, a Non-Executive Director's perspective

Essentially the Non-Executive Director's role is to provide a creative contribution to the board by providing objective criticism. So I recommend that all Non-Executive Directors consider challenging the board to count the costs involved in deploying business continuity management and balancing these costs against quantifiable benefits gained from its Business Continuity Management System and Programme.

The Good Practice Guidelines suggest that embedding BCM is hard to measure, but secretly I believe that Executive Directors deep down in their hearts and minds know full well if they are merely trying to be compliant.

In the busy world of the Executive, maybe they only have time to ask if the business is adequately covered from a risk and business continuity perspective. Is it the difference between plausible deniability and culpable liability? To paraphrase a well-known political interviewer: “Did you know there was a problem, in which case you are culpable or did you genuinely not know in which case you were incompetent, which is it?”

Apply that logic to the board and ask them if they understand the relationship between, in some cases, hundreds of thousands they spend on business continuity management believing that it will deliver benefits should it be needed, without insisting on seeing the cost benefit analysis that proves the case, only to find that in reality, plans are hardly invoked or utilised even in a real event.

I can only suggest from experience that Top Management Executives are unlikely to ask the question: “Show me the costs associated with maintaining our Business Continuity Management System/Programme and tell us how much deploying our strategy for resumption will cost if invoked and the savings, yes, savings to the business in reducing the impacts to the business over a known time scale.”

If business continuity professionals were pressed to answer this question, they would have to take a more commercial view of business continuity, they would have to truly align to risk disciplines and share common risk and impact scales and they just may invite procurement professionals to assist in quantifying response strategies and tactic and resource requirements.

This would lead to Top Management Executives having a genuine opinion, to give a mandate and possibly believing that business continuity does indeed add commercial advantage to your business.
So, I implore Non-Executive Directors and Heads of Audit Committees, challenge your Top Management Executives to prove the commercial case for undertaking business continuity management for your business.

Ask your Chief Risk Officer or their equivalent in your business:

  • How much do we spend annually on business continuity management, without an incident taking place?
  • How much would you estimate we would spend on deploying our strategy and tactics during a disruption and in achieving the timescales for resumption how much cost avoidance would we achieve in monetary terms?

Even as I write this, the national news talks of under spending and being under prepared for severe disruptions, they offer the costs associated with preparedness and with failure, within days or weeks of an event.

So I will say it one more time, why do we not estimate these impacts in monetary terms using the same methods as undertaken post event – but do this in advance. Why can we not offer Top Management Executives fixed and variable costs (including invocation) set against the cost of impacts over time? Let them decide their Maximum Attitude to Disruption M.A.D.

Finally, why don’t Top Management Executives ask these questions, rather than simply are we covered?

By David Window
Non Executive Director at Continuity 22301 Ltd

Counting the costs and benefits of business continuity, the BCI Technical Director's perspective

For those of you who think BCM is expensive, try operating without it.

Business Continuity has often been treated almost as an ‘act of faith’. Common sense has suggested that well prepared companies are likely to recover from an unexpected interruption quicker than unprepared ones; that they are likely to lose much less money by being productive again more quickly.

In times of financial restraint, with organizations looking to squeeze costs wherever possible this position is hard to defend, in some cases it simply no longer works. It is not too difficult to find out how much is directly lost as a result of disruptive incidents; in fact our friends from the insurance world have facts and figures about all types of incident – the amounts claimed, the amounts paid out and the actuarial data that supports the likelihood of every type of known problem.

This does however, leave difficulties for the BCM practitioner. Given the increasing attention paid to ‘black swans’, ‘unknown-unknowns’ or generally unpredictable events (illustrated again by the Malaysian aircraft disappearance), conventional risk pricing that requires forecasting both probability and loss expectancy is meaningless. For BCM people, how can we hope to quantify the potential loss connected to brand and reputation damage, market-share loss, share value collapse and more aggressive targeting by competitors?

Even if we can argue successfully (without detailed facts and figures) that we need to protect ourselves from the potentially terminal consequences of unexpected incidents, can we make a strong enough case for BCM as the solution? It is one thing to point out a problem, it is an entirely different thing to show you have the answer. For many years the BCI and other similar bodies have conducted regular surveys that demonstrate that the cost of business disruptions is significant. This has increased in line with trends such as ‘JIT’ manufacturing, complex and extended supply chains, increased off-shoring of services and purely cost driven out-sourcing of operations.

A soon to be released global survey indicates that almost 30% of respondents have experienced business losses of over $5 million as a result of a disruptive incident. This was up from less than 20% three years ago. The challenge for BCM professionals is not so much to shout about those facts (although that approach can help sometimes) but to show why Business Continuity can help both reduce the likelihood of suffering that loss at all, but if it should happen that the loss can be dramatically mitigated.

The wider dialogue taking place about resiliency throughout industry and government actually helps our case. In some ways recovery is simply a failure to be resilient, although total protection from everything is clearly impossible. The need to balance measures that make us inherently more able to withstand rapid changes in risk (political, environment, social and technological) with our ability to adopt and response as needed is the future for BCM thinking. What value do you put on success and what cost do you put on failure? Does effective BCM make the former a more likely outcome than the latter? The answer to those questions provide the justification for Business Continuity – in my view it is a modest investment for corporate decision takers who understand the real questions.

By Lyndon Bird
Technical Director at the Business Continuity Institute