Right now, business continuity is in fashion. Organizations, having performed post-mortems on their COVID response, reason that their preparations were inadequate; that they need to be more proactive in ensuring that mission-critical operations continue to work during unplanned disruptions.
It hasn’t always been like that. For a long time, organizations failed to resource business continuity programs adequately, viewing those programs as pure costs to the business.
Unfortunately, it’s not unlikely that this thinking will re-emerge once the present crisis threat recedes.
When that happens, how will business continuity practitioners get funding and prioritization for their programs?
We argue that practitioners will have to get comfortable making ROI-based arguments for business continuity management. Not sure how? This guide seeks to help practitioners deliver an executive-targeted business case for digital business continuity strategies and software platforms.
Let’s start at the beginning.
Outside of moments of crisis, executives fail to prioritize business continuity, because benefits derived from the program tend to be less visible than those derived from other mission-critical units.
Business continuity practitioners, as such, will have to push against this tendency to see business continuity as an expense. Instead, they must demonstrate to higher-ups how their programs can be an asset.
This, of course, entails showing how the return will be greater than the overall cost. The easiest way to do so is to calculate program ROI. The business continuity ROI shown to executives is the estimated cost of the program (including associated tools and resources) subtracted from the projected revenue loss risked by a disruptive event occurring without proper business continuity safeguards.
But not just any disruptive event. Practitioners, here, must determine which risks pertain to their business.
Those risks, likely to change over time, will be based on factors such as geography, industry, political and regulatory climate, customer base, etc.
Generic risk indicators are a good place to start. For instance, the most recent Allianz Risk Barometer[i] (2022) amassed a list of the top global risks; threats include the following:
Countries and regions face their own microeconomic developments, and so, risk often varies in predictable patterns.
In many advanced European, North American, and APAC economies, for instance, Allianz concludes the top risk is business interruption[ii]. Meanwhile, cyber incidents are considered the most pressing risk in powerful emerging economies like India and Brazil[iii].
Of course, executives don’t just want to know what’s likely to happen. They’ll demand to know how much unplanned downtime from that disruption is likely to cost them.
Costs, here, are likely to be higher than the C-suite thinks. What’s more, unplanned downtime is much likelier to happen than the C-suite imagines.
How much more likely? According to industry data, 82 per cent of companies have experienced at least one unplanned downtime incident over the past three years; most, in fact, have suffered multiple[iv].
Meanwhile, the costs associated with these incidents, calculated using a combination of direct and indirect costs, keep getting higher.
|Direct Costs||Indirect Costs|
Unplanned cost estimates will often vary by industry; unplanned interruption in heavy industry, for example, entails higher machine costs.
Cross-industry estimates, though, can provide reliable data. Practitioners, for their part, can feed some of that data into ROI calculations. For instance:
Server downtime. The hourly cost of server downtime tops $1 million for 44 per cent of enterprises[v].
Data breach. In 2021, the cost of a data breach was $4.24 million, representing a 10 per cent jump in two years. Lost business (including increased customer turnover, lost revenue due to system downtime and the increasing cost of acquiring new business due to diminished reputation) constituted 38 per cent of the total, or $1.59 million.
Among other business interruption incidents, Allianz estimates that:
Labor costs equal the sum of direct, incidental, and recovery costs associated with employees during unplanned incidents.
Similarly, idled technology that must be rebooted also costs the business. These recovery costs often include overtime, out-of-warranty acquisition costs, outside-vendor and consulting costs. Costs associated with system restoration also come into play.
Typically calculated as gross revenue divided by total minutes in a work year, these costs represent lost gross revenue from disruption. For instance, CNBC calculated that Apple made over $690 thousand per minute. An interruption of one hour would cost the business over $41 million.
An intangible cost, loss of customer confidence and service value often results from unplanned disruption.
Indeed, the costs of disruptions are increasing. Investing in digital business continuity strategies and software is meant to lower costs to the business – often even to put money back into the business when business continuity interventions identify expensive deficiencies before disruptions occur.
Of course, not all policy interventions will have the necessary ROI. Which ones will?
From the best-practice literature, we conclude that practitioners must coax senior leadership to demonstrate commitment to resourcing the following business continuity management activities:
The business impact analysis (BIA) will also be the cornerstone of any risk management program liable to prepare for, respond to, and recover from disruptions this year. Here, organizations should use this process for analyzing business impacts to determine their priorities and requirements.
According to the best-practice standard ISO 22301, that process should involve the following:
These measures feed into the business continuity plan (BCP). The BCP provides guidance and information to assist teams to respond to a disruption and to assist the organization with response and recovery. Again, according to best-practice guidance, that plan should include the following components:
It’s not enough, however, to simply develop a BCP.
Reviewing and testing the plan is crucial, too, to evaluate suitability, adequacy, and effectiveness of its business impact analysis, risk assessment, strategies, solutions, plans, and procedures.
How to do it? Organizations will need to undertake evaluations through reviews, analysis, exercises, tests, post-incident reports, and performance evaluations.
From there, firms should also conduct evaluations of the business continuity capabilities of relevant partners and suppliers. Other measures include:
Best-practice strategies are only one part of the ROI calculus. Digital business continuity management software is the other.
Not all such platforms enhance ROI. Instead, practitioners will have to do due diligence to scout platforms that automate key business continuity management functions, to make business continuity planning and management easy by applying industry standards drawn from the latest versions of ISO 22301, ISO 22313, and ISO 22317.
The aim, here, should be to increase ROI with a platform that helps managers and executives determine disruption impacts and develop plans and recovery strategies to address risks. ROI is also derived from platforms that scale up to any incident and back down to business as usual.
Consider investing in business continuity management software that supports the following:
Built-in BIA tools provide a step-by-step process to identify critical activities, determine maximum periods of disruption, assess the risk and impact of disruptions, collect and document recommendations, and report across the business.
Collecting and aggregating data to highlight any critical activities, processes, assets, and resources lacking recovery strategies as well as untested recovery strategies that put the business at risk.
Quickly identify dependencies between business activities and supporting assets or vendors and stay informed when one is at risk.
Business continuity plans, recovery strategies, and crisis response plans can all be developed, tracked, and reviewed to ensure optimal coverage.
Supports tests and exercises to help business continuity and crisis teams refine and improve their response.
Built with crisis management principles to include response teams and embedded notifications workflows.
Activities, process registers, and dependency dashboards. Get a consolidated view of all business activities, critical dependencies, or the status of BIAs to stay up to date and make better informed decisions.
Manage key details of staff, contractors, customers, suppliers, regulators, and external parties. See reliant activities and related recovery strategies at-a-glance, to know which ones are potential risks to the business.
Display key information where (and when) it’s needed using flexible dashboards, analytics, and reporting that caters to stakeholders.
Finally, business continuity is in vogue now. But executives have long doubted whether they’re getting their money’s worth.
Further, there’s reason to believe that this thinking will return as the acute crisis phase of the pandemic recedes and recessionary storm clouds come into view.
Business continuity practitioners, in their turn, will have to get comfortable speaking the language of ROI, getting acquainted with how much unplanned disruption will cost the business.
From there, practitioners can make executive-targeted arguments for business continuity ROI.
ROI, here, won’t just come from strategies but also from business continuity management software solutions, like Noggin, that help companies get the best bang for their buck by running every aspect of the program effortlessly as well as ramping up during moments of crisis and back down to business as usual.
i. Allianz Global Corporate & Specialty: Allianz Risk Barometer 2022. Available at https://www.agcs.allianz.com/content/dam/onemarketing/agcs/agcs/reports/Allianz-Risk-Barometer-2022.pdf.
iv. Sundeep Ravande, Forbes: Unplanned Downtime Costs More Than You Think. Available at https://www.forbes.com/sites/forbestechcouncil/2022/02/22/unplanned-downtime-costs-more-than-you-think/?sh=d60c93636f7e.
v. Laura DiDio, Tech Channel: The Cost of Enterprise Downtime. Available at https://techchannel.com/IT-Strategy/09/2021/cost-enterprise-downtime.
Published: 28 September 2023