Calculating the ROI of Business Continuity Management

Digital strategies & software to get your money's worth

Right now, business continuity is in fashion. Organizations, having performed post-mortems on their COVID response, reason that their preparations were inadequate; that they need to be more proactive in ensuring that mission-critical operations continue to work during unplanned disruptions.

It hasn’t always been like that. For a long time, organizations failed to resource business continuity programs adequately, viewing those programs as pure costs to the business.

Unfortunately, it’s not unlikely that this thinking will remerge once the present crisis threat recedes.

When that happens, how will business continuity practitioners get funding and prioritization for their programs?

We argue that practitioners will have to get comfortable making ROI-based arguments for business continuity management. Not sure how? This guide seeks to help practitioners deliver an executive-targeted business case for digital business continuity strategies and software platforms.

Why business continuity management is a business benefit

Let’s start at the beginning.

Outside of moments of crisis, executives fail to prioritize business continuity, because benefits derived from the program tend to be less visible than those derived from other mission-critical units.

Business continuity practitioners, as such, will have to push against this tendency to see business continuity as an expense. Instead, they must demonstrate to higher ups how their programs can be an asset.

This, of course, entails showing how the return will be greater than the overall cost. The easiest way to do so is calculate program ROI. The business continuity ROI showed to executives is the estimated cost of the program (including associated tools and resources) subtracted from projected revenue loss risked a disruptive event occurring without proper business continuity safeguards.

Top business risks to prepare for

But not just any disruptive event. Practitioners, here, must determine which risks pertain to their business.

Those risks, likely to change over time, will be based on factors such as geography, industry, political and regulatory climate, customer base, etc.

Generic risk indicators are a good place to start. For instance, the most recent Allianz Risk Barometerⁱ (2022) amassed a list of the top global risks; threats include the following:

• Cyber incidents
• Business interruption, including supply-chain disruption
• Natural catastrophes
• Pandemic outbreak
• Changes in legislation and regulation
• Climate change
• Fire, explosion
• Market developments
• Shortage of skilled workforce
• Macroeconomic developments, e.g., monetary policies, austerity programs, commodity price increase, deflation, inflation

Countries and regions face their own microeconomic developments, and so, risk often varies in predictable patterns.

In many advanced European, North American, and APAC economies, for instance, Allianz concludes the top risk is business interruptionⁱⁱ. Meanwhile, cyber incidents are considered the most pressing risk in powerful emerging economieslike India and Brazilⁱⁱⁱ.

The cost of unplanned downtime

Of course, executives don’t just want to know what’s likely to happen. They’ll demand to know how much unplanned downtime from that disruption is likely to cost them.

Costs, here, are likely to be higher than the C-suite thinks. What’s more, unplanned downtime is much likelier to happen than the C-suite imagines.

How much more likely? According to industry data, 82 per cent of companies have experienced at least one unplanned downtime incident over the past three years; most, in fact, have suffered multiple^iv.

Meanwhile, the costs associated with these incidents, calculated using a combination of direct and indirect costs, keep getting higher.

Unplanned cost estimates will often vary by industry; unplanned interruption in heavy industry, for example, entails higher machine costs.

Cross-industry estimates, though, can provide reliable data. Practitioners, for their part, can feed some of that data into ROI calculations. For instance:

Server downtime. The hourly cost of server downtime tops $1 million for 44 per cent of enterprises^v.

Data breach. In 2021, the cost of a data breach was $4.24 million, representing a 10 per cent jump in two years. Lost business (including increased customer turnover, lost revenue due to system downtime and the increasing cost of acquiring new business due to diminished reputation) constituted 38 per cent of the total, or $1.59 million.

Among other business interruption incidents, Allianz estimates that:

• The average value of a fire/explosion-related insurance claim comes in around $6.7 million.
• The average value of a storm-related insurance claim comes in around $4.4 million.
• The average value of an earthquake-related insurance claim comes in around $1.6 million.
• The average value of a machinery breakdown-related insurance claim comes in around $.62 million
• The average value of a water damage-related insurance claim comes in around $.55 million

Factors to consider when building your own ROI calculator for business continuity strategies and software

Labor costs

Labor costs equal the sum of direct, incidental, and recovery costs associated with employees during unplanned incidents.

• Direct costs are the total costs for employees impacted by a disruption
• Incidental costs equal idle time that employees are not working during a disruption
• Recovery costs constitute the time needed for employees to recover from an incident; recovery time often involves overtime.

Technology recovery costs

Similarly, idled technology that must be rebooted also costs the business. These recovery costs often include overtime, out-of-warranty acquisition costs, outside-vendor and consulting costs. Costs associated with system restoration also come into play.

Loss of business costs

Typically calculated as gross revenue divided by total minutes in a work year, these costs represent lost gross revenue from disruption. For instance, CNBC calculated that Apple made over $690 thousand per minute. An interruption of one hour would cost the business over $41 million.

Cost of customer confidence/service value

An intangible cost, loss of customer confidence and service value often results from unplanned disruption.

Best-practice business continuity strategies

Indeed, the costs of disruptions are increasing. Investing in digital business continuity strategies and software is meant to lower costs to the business – often even to put money back into the business when business continuity interventions identify expensive deficiencies before disruptions occur.

Of course, not all policy interventions will have the necessary ROI. Which ones will?

From the best-practice literature, we conclude that practitioners must coax senior leadership to demonstrate commitment to resourcing the following business continuity management activities:

• Ensuring that the business continuity policy and business continuity objectives are established and are compatible with the strategic direction of the organization.
• The business continuity policy should be:
  • Be available as documented information
  • Be communicated within the organization
  • Be available to interested parties, as appropriate.
• Ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization, with emphasis on the responsibility and authority for:
  • Ensuring that the BCMS conforms to the requirements of the document
  • Reporting on the performance of the BCMS

The business impact analysis (BIA) will also be the cornerstone of any risk management program liable to prepare for, respond to, and recover from disruptions this year. Here, organizations should use this process for analyzing business impacts to determine their priorities and requirements.

According to best-practice standard, ISO 22301, that process should involve the following:

• Define the impact types and criteria relevant to the organization’s context
• Identify the activities that support the provision of products and services
• Use the impact types and criteria for assessing the impacts over time resulting from the disruption of these activities.
• Identify the time frame within which the impacts of not resuming activities would become unacceptable to the organization
• Set prioritized time frames within the time identified in
• For resuming disrupted activities at a specified minimum acceptable capacity
• Use this analysis to identify prioritized activities
• Determine which resources are needed to support prioritized activities
• Determine the dependencies, including partners and suppliers, and interdependencies of prioritized activities.

These measures feed into the business continuity plan (BCP). The BCP provides guidance and information to assist teams to respond to a disruption and to assist the organization with response and recovery. Again, according to best-practice guidance, that plan should include the following components:

• The purpose, scope, and objectives
• The roles and responsibilities of the team that will implement the plan
• Actions to implement the solutions
• Supporting information needed to activate (including activation criteria), operate, coordinate, and communicate the team’s actions
• Internal and external interdependencies
• The resource requirements
• The reporting requirements
• A process for standing down

It’s not enough, however, to simply develop a BCP.

Reviewing and testing the plan is crucial, too, to evaluate suitability, adequacy, and effectiveness of its business impact analysis, risk assessment, strategies, solutions, plans, and procedures.

How to do it? Organizations will need to undertake evaluations through reviews, analysis, exercises, tests, post-incident reports, and performance evaluations.

From there, firm should also conduct evaluations of the business continuity capabilities of relevant partners and suppliers. Other measures include:

• Evaluating compliance with applicable legal and regulatory requirements, industry best practices, and conformity with its own business continuity policy and objectives
• Updating documentation and procedures in a timely manner, e.g., at planned intervals, after an incident or activation, and when significant changes occur

Digital software to help run every aspect of business continuity effortlessly

Best-practice strategies are only one part of the ROI calculus. Digital business continuity management software is the other.

Not all such platforms enhance ROI. Instead, practitioners will have to do due diligence to scout platforms that automate key business continuity management functions, to make business continuity planning and management easy by applying industry standards drawn from the latest versions of ISO 22301, ISO 22313, and ISO 22317.

The aim, here, should be to increase ROI with a platform that helps managers and executives determine disruption impacts and develop plans and recovery strategies to address risks. ROI is also derived from platforms that scale up to any incident and back down to business as usual.

When it comes to enhancing ROI, what other software capabilities matter?

Consider investing in business continuity management software that supports the following:

Business impact analysis

Built-in BIA tools provide a step-by-step process to identify critical activities, determine maximum periods of disruption, assess the risk and impact of disruptions, collect and document recommendations, and report across the business.

Find gaps easily

Collecting and aggregating data to highlight any critical activities, processes, assets, and resources lacking recovery strategies as well as untested recovery strategies that put the business at risk.

Monitor critical dependencies

Quickly identify dependencies between business activities and supporting assets or vendors and stay informed when one is at risk.

A central location for all plans

Business continuity plans, recovery strategies, and crisis response plans can all be developed, tracked, and reviewed to ensure optimal coverage.

Battle-test your recovery strategies

Supports tests and exercises to help business continuity and crisis teams refine and improve their response.

Integrated crisis and incident management

Built with crisis management principles to include response teams and embedded notifications workflows. Activities, process registers, and dependency dashboards. Get a consolidated view of all business activities, critical dependencies, or the status of BIAs to stay up to date and make better informed decisions.

Contact, asset, and vendor management

Manage key details of staff, contractors, customers, suppliers, regulators, and external parties. See reliant activities and related recovery strategies at-a-glance, to know which ones are potential risks to the business.

Monitoring dashboards

Display key information where (and when) it’s needed using flexible dashboards, analytics, and reporting that caters to stakeholders.

Finally, business continuity is in vogue now. But executives have long doubted whether they’re getting their money’s worth.

Further, there’s reason to believe that this thinking will return as the acute crisis phase of the pandemic recedes and recessionary storm clouds come into view.

Business continuity practitioners, in their turn, will have to get comfortable speaking the language of ROI, getting acquainted with how much unplanned disruption will cost the business.

From there, practitioners can make executive-targeted arguments for business continuity ROI.

ROI, here, won’t just come from strategies but also from business continuity management software solutions, like Noggin, that help companies get the best bang for their buck by running every aspect of the program effortlessly as well as ramp up during moments of crisis and back down to business as usual.

Sources

i. Allianz Global Corporate & Specialty: Allianz Risk Barometer 2022. Available at https://www.agcs.allianz.com/content/dam/onemarketing/agcs/agcs/ reports/Allianz-Risk-Barometer-2022.pdf.

ii. Ibid.

iii. Ibid.

iv. Sundeep Ravande, Forbes: Unplanned Downtime Costs More Than You Think. Available at https://www.forbes.com/sites/ forbestechcouncil/2022/02/22/unplanned-downtime-costs-more-than-you-think/?sh=d60c93636f7e.

v. Laura DiDio, Tech Channel: The Cost of Enterprise Downtime. Available at https://techchannel.com/IT-Strategy/09/2021/cost-enterprise-downtime.