By Saul Midler – CEO of Linus and BCI International Consultant of the Year 2013
Organisations don’t know if they have right-sized their business continuity (BC) capability. This is an issue as they may be under-spending on their BC capability and exposing their organisation to operational risk, or over-spending and wasting their precious budget on BC capability which will not help them respond and recover efficiently.
My experience is that most organisations under-spend on their BC capabilities, and many of those over-spend on their ITDR (IT disaster recovery) capabilities. Some organisations arrive at their position with very little rhyme or reason, while others are convinced that they have steered a true and trusted course when in reality they haven’t.
To confirm that you need a business continuity capability, you first need to understand the potential magnitude of loss from an operational disruption.
While there are many causes of operational disruption, one of the most prevalent is the loss of IT. Regardless of the cause, the loss of IT Systems and Services typically results in significant financial loss. While it’s not always about money, the magnitude of impact is typically expressed in financial terms. A survey from late 2013 estimated the average financial cost of an IT Systems disruption over three outage periods as:
- Outage of 20 minutes resulted in a loss of $1.05M
- Outage of 2 hours resulted in a loss of $4.25M
- Outage of 7 hours resulted in a loss of $14.25M
The survey found that just over 75% of the financial impact of an IT disruption of up to 7 hours was attributable to business costs such as reputation and brand damage, lost productivity, lost revenue, and compliance and regulatory failure.
Clearly you need protection – but how do you right-size your investment?
In many cases, I’ve seen the implementation of ITDR nearly to the exclusion of broader Business Continuity capabilities. IT is very tangible, very obvious, and its loss is very painful and widespread across the organisation. Other resources seem less critical than IT; for example, work from home is a typical strategy these days for loss of office space (i.e. desks, chairs, workstations and various office equipment). If you lose a supplier, then find another. If you lose a vehicle, order another, etc. I call these ad-hoc strategies, not plans, even though they are typically written into plan documentation.
My experience is that organisations typically implement ITDR according to a Service Level Agreement selected to meet available budget, which is less than required because business management don’t know what they are protecting.
In other cases, the CIO goes cap-in-hand requesting approval to buy ITDR capability with a business case structured around the capability desired instead of the loss to be avoided.
Alternatively, I’ve seen ITDR funding requests approved to deliver capability far beyond what the business actually needs. This is usually the case when business managers can’t or won’t tell IT what capability they need, so IT – usually with the assistance of the technology vendor (they are great salespeople!) – over-compensates by over-engineering the ITDR solution.
I see confusion in organisations that believe Risk Treatments are the same as business continuity capabilities. Spending money to remove identified risks still leaves the organisation exposed to the risks that weren’t or can’t be considered.
Some may say, regardless of what you need and how much you have to spend, risk appetites and commercial realities will come into play and result in an under-spend for business continuity capability. However, if you define business-driven BC requirements correctly then the target capability becomes very clear. To mix two concepts: When the impact is greater than the likelihood, the only solution is to implement the right capability. This is why Call Centres are often replicated and separated geographically. Does the organisation really believe that they will lose the call centre on the 8th floor of a CBD building this year? No, but they are prepared to spend the money because the impact would be “business over”.
To right-size your business continuity capability you need to consider the Goldilocks Principle. Spend too little and the organisation is exposed, spend too much and the organisation has wasted funds. The objective is to spend an amount that is “just right”.
The target for right-sizing your BC capability should be the delivery of the right level of capability, not the cost of the solution. There’s more than one way to deliver the capability – the question is: what is the most efficient way to ensure that you can respond and recover effectively?