The results of Continuity Central’s
survey into whether a return on investment calculation is made as
a part of the BC process.
One of the most common questions
asked through Continuity Central's FAQ service
is how to calculate the return on investment made in business continuity
activities and processes. Continuity Central therefore decided to
conduct an anonymous survey to discover what global trends there
might be in this area.
The survey found that very few business continuity
managers are making a return on investment figure calculation. Only
16.3 percent of respondents have done so.
Survey respondents who did not make ROI calculations
were asked why they didn’t do so, and those that did were
asked to give a short summary of how they went about it. Some of
the responses were as follows:
Reasons why an ROI calculation is not made
Responses could be grouped into broad areas:
* Difficulties in making the calculation
“It's extremely difficult to calculate empirically.”
“The impacts are mainly intangible and therefore extremely
difficult to quantify.”
“It’s not possible to quantify the benefits of business
continuity activities.”
“Seems too difficult to calculate. The value is realised during
and after a crisis.”
“We are not sure how to calculate it.”
“Difficult to quantify the value of intangibles.”
“Not enough data or information.”
“Almost impossible to calculate where business continuity/resilience/normal
processes start and disaster recovery stops. Any ROI figure would
not reflect total input to business continuity and would only be
meaningful to justify certain projects. Ultimately a proportion
of the IT budget has to be spent on business continuity but that
proportion is sometimes questionable.”
“It is too complex a discussion and calculation.”
“We feel there are too many non-tangibles to get a true ROI
picture.”
* Lack of information on how to do it
“Lack of knowledge”
“I don't know how to calculate it.”
“We don't have tools for the calculation.”
“Unable to figure out how this calculation should be made.”
“Unsure how to calculate. Business areas rarely understand
or know the financial impact of losing their business. Would like
a simple to understand and adopt solution.”
“We are moving from disaster recovery to business continuity
and I am not sure how to do it yet.”
“Don't know how to determine ROI for DR.”
* Lack of commitment to the process
“It has never been taken seriously.”
“Business has not thought of doing it.”
* Not an important issue
“Not considered.”
“Not considered to be a factor, considering plans would only
be invoked in a crisis.”
“Wasn't considered critical.”
“Not required by the executive.”
“The requirement is regulatory and whilst we may be able to
calculate loss of business for the whole of the company stopping
due to disaster, the 'return' is more to do with meeting regulatory
obligations. We see cost of business continuity activities as a
necessary working cost.”
“Business continuity is an essential requirement that needs
no additional justification.”
“Decisions to spend money are based more on the concept that
if it is worth doing, it is worth paying for. Management places
a great deal of trust in the employees to make the correct decisions.”
“Business continuity is mandated by regulators so a ROI is
unnecessary.”
“BCM is seen as an essential part of what we do and therefore
does not need a ROI.”
“There is no return until you have a crisis.”
“As a local authority, we tend to respond to legislative requirements,
and (hopefully) the needs of the public, rather than strict financial
analysis. Also BCP is currently funded from our civil contingencies
budget, i.e. from the Home Office.”
“We are a very strategic organisation and very focused on
the operations and marketing aspects. I think our executive management
takes it for granted that disaster recovery and business continuity
are in place.”
“Public service requires availability, continuity, and uniform
service levels as justification for our existence and public taxpayer
support. This is why it is seen as a cost center and not profit center,
and no ROI is required.”
“It has been considered an expense, not an investment.”
“A budget is allocated to the business continuity and disaster
recovery functions, based on what is regarded as "prudent"
and "appropriate for due diligence purposes". No attempt
is made to assess whether the budget is value for money, adequate,
generous. It is assessed, when annual renewal is due, on the returns
supplied by the senior manager responsible.”
“We are a production based company and everyone is well aware
that any time that we are not able to do our primary business functions
we are losing money, so everything we are able to do to keep the
business up and running is a good return on investment.”
* Lack of resources
“No time.... we would need more staffing to do any more than
we're already doing and there are no funds for that right now. Good
idea, though!”
How to conduct a return on investment
Given the small percentage of respondents doing a ROI calculation,
there was relatively little information supplied on this area. Useful
responses include:
“We work at establishing both future
asset price and future value of assets: including training of employees;
product liability; financial stability; customer service; business
ethics; supply chain management; corporate image; cash flow; supplier
quality; trade practices and anti competitive trading; and privacy
legislation. These are all established as both assets and liabilities.”
“Risk register compiled and then plotted
against the probability and cost of doing nothing. Also the impact
is plotted against cost.”
“How much revenue would be lost for an
unplanned outage period for any given system?”
“Cost saving from implementations of
new technologies. An example would be the cost savings of going
from DAS to NAS. We were paying 84 cents per megabyte in a DAS environment.
We are now paying 35 cents per megabyte in a NAS environment. Another
example is implementing ANS. By doing this we saved 50 percent on
our administrative costs.”
To add more detail, Continuity Central
asked business continuity consultant, John Robinson, to explain
how he would go about making a ROI calculation:
“Successful organisations
generally focus on delivering benefit to their stakeholders, from
customers to suppliers, regulators to employees; all need to be
satisfied for business interaction to continue taking place. When
these win-win criteria are not met, relationships may break down
and one or both parties caused to suffer in various ways. So, if
an operational failure means your organisation fails to deliver
its product to customers, then it may lose revenue, reputation,
opportunity and other valued commodities. Business continuity is
at its most successful when it spends a small amount to demonstrably
prevent the loss of a much larger amount. The difference between
the two is a saving and the ratio of the two numbers defines the
corresponding ROI.
To elaborate, take a simple example such as the addition of an uninterruptible
power supply (UPS) to support an otherwise unprotected firewall
server. With no UPS in place, the server remains vulnerable to power
failures of a few hours each year and power surges which may cause
component failure costing perhaps a day every five years. Dynamic
modelling allows us to assess the financial and qualitative impact
arising from this order of failure, effectively closing internet
access to the organisation whilst the server remains inactive. On
average, we can estimate that something like a half-day will be
lost each year with a resulting loss potential for the organisation
of around $100k. The UPS cost $5k to purchase with $330 per annum
maintenance and will be depreciated over 3 years. Crudely, therefore,
it costs around $2k per annum to offset an expected loss of $100k
per annum, a worthwhile return on investment of 5000 percent.
This is of course a very simplistic example and makes assumptions
which may prove hard to substantiate. Firstly, it assumes that we
know the current failure rate for the equipment - easy in this example
- but how do we establish compound failure rates where many internal
and external threats combine? For example, how often should we estimate
that the entire computer room will be destroyed? Will it be every
10 years or every 100? Secondly, it assumes we are in a position
to calculate impact with reasonable accuracy, accounting for 'soft'
unquantifiable impacts such as public welfare and absenteeism. And
thirdly, it ignores the complex matter of assessing marginal benefit
in an organisation that is already well-protected.
Notwithstanding these arguments, all of which can be addressed using
estimating and modelling techniques, the ability to demonstrate
ROI has immense appeal in the continuity context. Budget holders
are accountable and expect clear stakeholder benefit to be demonstrated
before releasing monies; emotional appeal cuts little ice. Hand
them instead a well-argued business case with approximate but credible
numbers and your chances of successfully protecting your organisation
increase dramatically. Consequently, ROI is something of a holy
grail for continuity managers and consultants.”
John Robinson is managing consultant with JRCPL, a specialist
consultancy offering quantitative business impact analysis, providing
a basis for calculating return on continuity investments. www.jrcpl.com
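
The UPS calculation from John Robinson's explanation above, worked through as an added example (this code is not from the article or from JRCPL). It also computes a break-even figure, which is useful when the failure rate is uncertain; the split of the half-day between the two failure modes and the 24-hour day are assumptions.

```python
from dataclasses import dataclass

MINUTES_PER_DAY = 24 * 60  # assumption: a "day" of outage is 24 hours


@dataclass
class FailureMode:
    name: str
    events_per_year: float      # estimated frequency
    days_lost_per_event: float  # estimated outage length


def expected_days_lost(modes):
    """Average outage days per year across all failure modes."""
    return sum(m.events_per_year * m.days_lost_per_event for m in modes)


def annual_cost(purchase, maintenance_per_year, depreciation_years):
    """Straight-line depreciation plus yearly maintenance."""
    return purchase / depreciation_years + maintenance_per_year


def roi_percent(expected_loss_per_year, cost_per_year):
    """ROI as the article defines it: loss prevented over amount spent."""
    return 100.0 * expected_loss_per_year / cost_per_year


def break_even_minutes(cost_per_year, loss_per_day):
    """Outage minutes per year the control must prevent to pay for itself."""
    return cost_per_year / loss_per_day * MINUTES_PER_DAY


# Figures from the article: $5k UPS, $330/yr maintenance, 3-year depreciation,
# about half a day lost per year costing about $100k.
UPS_COST = annual_cost(5_000, 330, 3)
LOSS_PER_DAY = 100_000 / 0.5  # derived from the article's two figures

# Constructed split of the half-day (assumption): the article says only
# "a few hours each year" and "a day every five years".
MODES = [
    FailureMode("power failure", events_per_year=1.0, days_lost_per_event=0.3),
    FailureMode("surge damage", events_per_year=0.2, days_lost_per_event=1.0),
]

if __name__ == "__main__":
    loss = expected_days_lost(MODES) * LOSS_PER_DAY
    print(f"annual cost    ${UPS_COST:,.0f}")
    print(f"expected loss  ${loss:,.0f}")
    print(f"ROI            {roi_percent(loss, UPS_COST):,.0f}%")
    print(f"break-even     {break_even_minutes(UPS_COST, LOSS_PER_DAY):.1f} min/yr")
```

The unrounded annual cost is slightly under the article's "around $2k", so the computed ROI comes out marginally above the crude 5000 percent.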

•Date: 17th October 2003 •Region: Worldwide •Type: Article •Topic: BC general