By Mel Gosling
Many enterprises, particularly SMEs (SMBs), do not have a business continuity plan (BCP). This paper attempts to quantify the risk that these enterprises are taking, and asks if this is an acceptable risk to take.
Measuring the risk
Risk is measured by the likelihood of the event and its impact. In terms of an enterprise not having a business continuity plan:
• The likelihood is the chance of an event occurring that would have resulted in a business continuity plan being invoked;
• The impact is the effect on the enterprise of not having a business continuity plan in place when such an event occurs.
Break-even gamble
If C is the cost of developing an effective business continuity plan, P is the probability of an event occurring that would result in a BCP being invoked, and I the impact on the enterprise of not having a BCP in place when such an event occurs, then the formula for calculating the break-even gamble of having or not having a BCP is:
C = P x I
So, for example, if the impact on the enterprise is £50,000 and the probability of an event occurring that would result in a business continuity plan being invoked is 0.2 (20 percent chance), then the break-even point for the gamble is £50,000 x 0.2, which is when the cost of developing an effective BCP is £10,000. If the cost of developing a BCP is less than £10,000 then it is worth developing the BCP, but if it is above £10,000 then it is worth accepting the risk.
Estimating likelihood and cost
There is sufficient information available to make a reasonable estimate of the chance of an event occurring that would have resulted in a business continuity plan being invoked. An example of such information is the annual survey undertaken by the UK’s Chartered Management Institute (Patrick Woodman, Chartered Management Institute, March 2007, ‘Business Continuity Management’, ISBN 0-85946-480-6), which includes the statistic that at least 9 percent of respondents to the survey had suffered from an incident during 2006 that resulted in their business continuity plan being invoked.
The European Union has defined SMEs as those enterprises with a headcount of less than 250 and a turnover of less than or equal to €50m or balance sheet total of less than or equal to €43m. In the author’s experience, the average cost of external consultancy to develop a business continuity plan for such an enterprise is about £3,500.
Using an average cost of developing a business continuity plan of £3,500 and a likelihood of 10 percent, then the impact break-even point of the gamble in the first year, assuming that the BCP remains effective for the year, is £35,000 (£3,500/0.1). This figure will, of course, vary between enterprises, and although the actual cost of developing a BCP will be higher as there will be internal resources used, the likelihood of an event occurring in any one year that would invoke a BCP is, in the author’s experience, significantly greater than 10 percent (which would imply that an enterprise can expect one invocation in ten years).
It would therefore appear reasonable for an SME to take the risk of not having a business continuity plan for a year if the expected cost of the impact on the enterprise of not having a BCP when an event occurs that would require the invocation of the BCP is less than £35,000.
Measuring the impact
The cost of the impact on an enterprise of not having a business continuity plan when an event occurs that would require the invocation of the BCP is not known. However, when compared to an enterprise that has an effective BCP, it is reasonable to assume that one that hasn’t, and which has its operations seriously disrupted by an unexpected event, is likely to:
• Take longer to respond to the event;
• Take longer to recover its critical functions;
• Make more incorrect decisions in the early stages;
• Have greater problems communicating with its stakeholders.
Although these are the things that make up the impact of not having a business continuity plan, the real cost to the enterprise will be confined to those things that are not, or cannot be, insured.
Some enterprises do not insure against such things as terrorism or denial of access, and although insurance can cover physical loss, cost of additional working, and lost revenue from business interruption, it does not normally cover the loss of:
• Customers
• Business opportunities
• Reputation
• Brand value.
Accepting the risk
In the context of an enterprise that has a turnover of up to €50m, are these uninsured costs likely to be far greater than the impact break-even gamble of £35,000?
If they are, then why do so many SMEs appear to be happy to accept the risk by not investing in developing an effective business continuity plan? Does the typical owner or chief executive of an SME have a large appetite for risk?
Mel Gosling is a Member of the Business Continuity Institute, and managing director of Merrycon Ltd, which specialises in providing business continuity products and services. He can be contacted by email at melgosling@merrycon.co.uk
www.merrycon.co.uk
MAKE A COMMENT
Mr. Gosling's analysis has merit. Certainly the cost effectiveness of any program should be demonstrable to senior management. However, he considers only the quantitative aspects of failure to have a business continuity plan. There are also qualitative impacts such as loss of public reputation or loss of stockholder or employee confidence that could produce long term loss. He also does not consider that a loss of less than £35,000 might well be significant to an SME with limited cash flow. Approaching business continuity from a strictly quantitative viewpoint does not really address all aspects of the problem.
Lucien Canton
CEM, CBCP, CPP
Emergency Management Consultant

• Date: 28th June 2007 • Region: UK/World • Type: Article • Topic: BC general
UPDATED 11 JULY