demonstrating the value of your business continuity ... · demonstrating the value of your business...
TRANSCRIPT
.
Demonstrating The Value Of Your Business Continuity Program To Management
Here’s what our research shows: A high percentage of business continuity (BC) practitioners feel that
management teams don’t understand their needs and show little interest in the BC program. As a result,
those practitioners face a continual uphill climb in terms of getting funding for the program,
gaining needed support from the organization’s workforce, and simply doing their job effectively.
Why does business continuity suffer a different fate than other areas of the company? While other
departments routinely measure return on investment (ROI) to determine their profitability—a
measurement that’s both versatile and simple—the same cannot be said of business continuity.
Traditionally, organizations use ROI to justify the use of resources, fund new projects, and
demonstrate the contributions of teams and departments. But ROI also has drawbacks: Its
focus on dollar return doesn’t account for the value of intangibles, making it difficult to
evaluate initiatives that don’t add hard numbers to the bottom line, like BC. Using only ROI as
a performance measure is limited in scope, and it undermines an organization’s efforts to be
competitive in the marketplace.
So then how best to convey the value of your BC program to management? Focus the conversation
on a different methodology: value on investment (VOI)—the measure of intangible benefits that
contribute heavily to an organization’s performance. VOI gives you a framework for talking about
your program based on the value of what it delivers today.
It’s the best way to talk about business continuity because, while the most important value of
BC is the ability to recover from a disruption—which would translate to a potentially significant
dollar amount if a disruption ever occurs—a good BC program also has a number of impactful
intangible payoffs that deliver value in the here and now.
That doesn’t mean traditional ROI is in no way applicable to BC—you need every tool at your
disposal if you hope to successfully convey the value of your program to higher-ups. Let’s
first consider the reasons why demonstrating value is important, then move on to ways to
communicate it.
Introduction
Demonstrating The Value Of Your Business Continuity Program To Management
© 2017 BCMMetrics™ Page 2
Page 3
The most important benefit of business continuity can be summed up with one simple
question: Will the program work when needed? You can definitively answer yes or no if
you take the time to do things right. No matter your answer, assessing your program’s value is
the key to solving the problem most BC practitioners face, and it will re-engage management in
what should be a critical issue: protecting the health and longevity of the organization.
There are six good reasons why you should care about your program’s value:
Whatever methodology you choose—and it will likely be a combination of VOI and ROI—
think of it as a planning tool to help build your roadmap for improvement. With it, you
can drive the program toward specific goals, ultimately making it stronger. Without it,
you’re driving aimlessly. Knowing whether your program offers the company a high,
moderate, or low level of return or value on its investment gives you an overview of the
program and the information you need to keep moving forward.
Need funding to improve the program? Management teams always respond more
favorably to budget requests that are accompanied by clear and certain justification. By
taking the time to prepare a thoughtful value assessment of your program, you can make
a solid business case for your monetary needs.
Why should you care about demonstrating the value of your business continuity program?
1. It will help you continually improve the BCM initiative.
2. It helps you secure funding.
© 2017 BCMMetrics™
Demonstrating The Value Of Your Business Continuity Program To Management
If your value assessment is less than compelling, use that information to implement new
business initiatives that will make your program better. If calculations show you’re doing
well in crisis management but are weak in business recovery strategies, for instance,
generate new initiatives to address the weaker area and project how your value will be
impacted as a result.
When you assess your program for the first time, your results may not be where you’d
like them to be. While high value is certainly the goal, simply being aware of the state
of your program is half the battle. Awareness shows you have a good grasp on your
company’s strengths and weaknesses, and people will be more willing to participate when
they can see how their contributions will affect the organization. Management will also be
more willing to give you resources if you come across as knowledgeable and capable and
state clearly the goals you’re working toward.
It’s not always about throwing resources at the weakest parts of the program; further
bolstering the strongest parts in an effort to achieve excellence is also an admirable goal.
Again, you won’t know which parts those are without doing the work.
Knowing where your strengths and weaknesses lie will help direct your resources. They’ll
occasionally need shuffling for maximum effectiveness, whether it’s spending more
money, using more personnel to support a weak area, or bringing in additional resources
(internally or externally) to cover more bases. Use your value assessment to determine
where you need the most help, and you can run your program more efficiently.
3. It helps you implement new initiatives.
4. It helps build support among members of the organization.
5. It helps you expand the successful aspects of the program.
6. It helps optimize your resource allocation.
Page 4© 2017 BCMMetrics™
Demonstrating The Value Of Your Business Continuity Program To Management
Calculating the intangibles may be the best way to frame your program’s value, but by
now you might be asking: Can I put an ROI-like value on it? We think you can.
Your program’s functional recovery capability is its most significant value. Therefore
it’s crucial that you can show your recovery plans will work. There are two characteristics
that, if present, always indicate a high-performing business continuity program: 1) a
high level of compliance/alignment with industry standards, and 2) low residual risk as
it applies to your recovery plans for critical business units. If you have those two things in
concert—a high compliance level and low residual risk—your plan (and your program) has a
high level of recoverability, and therefore a high level of value that you can demonstrate as an
ROI.
Let’s take a look at each in detail.
Is there a way to determine an ROI-like value of my program to validate that time, money, and resources have been well spent?
There’s a simple reason that high standards compliance demonstrates high value:
Because business continuity standards—no matter which set you use—are a blueprint for
building a successful program.
High Level Of Standards Compliance
Page 5© 2017 BCMMetrics™
Demonstrating The Value Of Your Business Continuity Program To Management
Industry standards draw on the considerable expertise of numerous practicing
professionals who have turned the complexities of business continuity into a science.
They’ve been down that road before so they know what works. Think of it in terms of
building a home: There’s not a successful builder in the industry who builds homes
without any regard for building codes. Those codes were created for a reason—to protect
the safety of a building’s occupants. Any builder who doesn’t follow them surely won’t be
in business for long. A similar case can be made for business continuity.
Because they set the bar high, standards are an excellent tool for building a quality
program. Compliance always implies a higher level of rigor in the program as well as
a stronger commitment by those who manage it. Meeting the standards requires a
fair investment of time and resources, but in the end your program will hold up under
scrutiny. On top of that:
There are several well-known business continuity standards, including the ISO standards
for business continuity, the NFPA 1600, the BCI Good Practice Guidelines, the Federal
Financial Institutions Examination Council, and many more. When you adopt one or more
sets of standards, it means you make a commitment to developing your program using
It’s easier to build your program. Standards really are a blueprint—use
them. It’s much harder to create your own blueprint for a successful BC
program.
It provides proof to stakeholders that you’re running your business
responsibly. If your customers knew that survival was low on your
company’s priority list, would they still want to do business with you?
Recovery potential is higher. Companies that use standards as the guide for
their programs are much more prepared to keep their critical functions up
and running in the event of a disruption.
Page 6© 2017 BCMMetrics™
Demonstrating The Value Of Your Business Continuity Program To Management
those standards as a framework. Companies that do not embrace standards may still have
business continuity programs, but often they are made up of elements that are more
likely chosen for their ease of completion than for any real interest in business continuity.
If your efforts to mitigate risk are effective, then your calculations for residual risk will
tell you definitively if the business continuity program you’ve spent time, money, and
resources on can be executed effectively. Those same calculations will also tell you where
your organization may be exceeding the recovery needs of the business, allowing you to
make adjustments and conserve resources. Residual risk calculations are an excellent way
of validating your program and give you actual data to present to the management team.
The concept of inherent vs. residual risk can—and should—be applied to your business
continuity program as a way of evaluating how well your business recovery plans will
work.
Low Residual Risk
Residual risk is the amount of risk that remains after all efforts have
been made to identify and eliminate risk (i.e., mitigating controls). Your
efforts to identify and eliminate risk must include a real understanding
and consideration of management’s risk tolerance: What amount of risk
is the management team willing to tolerate? Your efforts must also take
into consideration the quality of your mitigating controls: How well is
your program addressing and executing foundational BC activities like
the business impact analysis, recovery strategies, recovery exercises, and
training?
Inherent risk refers to the risk of the entity you’re trying to measure—
without mitigating controls. It is what it is, and is formed by the realities that
exist before you’ve made any attempt to address them.
Page 7© 2017 BCMMetrics™
Demonstrating The Value Of Your Business Continuity Program To Management
Remember, the ability to recover is the ultimate value of your BC program. Aside from
the method described above, there are two additional ways of showing that your business
continuity program works:
What other methods can you use to demonstrate recovery capability?
Testing. Not enough business continuity practitioners regularly test their
programs, which means they’re missing an opportunity to demonstrate the
program’s performance to management. Plus, you’re giving yourself a leg up in
the case of a real disruption, since a tested plan has a much higher probability
of succeeding.
To do testing right, you should conduct increasingly complex tests over time
that integrate each of the key components of the program—crisis management,
business recovery, and disaster recovery. Document test results after every
testing scenario, and use them to make targeted improvements. Eventually, you
will be able to verify that your organization can respond, recover, and resume
business and technology operations with minimal impacts.
Real-life recovery situations. There’s no better way to demonstrate the value
of a business continuity program than successfully guiding the organization
through a real disruptive event. Disruptions that require the activation of one
or more program components (crisis management, business recovery, and
disaster recovery) can provide proof of an organization’s ability to respond,
recover, and resume business operations with little to no impact to its
stakeholders.
Page 8© 2017 BCMMetrics™
Demonstrating The Value Of Your Business Continuity Program To Management
Organizations that commit to business continuity planning actually see benefits reflected
in a number of different ways outside the BC program itself. The factors that play a
critical role in determining value are:
How do the intangible benefits of your business continuity program contribute to its value?
Aside from the reduction of costs that would be incurred during a crisis event, many of
the activities associated with building a business continuity program have the added
benefit of uncovering cost-saving opportunities. For example, the development of
business recovery plans may reveal an opportunity for one or more teams with similar
equipment or software requirements to coordinate purchases and/or upgrades to realize
demonstrable cost savings. Among the other kinds of cost savings we’ve seen come out of
BC programs are:
Similarly, business continuity activities also naturally reveal inefficiencies associated with
workflow. The Business Impact Analysis (BIA), for instance, delves deep into the processes
Cost Savings
Process Efficiencies
Equipment and software consolidation.
Decreased insurance premiums.
Decreased expenditures due to audit issues.
Savings on future staffing needs.
Page 9© 2017 BCMMetrics™
Demonstrating The Value Of Your Business Continuity Program To Management
and responsibilities of various business units, often uncovering details that would have
gone otherwise unnoticed. For example, questionnaires and interviews may show an
overlap of responsibilities among multiple business units. If processes can be consolidated
and improved, that’s money saved. Other kinds of process efficiency savings we’ve seen
come out of BC programs are:
Reduction of redundant processes.
Elimination of obsolete processes.
Increased automation.
Increased process understanding.
Decreased process errors.
Regulations vary by industry, but no matter what your organization’s requirements are,
it’s highly likely that business continuity activities will touch on compliance issues at
one point or another. For example, in some industries, organizations that do not meet
regulatory standards for data security or reporting requirements may incur fines; when
those compliance issues are uncovered by your BC activities, that’s a golden opportunity
to put a price tag on the value of your program. Among the savings we’ve seen with
regard to regulatory compliance are:
Regulatory Compliance
Increased governance or oversight. Increased data protection.
Improved reporting processes.
Decreased audit findings.
Decreased reportable events.
Decreased audit time.
Page 10© 2017 BCMMetrics™
Demonstrating The Value Of Your Business Continuity Program To Management
The risk of reputational damage during a crisis is high. If the public perceives that an
organization is not handling things well it impacts their level of trust in the company
as well as their willingness to do business with the company in the future. The value of
the BC program in this area cannot be overstated; because it directs how your company
responds and recovers during a disruption, it plays a huge role in minimizing reputational
damage. The cost benefits we’ve seen with regard to BC and reputational damage include:
In addition to the four major factors identified above, other intangible benefits of a strong
business continuity program that you may be able to identify within your organization are:
Reputational Damage
Reduced impact of a disruption on customers. Reduced impact on revenue.
Reduced vendor impact. Reduced regulatory impact.
Reduced negative public presence.
Increased confidence from all stakeholders.
Succession planning. By nature, business continuity planning involves a
deep understanding of critical members of the organization and their roles
and responsibilities. As a result, organizations are more readily prepared
to identify backup individuals who can continue to perform the tasks with
minimal impact to operations.
Development of workarounds. When business continuity is top of mind
for all employees, they begin to apply BC concepts automatically whenever
they develop a new product or service; or they are quicker to adapt when a
process goes awry.
Page 11© 2017 BCMMetrics™
Demonstrating The Value Of Your Business Continuity Program To Management
Valuable business data. BC activities produce tons of data; it’s like having
an encyclopedia of valuable information about your company’s operations.
That data can also be used for things like process improvement and
strategic development.
Competitive advantage. Your clients or customers demand quick response
around the clock and have very little tolerance for unavailability of data,
goods, or services they need. Plus, losing a client’s data will likely have
tremendous negative impact on them. The presence of a good business
continuity program shows that you can be relied upon as a partner, making
you the more attractive choice over competitors.
See the next two pages for a sample checklist.
Page 12© 2017 BCMMetrics™
Demonstrating The Value Of Your Business Continuity Program To Management
The following checklist names the necessary components of a high-value business
continuity program. If you have done all of the following, you will be armed with
everything you need to gain management support:
A Checklist To Demonstrate The Value Of Your Program
Component How It Adds Value
You have adopted a specific set of industry standards to align with and build your program on an ongoing basis.
Organizations with BC programs and plans that meet audit, regulatory, and customer requirements have a high probability of successful recovery.
You have conducted a Business Impact Analysis (BIA) and can readily identify:
• Business units and processes that are most critical to your company.
• Timeframes in which those critical processes must be restored to minimize material impact.
Organizations that know the details of their company value chain save money by:
• Focusing resources only where they are needed.
• Identifying and addressing process inefficiencies.
• Identifying opportunities for cost savings.
• Ensuring regulatory compliance.
You have integrated the highest levels of testing, clearly demonstrating that you have the ability to recover critical people, processes, and technology within the required timeframes.
Organizations that use testing benefit from:
• Demonstrating high functional recovery capability.
• Increasing employee competence and confidence by practicing recovery procedures.
• Ensuring that critical services are available to stakeholders with minimal or no interruption.
• Safeguarding the company’s revenue stream and brand.
Page 13© 2017 BCMMetrics™
Demonstrating The Value Of Your Business Continuity Program To Management
Page 14
Component How It Adds Value
You have demonstrated the ability to successfully respond, recover, and resume critical business and technology operations following real, unplanned disruptions to the organization.
Real-life response evaluation ensures that any gaps in planning are addressed and corrected, assuring continuous improvement and a high functional recovery capability.
You have calculated your residual risk levels and implemented the appropriate controls (recovery strategies, recovery exercises, etc.) to minimize any remaining risk.
Understanding residual risk enables management and the BC team to focus their efforts where they will have the greatest impact.
Demonstrating The Value Of Your Business Continuity Program To Management
Demonstrating your program’s worth starts with having a good grasp on all of its
components—everything from critical processes to recovery time objectives to standards
alignment to residual risk. There are a lot of moving parts to a good business continuity
program, but taking control of them all doesn’t have to be complicated.
BCMMetrics™ is a set of online tools that can help you manage all aspects of business
recovery planning, and provide you with the data you need to approach management
confidently. Our tools include:
Still have questions? We’re happy to get the information you need. Contact us via our
website at www.mha-it.com/contact-us, or call 888-689-2290.
Get Started Proving The Value Of Your Program
Page 15© 2017 BCMMetrics™
BIA On-Demand (BIAOD), which manages the Business Impact
Analysis process to identify your critical business processes,
system, and resource requirements.
Compliance Confidence (C2), which scores your continuity
program on its alignment with industry standards and identifies
areas for improvement.
Residual Risk (R2), which walks you through the residual risk
calculation process and evaluates the state of your mitigating
controls.
Schedule a free demo today.
Demonstrating The Value Of Your Business Continuity Program To Management