Cost versus benefit and price versus performance
Since around 2011 I have had what I thought was a potentially common-sense approach to business continuity management, which did not always seem to attract a consensus. My background prior to embarking on a career in business continuity management was in procurement and logistics. Built into the DNA of the procurement professional is “value for money” rather than low cost. Therefore, showing a “return on investment” seems infinitely logical to me.
Show me the money
For many years I have suggested that Top Management need to challenge BC professionals to “show me the money”. Sometimes known as “proof of concept”, it is something you would do instinctively in your private life with your own funds, and something organisations do instinctively when embarking on a new venture.
It’s not about the money
The counter-argument has often been that not all organisations function on that basis: the third sector, charitable organisations, and the public sector, whose focus is on service delivery. Often the retort in class by some is “it’s not about the money, David”.
Not-for-profit organisations still need to create a surplus to enable them to operate and function efficiently. Public sector bodies rely on funding out of government coffers that have their genesis in taxes collected from society, and ISO 22301 is Societal Security and Business Continuity Management. There seems to me to be an obligation to understand the costs associated with resilience and the likely benefit from the investment in resilience.
Top Management Buy-in
Emphasis is placed heavily on Top Management “buy-in”, so is it not obvious that if they can see the return on investment from undertaking good business continuity management, buy-in generally will increase?
Several years ago, I remember reading an article posted by the Institute of Internal Auditors that suggested it was no longer enough to simply score risks within risk matrices using basic maths and colour coding, then create risk mitigations without being challenged about the return on investment in those mitigations.
Take your medicine, it’s good for you
Is it feasible to continue telling Top Management to take the medicine that is business continuity management, which may taste bad but is good for you? Is it reasonable to achieve buy-in by striking fear into Top Management of Armageddon if something goes wrong, or simply to achieve compliance with a standard to meet regulatory requirements, or to pacify a client who insists that the organisation must hold a certification before the client will do business with them?
Consider the Good Practice Guidelines 2018, which talk of the business continuity management budget and the senior sponsor who holds that budget: do they really have a bottomless pit of funds and not require any proof of the efficacy of undertaking business continuity management?
Price versus performance and cost versus benefit
Expand the debate to cover resilience and not merely business continuity management, and we bring the risk management costs into the equation, as can be seen in Professional Practice 4 of the Good Practice Guidelines. Go even further and capture the costs associated with achieving resilience in your priority supply chains, including the risk mitigations that you pay for in contract together with the response mitigations that you insist on through the flexible service levels promoted in the guidelines. You then begin to see the true cost of risk management and business continuity management and, eventually, of overall resilience, which will include preventative business controls and responsive business controls throughout all the facets of the organisation, in the spirit of collaboration also emphasised in the Good Practice Guidelines 2018.
Take the holistic approach, we are advised: undertake a cost-benefit analysis when designing your solutions, when entering into contracts for supply chain dependencies, and before agreeing to create projects to put risk mitigations in place as preventative measures.
The only way to get true buy-in
So, am I suggesting it cannot be done? No, quite the opposite: I still strongly believe it is the only way to obtain true Top Management buy-in.
What is the starting point? I believe that the “fixed cost” is the first step: the total cost of preventative controls and the total cost of responsive controls. This can be anything from duplicate resources to business protocols such as password controls or financial controls, things that the organisation pays for each year regardless of any disruptions.
Risk Management of course ties these costs to “risk appetite”, and therefore the cost spent could be too much or too little depending on the organisation’s attitude to risk. So many risks still manifest themselves where insufficient controls are in place, even when controls are considered efficient and the risk register shows them as “adequately controlled”; then we turn to the responsive controls and the mitigations in place through business continuity plans.
Controls, however, also fall into the three lines of defence, and this should also assist the organisation in estimating the costs involved. The first of the three is the resilience controls at operational level, the second is the oversight functions monitoring them, and lastly there is a form of independent assurance through (as the GPG 2018 suggests) audit and, depending on the organisation, independent assessments, also on quality.
Preventative and responsive
If we consider preventative controls to be things that attract a cost regardless of a breach of the control, so a fixed cost, then the breach of the control will attract a variable negative cost. To correct the issue, various responsive controls, including business continuity responses, are deployed.
Altogether, this management information with regard to the cost of controls, the cost of the breach of the control and the adverse impacts, plus the designed solutions to rectify it, should be calculated to reveal the investment cost in resilience and expose the adverse impact costs.
For commercial entities it will surely be about the money; for the third sector, it’s about the surplus required to operate; for the public sector it is about the negative increase in operating cost that depicts a level of inefficiency, surely?
No, I hear you say, it’s reputational. So tell me, when did a loss of reputation become cost-free? A drop in your reputation has a direct financial cost somewhere: operating costs, loss of sales, loss of share value, loss of charitable funding and donations. No organisation has a bottomless pit of funds for resilience.
Return on Investment
A basic Return on Investment calculation is Profit / Investment x 100. So, back to the non-profit organisations: what they all have in common is their operating costs.
Maybe, therefore, the return on an investment in resilience is the total cost of controls pre-incident and the total cost of controls proactively in place for your response, set against the loss through the adverse impacts?
Measuring the benefit could also include management information regarding the reduction in the number of incidents with direct correlations to the breach of preventative controls, and the reduction in the duration of incidents, measured against the objectives set for recovery (RTO), the success in providing the minimum service during the incident (MBCO), and how close the organisation came to the approved tolerances (MTPD).
Also required would be an agreed understanding of which controls to measure, which would surely include all the disciplines we work in conjunction with in business continuity management: a collaborative approach to resilience with full transparency of the costs and the benefits, and the price versus performance.
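To make the calculation above concrete, here is an added worked example (not from the original post or its author) that puts the resilience ROI and the RTO/MBCO/MTPD benefit measures into a small script. It assumes that the benefit is the adverse-impact loss avoided between a baseline period and the period after the investment, and that “profit” in the ROI formula is that avoided loss less the investment; the incident figures are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class Incident:
    """One disruption, with the tolerances set for the activity it hit."""
    activity: str
    downtime_hours: float   # actual length of the disruption
    loss: float             # adverse-impact cost actually incurred (any currency)
    rto_hours: float        # recovery time objective for the activity
    mtpd_hours: float       # maximum tolerable period of disruption
    mbco_met: bool          # minimum business continuity objective delivered?

def resilience_roi(preventative_cost, responsive_cost, baseline, current):
    """Return (roi_percent, avoided_loss).
    Investment = fixed cost of preventative controls + cost of responsive
    controls held ready.  Benefit = loss in the baseline period minus loss in
    the current period.  ROI = profit / investment x 100, with profit taken as
    benefit less investment (an assumption; the post does not fix this step)."""
    investment = preventative_cost + responsive_cost
    if investment <= 0:
        raise ValueError("investment must be positive")
    avoided = sum(i.loss for i in baseline) - sum(i.loss for i in current)
    return (avoided - investment) / investment * 100.0, avoided

def recovery_metrics(incidents):
    """How the incidents performed against RTO, MTPD and MBCO."""
    n = len(incidents)
    return {
        "incidents": n,
        "rto_met": sum(i.downtime_hours <= i.rto_hours for i in incidents),
        "mtpd_breached": sum(i.downtime_hours > i.mtpd_hours for i in incidents),
        "mbco_met": sum(i.mbco_met for i in incidents),
        "mean_downtime_hours": sum(i.downtime_hours for i in incidents) / n if n else 0.0,
    }

# Constructed sample figures, not real data.
BASELINE = [  # year before the investment
    Incident("order processing", 30.0, 120_000.0, 8.0, 48.0, False),
    Incident("payroll", 12.0, 40_000.0, 24.0, 72.0, True),
    Incident("order processing", 50.0, 200_000.0, 8.0, 48.0, False),
]
CURRENT = [   # year after the investment
    Incident("order processing", 6.0, 25_000.0, 8.0, 48.0, True),
    Incident("payroll", 30.0, 60_000.0, 24.0, 72.0, True),
]
PREVENTATIVE_COST = 90_000.0   # per year: duplicate resources, access controls, etc.
RESPONSIVE_COST = 60_000.0     # per year: standby capacity, plans, exercising

if __name__ == "__main__":
    roi, avoided = resilience_roi(PREVENTATIVE_COST, RESPONSIVE_COST, BASELINE, CURRENT)
    print(f"loss avoided {avoided:,.0f}, ROI {roi:.1f}%")
    print(recovery_metrics(CURRENT))
```

Comparing `recovery_metrics(BASELINE)` with `recovery_metrics(CURRENT)` gives the incident-count and duration side of the benefit, while the ROI figure gives the money side.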
David J. Window MBCI
Director Continuity Shop