Saul Midler Executive of Business Continuity and Resilience at Terra Firma Consulting
Many organisations don’t know if they have right-sized their Business Continuity (BC) capability. This is an issue as they may be under-spending on their BC and IT capability and exposing their organisation to operational risk, or over-spending and wasting their precious budget on BC and IT capability which will not help them respond and recover efficiently.
How do you know whether your organisation has the right amount of Business Continuity capability in place? Very few organisations can say, hand on heart, that they know.
My experience is that most organisations under-spend on their BC capabilities and many of those over-spend on their ITDR capabilities. Some organisations arrive at their position with very little rhyme or reason while others are convinced that they have steered a trusted and true course, when in reality they haven’t.
To confirm that you need a Business Continuity capability, you first need to understand the magnitude of impact that would result from an operational disruption.
Impact of operational disruption
While there are many causes of operational disruption, the BCI Horizon Scan report 2022 identified IT disruption (including outages, attacks, and breaches) in the Top 10 risk score index. Regardless of the cause, the loss of IT Systems and Services typically results in significant financial loss. While it’s not always about money, the magnitude of impact is typically expressed in financial terms.
The BCI Horizon Scan report 2022 highlighted the leading consequence of operational disruption is negative impact on staff morale, wellbeing, and mental health. As a result, 62% of organisations have reported loss of productivity, and 44% of staff loss or displacement. The World Health Organisation estimates circa $1 trillion is lost annually due to mental health issues across the globe.
Cyber-attack and data breach grew in risk (increasing to a risk score of 6.9) in the BCI Horizon Scan report 2022, whilst other non-physical disruptions remained predominant in the top 12, such as IT and telecom outage (4.9) and introduction of new technology (4.1).
Black Swan events such as non-occupational disease (pandemic 24.5), extreme weather (6.3), critical infrastructure failure (2.4) and political change (1.6) remain a consistent and relevant risk in the coming twelve months. Although considered unlikely, these events are highly disruptive and carry a substantial financial cost to an organisation.
Clearly you need protection – but how much should you spend?
For the organisations surveyed in the Horizon Scan, ISO 22301 remains the business continuity benchmark for nine out of ten organisations. Although certification levels fell slightly during 2021, the number of organisations using ISO 22301 as a framework increased by 11 percentage points over the year.
Although organizations report ISO 22301 helps increase organizational resilience and better manage incidents, many cite that it benefits their organization externally: it allows them to demonstrate the effectiveness of their business continuity programme, aids relationships within supply chains and helps to align with industry peers.
Cost remains a deterrent to certification for many companies, although interviewees reported that with the experiences of the pandemic, management teams were pressing for certification for the first time.
In many cases, I’ve seen the implementation of ITDR nearly to the exclusion of broader Business Continuity capability. IT is very tangible, very obvious and its loss is very painful and widespread across the organisation. Other resources seem not as critical as IT, for example, work from home is a typical strategy these days for loss of office space (i.e. desks, chairs, workstations and office equipment). If you lose a supplier, then find another. If you lose a vehicle, order another, etc. I call these ad-hoc strategies, not plans, even though they are typically written into plan documentation.
My experience is that organisations typically implement ITDR to the extent provided under a Service Level Agreement selected to meet available budget, which is less than required because business management don’t know what they are protecting.
In other cases, the CIO goes cap-in-hand requesting approval to buy ITDR capability with a business case structured around the capability desired instead of the loss to be avoided.
Alternatively, I’ve seen ITDR funding requests approved to deliver capability far beyond what the business actually needs. This is usually the case when business managers can’t or won’t tell IT what capability they need, so IT – usually with the assistance of the technology vendor (they are great salespeople!) – over-compensates by over-engineering the ITDR solution.
I see confusion in organisations that believe Risk Treatments are the same as business continuity capabilities. Spending money to remove identified risks still leaves the organisation exposed to the risks that weren’t or can’t be considered.
In summary, while parts of your overall BC capability may be over-engineered (e.g. ITDR), other parts will be inadequate, leading to an overall position of being under-prepared for any unplanned operational disruption.
Some may say, regardless of what you need and how much you have to spend, risk appetites and commercial realities will come into play and result in an under-spend for business continuity capability. However, if you define business-driven BC requirements correctly then the target capability becomes very clear. To mix two concepts: When the impact is greater than the likelihood, the only solution is to implement the right capability. This is why Call Centres are often replicated and separated geographically. Does the organisation really believe that they will lose the call centre on the 8th floor of a CBD building this year? No, but they are prepared to spend the money because the impact would be “business over”.
To right-size your business continuity capability you need to consider the Goldilocks Principle. Spend too little and the organisation is exposed, spend too much and the organisation has wasted funds. The objective is to spend an amount that is “just right”.
Figure: Spend efficiency (ε) vs quantum of money spent ($)
The target for right-sizing your BC capability should be the delivery of the right level of capability, not the cost of the solution. There’s more than one way to deliver the capability – the question is: what is the most efficient way to ensure that you can respond and recover effectively?