Demonstrating The Value Of Your Business Continuity ... · Demonstrating The Value Of Your Business...

.

Demonstrating The Value Of Your Business Continuity Program To Management

Here’s what our research shows: A high percentage of business continuity (BC) practitioners feel that

management teams don’t understand their needs and show little interest in the BC program. As a result,

those practitioners face a continual uphill climb in terms of getting funding for the program,

gaining needed support from the organization’s workforce, and simply doing their job effectively.

Why does business continuity suffer a different fate than other areas of the company? While other

departments routinely measure return on investment (ROI) to determine their profitability—a

measurement that’s both versatile and simple—the same cannot be said of business continuity.

Traditionally, organizations use ROI to justify the use of resources, fund new projects, and

demonstrate the contributions of teams and departments. But ROI also has drawbacks: Its

focus on dollar return doesn’t account for the value of intangibles, making it difficult to

evaluate initiatives that don’t add hard numbers to the bottom line, like BC. Using only ROI as

a performance measure is limited in scope, and it undermines an organization’s efforts to be

competitive in the marketplace.

So then how best to convey the value of your BC program to management? Focus the conversation

on a different methodology: value on investment (VOI)—the measure of intangible benefits that

contribute heavily to an organization’s performance. VOI gives you a framework for talking about

your program based on the value of what it delivers today.

It’s the best way to talk about business continuity because, while the most important value of

BC is the ability to recover from a disruption—which would translate to a potentially significant

dollar amount if a disruption ever occurs—a good BC program also has a number of impactful

intangible payoffs that deliver value in the here and now.

That doesn’t mean traditional ROI is in no way applicable to BC—you need every tool at your

disposal if you hope to successfully convey the value of your program to higher-ups. Let’s

first consider the reasons why demonstrating value is important, then move on to ways to

communicate it.

Introduction


© 2017 BCMMetrics™

The most important benefit of business continuity can be summed up with one simple

question: Will the program work when needed? You can definitively answer yes or no if

you take the time to do things right. No matter your answer, assessing your program’s value is

the key to solving the problem most BC practitioners face, and it will re-engage management in

what should be a critical issue: protecting the health and longevity of the organization.

There are six good reasons why you should care about your program’s value:

Whatever methodology you choose—and it will likely be a combination of VOI and ROI—

think of it as a planning tool to help build your roadmap for improvement. With it, you

can drive the program toward specific goals, ultimately making it stronger. Without it,

you’re driving aimlessly. Knowing whether your program offers the company a high,

moderate, or low level of return or value on its investment gives you an overview of the

program and the information you need to keep moving forward.

Need funding to improve the program? Management teams always respond more

favorably to budget requests that are accompanied by clear and certain justification. By

taking the time to prepare a thoughtful value assessment of your program, you can make

a solid business case for your monetary needs.

Why should you care about demonstrating the value of your business continuity program?

1. It will help you continually improve the BCM initiative.

2. It helps you secure funding.



If your value assessment is less than compelling, use that information to implement new

business initiatives that will make your program better. If calculations show you’re doing

well in crisis management but are weak in business recovery strategies, for instance,

generate new initiatives to address the weaker area and project how your value will be

impacted as a result.

When you assess your program for the first time, your results may not be where you’d

like them to be. While high value is certainly the goal, simply being aware of the state

of your program is half the battle. Awareness shows you have a good grasp on your

company’s strengths and weaknesses, and people will be more willing to participate when

they can see how their contributions will affect the organization. Management will also be

more willing to give you resources if you come across as knowledgeable and capable and

state clearly the goals you’re working toward.

It’s not always about throwing resources at the weakest parts of the program; further

bolstering the strongest parts in an effort to achieve excellence is also an admirable goal.

Again, you won’t know which parts those are without doing the work.

Knowing where your strengths and weaknesses lie will help direct your resources. They’ll

occasionally need shuffling for maximum effectiveness, whether it’s spending more

money, using more personnel to support a weak area, or bringing in additional resources

(internally or externally) to cover more bases. Use your value assessment to determine

where you need the most help, and you can run your program more efficiently.

3. It helps you implement new initiatives.

4. It helps build support among members of the organization.

5. It helps you expand the successful aspects of the program.

6. It helps optimize your resource allocation.



Calculating the intangibles may be the best way to frame your program’s value, but by

now you might be asking: Can I put an ROI-like value on it? We think you can.

Your program’s functional recovery capability is its most significant value. Therefore

it’s crucial that you can show your recovery plans will work. There are two characteristics

that, if present, always indicate a high-performing business continuity program: 1) a

high level of compliance/alignment with industry standards, and 2) low residual risk as

it applies to your recovery plans for critical business units. If you have those two things in

concert—a high compliance level and low residual risk—your plan (and your program) has a

high level of recoverability, and therefore a high level of value that you can demonstrate as an

ROI.

Let’s take a look at each in detail.

Is there a way to determine an ROI-like value of my program to validate that time, money, and resources have been well spent?

There’s a simple reason that high standards compliance demonstrates high value:

Because business continuity standards—no matter which set you use—are a blueprint for

building a successful program.

High Level Of Standards Compliance



Industry standards draw on the considerable expertise of numerous practicing

professionals who have turned the complexities of business continuity into a science.

They’ve been down that road before so they know what works. Think of it in terms of

building a home: There’s not a successful builder in the industry who builds homes

without any regard for building codes. Those codes were created for a reason—to protect

the safety of a building’s occupants. Any builder who doesn’t follow them surely won’t be

in business for long. A similar case can be made for business continuity.

Because they set the bar high, standards are an excellent tool for building a quality

program. Compliance always implies a higher level of rigor in the program as well as

a stronger commitment by those who manage it. Meeting the standards requires a

fair investment of time and resources, but in the end your program will hold up under

scrutiny. On top of that:

There are several well-known business continuity standards, including the ISO standards

for business continuity, the NFPA 1600, the BCI Good Practice Guidelines, the Federal

Financial Institutions Examination Council, and many more. When you adopt one or more

sets of standards, it means you make a commitment to developing your program using

It’s easier to build your program. Standards really are a blueprint—use

them. It’s much harder to create your own blueprint for a successful BC

program.

It provides proof to stakeholders that you’re running your business

responsibly. If your customers knew that survival was low on your

company’s priority list, would they still want to do business with you?

Recovery potential is higher. Companies that use standards as the guide for

their programs are much more prepared to keep their critical functions up

and running in the event of a disruption.



those standards as a framework. Companies that do not embrace standards may still have

business continuity programs, but often they are made up of elements that are more

likely chosen for their ease of completion than for any real interest in business continuity.

If your efforts to mitigate risk are effective, then your calculations for residual risk will

tell you definitively if the business continuity program you’ve spent time, money, and

resources on can be executed effectively. Those same calculations will also tell you where

your organization may be exceeding the recovery needs of the business, allowing you to

make adjustments and conserve resources. Residual risk calculations are an excellent way

of validating your program and give you actual data to present to the management team.

The concept of inherent vs. residual risk can—and should—be applied to your business

continuity program as a way of evaluating how well your business recovery plans will

work.

Low Residual Risk

Residual risk is the amount of risk that remains after all efforts have

been made to identify and eliminate risk (i.e., mitigating controls). Your

efforts to identify and eliminate risk must include a real understanding

and consideration of management’s risk tolerance: What amount of risk

is the management team willing to tolerate? Your efforts must also take

into consideration the quality of your mitigating controls: How well is

your program addressing and executing foundational BC activities like

the business impact analysis, recovery strategies, recovery exercises, and

training?

Inherent risk refers to the risk of the entity you’re trying to measure—

without mitigating controls. It is what it is, and is formed by the realities that

exist before you’ve made any attempt to address them.



Remember, the ability to recover is the ultimate value of your BC program. Aside from

the method described above, there are two additional ways of showing that your business

continuity program works:

What other methods can you use to demonstrate recovery capability?

Testing. Not enough business continuity practitioners regularly test their

programs, which means they’re missing an opportunity to demonstrate the

program’s performance to management. Plus, you’re giving yourself a leg up in

the case of a real disruption, since a tested plan has a much higher probability

of succeeding.

To do testing right, you should conduct increasingly complex tests over time

that integrate each of the key components of the program—crisis management,

business recovery, and disaster recovery. Document test results after every

testing scenario, and use them to make targeted improvements. Eventually, you

will be able to verify that your organization can respond, recover, and resume

business and technology operations with minimal impacts.

Real-life recovery situations. There’s no better way to demonstrate the value

of a business continuity program than successfully guiding the organization

through a real disruptive event. Disruptions that require the activation of one

or more program components (crisis management, business recovery, and

disaster recovery) can provide proof of an organization’s ability to respond,

recover, and resume business operations with little to no impact to its

stakeholders.



Organizations that commit to business continuity planning actually see benefits reflected

in a number of different ways outside the BC program itself. The factors that play a

critical role in determining value are:

How do the intangible benefits of your business continuity program contribute to its value?

Aside from the reduction of costs that would be incurred during a crisis event, many of

the activities associated with building a business continuity program have the added

benefit of uncovering cost-saving opportunities. For example, the development of

business recovery plans may reveal an opportunity for one or more teams with similar

equipment or software requirements to coordinate purchases and/or upgrades to realize

demonstrable cost savings. Among the other kinds of cost savings we’ve seen come out of

BC programs are:

Similarly, business continuity activities also naturally reveal inefficiencies associated with

workflow. The Business Impact Analysis (BIA), for instance, delves deep into the processes

Cost Savings

Process Efficiencies

Equipment and software consolidation.

Decreased insurance premiums.

Decreased expenditures due to audit issues.

Savings on future staffing needs.



and responsibilities of various business units, often uncovering details that would have

gone otherwise unnoticed. For example, questionnaires and interviews may show an

overlap of responsibilities among multiple business units. If processes can be consolidated

and improved, that’s money saved. Other kinds of process efficiency savings we’ve seen

come out of BC programs are:

Reduction of redundant processes.

Elimination of obsolete processes.

Increased automation.

Increased process understanding.

Decreased process errors.

Regulations vary by industry, but no matter what your organization’s requirements are,

it’s highly likely that business continuity activities will touch on compliance issues at

one point or another. For example, in some industries, organizations that do not meet

regulatory standards for data security or reporting requirements may incur fines; when

those compliance issues are uncovered by your BC activities, that’s a golden opportunity

to put a price tag on the value of your program. Among the savings we’ve seen with

regard to regulatory compliance are:

Regulatory Compliance

Increased governance or oversight. Increased data protection.

Improved reporting processes.

Decreased audit findings.

Decreased reportable events.

Decreased audit time.



The risk of reputational damage during a crisis is high. If the public perceives that an

organization is not handling things well it impacts their level of trust in the company

as well as their willingness to do business with the company in the future. The value of

the BC program in this area cannot be overstated; because it directs how your company

responds and recovers during a disruption, it plays a huge role in minimizing reputational

damage. The cost benefits we’ve seen with regard to BC and reputational damage include:

In addition to the four major factors identified above, other intangible benefits of a strong

business continuity program that you may be able to identify within your organization are:

Reputational Damage

Reduced impact of a disruption on customers. Reduced impact on revenue.

Reduced vendor impact. Reduced regulatory impact.

Reduced negative public presence.

Increased confidence from all stakeholders.

Succession planning. By nature, business continuity planning involves a

deep understanding of critical members of the organization and their roles

and responsibilities. As a result, organizations are more readily prepared

to identify backup individuals who can continue to perform the tasks with

minimal impact to operations.

Development of workarounds. When business continuity is top of mind

for all employees, they begin to apply BC concepts automatically whenever

they develop a new product or service; or they are quicker to adapt when a

process goes awry.



Valuable business data. BC activities produce tons of data; it’s like having

an encyclopedia of valuable information about your company’s operations.

That data can also be used for things like process improvement and

strategic development.

Competitive advantage. Your clients or customers demand quick response

around the clock and have very little tolerance for unavailability of data,

goods, or services they need. Plus, losing a client’s data will likely have

tremendous negative impact on them. The presence of a good business

continuity program shows that you can be relied upon as a partner, making

you the more attractive choice over competitors.

See the next two pages for a sample checklist.



The following checklist names the necessary components of a high-value business

continuity program. If you have done all of the following, you will be armed with

everything you need to gain management support:

A Checklist To Demonstrate The Value Of Your Program

Component How It Adds Value

You have adopted a specific set of industry standards to align with and build your program on an ongoing basis.

Organizations with BC programs and plans that meet audit, regulatory, and customer requirements have a high probability of successful recovery.

You have conducted a Business Impact Analysis (BIA) and can readily identify:

• Business units and processes that are most critical to your company.

• Timeframes in which those critical processes must be restored to minimize material impact.

Organizations that know the details of their company value chain save money by:

• Focusing resources only where they are needed.

• Identifying and addressing process inefficiencies.

• Identifying opportunities for cost savings.

• Ensuring regulatory compliance.

You have integrated the highest levels of testing, clearly demonstrating that you have the ability to recover critical people, processes, and technology within the required timeframes.

Organizations that use testing benefit from:

• Demonstrating high functional recovery capability.

• Increasing employee competence and confidence by practicing recovery procedures.

• Ensuring that critical services are available to stakeholders with minimal or no interruption.

• Safeguarding the company’s revenue stream and brand.



Component How It Adds Value

You have demonstrated the ability to successfully respond, recover, and resume critical business and technology operations following real, unplanned disruptions to the organization.

Real-life response evaluation ensures that any gaps in planning are addressed and corrected, assuring continuous improvement and a high functional recovery capability.

You have calculated your residual risk levels and implemented the appropriate controls (recovery strategies, recovery exercises, etc.) to minimize any remaining risk.

Understanding residual risk enables management and the BC team to focus their efforts where they will have the greatest impact.


Demonstrating your program’s worth starts with having a good grasp on all of its

components—everything from critical processes to recovery time objectives to standards

alignment to residual risk. There are a lot of moving parts to a good business continuity

program, but taking control of them all doesn’t have to be complicated.

BCMMetrics™ is a set of online tools that can help you manage all aspects of business

recovery planning, and provide you with the data you need to approach management

confidently. Our tools include:

Still have questions? We’re happy to get the information you need. Contact us via our

website at www.mha-it.com/contact-us, or call 888-689-2290.

Get Started Proving The Value Of Your Program


BIA On-Demand (BIAOD), which manages the Business Impact

Analysis process to identify your critical business processes,

system, and resource requirements.

Compliance Confidence (C2), which scores your continuity

program on its alignment with industry standards and identifies

areas for improvement.

Residual Risk (R2), which walks you through the residual risk

calculation process and evaluates the state of your mitigating

controls.

Schedule a free demo today.


https://bcmmetrics.com/

http://www.mha-it.com/contact-us

https://bcmmetrics.com/bia-on-demand/

https://www.bcmmetrics.com/compliance-confidence/

https://bcmmetrics.com/residual-risk/

https://calendly.com/consultingmha/bcmmetrics-demo/

https://calendly.com/consultingmha/bcmmetrics-demo/

https://calendly.com/consultingmha/bcmmetrics-demo/04-11-2017

Demonstrating The Value Of Your Business Continuity ... · Demonstrating The Value Of Your Business...

Documents

Transcript of Demonstrating The Value Of Your Business Continuity ... · Demonstrating The Value Of Your Business...