By now most business professionals have at least heard of Business Continuity (BC) and understand the concepts to some extent. The terms Disaster Recovery, Business Impact Analysis, Recovery Point/Recovery Time Objectives, and BC Plan are in just about every CTO’s vocabulary. So if we know what BC is, then:
Q: Why do only half of us have a BC Plan in place [1]?
A: Because of ignorance and/or apathy: you or your management don’t know or don’t care about BC (which includes a willingness to be risk tolerant) and therefore cannot justify the resources required to initiate a BC Program.
That sounds harsh but it is absolutely true. Management buy-in doesn’t occur because managers are typically unaware of the threats and risks to their critical processes and of how vulnerable those processes are. If they are aware of these risks, threats and vulnerabilities, they may not be in a position to invest in a BC Program this quarter because short-term profits understandably take priority. Usually, BC is treated as an insurance policy, and every quarter you don’t pay the premium, you’ve saved your organization money and time. In some cases management may feel their backup/recovery system is their BC Program and may have false expectations about the quality, reliability and ability of their backups to get them out of a disruption.
Q: So what needs to happen to get my BC Program off the ground?
A: 1) Scare the crap out of your management, and 2) make them answer one fundamental question.
Here are the numbers:
43% of companies that experienced major business data loss never re-open [2]
51% close within 2 years [2]
75% of companies without BC Plans fail within 3 years after facing a disaster [1]
Organizations that have a well-managed BC Program can prevent outages that cost the company in terms of operational disruption, reputation, and ultimately customers and money.
A few outages in the airline industry this year were extremely expensive for Delta and Southwest Airlines. Delta had a computer outage that caused it to cancel 2300 flights, cost $100 million in lost revenue and preceded a stock price drop of 19%. Southwest also lost revenue and had $54 million in losses associated with a similar outage in July [3].
Do you think a well-oiled BC Program would have been a competitive advantage for either of those two companies? And you can be sure their loss was their competitors’ gain.
The sad fact of the matter is that risk does exist because threats are everywhere.
We aren’t quite finished with hurricane season this year in the Atlantic, but we’ve already reached historical highs in terms of assessed damage. The losses so far are likely over $100 billion. If we see the same percentage of business interruption losses as we did for Katrina in 2005 (of the $25 billion in insured commercial losses, it is estimated that somewhere between 6 and 9 billion dollars was attributed to business interruption loss), then about 25 to 40% of the total loss will be due to business interruption [4].
And it’s not just the threat of natural disasters that poses the biggest risk. These days, human-induced threats are more devastating and more frequent than in years past. These threats are not just possible and probable; it is a near-certainty that your organization will be the target of a cyber-attack.
Having a BC Program will minimize the chaos that occurs after a disruptive event and allow your business to recover much more quickly than if you didn’t have one.
The question that management needs to ask themselves is:
“Is my business or mission worth protecting?”
Get as high as you can in the organization and make someone answer you. Good luck finding anyone in the C-Suite that says, “No.” More than likely you will find an executive sponsor who agrees with you and is willing to allow you to be a champion for your company’s long-term survival.
Chief Technology Officer