Bulletin / Demonstrating business continuity's...

Demonstrating business continuity's return on investment

Author: Charlie Maclean-Bristol, Training Director, FBCI, FEPS

Worried about your business continuity budget? This week Charlie discusses how to demonstrate BC's return on investment within your organisation.

Every year you get a budget of £20,000 (some of you are already saying “I wish”) and you have this money to deliver your business continuity programme. Your organisation buys into business continuity as it feels it protects value within the organisation and there is a demand from numerous suppliers to have it in place, so it is assured that it will be needed within the organisation. As times are now tight, those looking to save money are reviewing your budget and finance is thinking does, he/she really need all that money, and could it be better spent elsewhere or cut all together? You have been given the task to justify the budget and prove that it is needed and that the money you are spending is actually providing value and continual improvement.

One of the ways you could demonstrate value is that the money is being spent on providing the organisation with a capability, which critical to the organisation's recovery. Money spent on work area recovery could be justified in that the organisation can get our call centres, trading desks or complaints’ handlers back up and running within their RTOs, which could not be met with an in-house solution or would be more expensive to provide. You could also have a contract whereby an organisation could provide 1000 laptops within 24 hours, so that if a large office has an incident occur and computers were left in the office, these laptops could be used to recover the operations carried out in the office. These capabilities and recovery within the RTOs would not be available if a third party didn’t provide them. It has to be noted that work area recovery since COVID-19 is on the decline, as people have the ability to work from home.

A second way in proving return on investment is to demonstrate that the business continuity provision within the organisation is continually getting better. One way of demonstrating that business continuity provision is improving is by writing more plans. Once you have a generic plan (see bulletin here) you can start writing contingency plans for specific incidents in-line with your risk profile. Plans for specific incidents could include, loss of building, cyber plans for specific incidents, product recall, loss of an IT application, suppliers, or a particular key person. I believe there is only a limited number of plans which are worth writing and there are is no point in writing plans for every eventuality which could possibly take place.

I think to truly demonstrate return on investment you must look at making sure that those whose role is to manage an incident have the knowledge, capabilities and skills required. As there will always be a shift in staff, this is a constant job. As soon as you have got an experienced and well-exercised team, then several members will move on and you must start building knowledge, capability and skills within the team again. Therefore, there is a need to measure these items and then use the measurement to demonstrate that improvement is taking place and that your organisation's ability to manage an incident is advancing.

There are two ways to measure this, individual or team assessment. For individual assessment, firstly, you have to identify the knowledge, capabilities and skills which each individual member of the team should have. Then you need to assess them against these criteria. I believe this is best done by self-assessment. We have developed a matrix for several clients which allows each member of the team to self-assess themselves against a number of criteria. The measurement is quantitative, so each item of their required knowledge, capability and skills is scored, followed by adding these up to present a personal overall score. If this assessment is done annually, you will be able to identify the training gaps where either individuals or several members within a team have low scores. By looking at the average team score against the previous year, you can see whether their level of knowledge, capabilities and skills are increasing or decreasing. Using these scores, you can demonstrate that individuals and incident teams are improving.

Team assessment is looking at the performance of the team as a whole and their ability to manage an incident. Making use of academic literature and good business continuity practice, we have developed six criteria for assessing an incident team. The assessment takes place during an exercise and the assessment is done by a combination of umpire and team members’ assessment. Those in the incident team self-assess their ability as a team in order to work together and respond to an incident as well as their assessment of their plan. The umpires assess the team’s ability to use their plans, communicate, manage the recovery and to demonstrate any incident management skills taught to them. As with the individual assessment, they identify the team’s strengths and weaknesses, and these can be used to identify their training requirements. As the assessment is again quantitative, a score per team assessed can be produced. This can be compared with the score from the previous year and continual improvement can be determined.

Business continuity readiness and return on investment on the whole is difficult to prove, as it is really tested in a real incident, which can sometimes be the only way to find out that it actually works. The next best thing to a real incident to prove that business continuity works is to check the knowledge, capability and skills of those who will respond. By measuring the ability of either an individual or a team, you will be able to demonstrate continual improvement and that you need your budget to keep business continuity diving forward and to make sure that your ability to manage an incident does not regress.

This bulletin was inspired by a conversation with Tommy Lynch.

You might be interested in the following stories

Credential Stuffing - A different type of cyber attack

Beware of the self-wiggling mouse – Cyber vulnerabilities in the water industry

The changing face of journalism and how it should be reflected in our plans

You may be interested in the following course

CBCI Certification Course (Good Practice Guidelines) course