How To Calculate & Prove Business Continuity ROI

In your role as business continuity (BC) manager, when was the last time you were asked what fellow continuity planning advisor Regina Phelps refers to as “the dreaded question”:

What’s the return on investment (ROI) of your continuity planning efforts?

If you haven’t already been asked (and likely struggled to answer), then you will be soon. ROI has long been considered a concrete indicator of performance—but cracks in the ROI foundation began forming as far back as 1969. Its limitations as a business metric were pointed out in a Harvard Business Review article by John Dearden, who wrote:

“…evidence shows that this control system has serious limitations, which result from the inability to use ROI to make correct evaluations. The author [Dearden] notes that any criticism of the use of ROI is met with the response, ‘I agree it is not perfect, but it is the best system available.’”

Which is why ROI is—and will continue to be—an important key performance indicator in virtually every business.

And why ROI should be of special concern to you, whose BC program neither makes money nor saves money—and will always lose the ROI game as a result.

But it’s time to shift the conversation about BC from investment to value.

Determining the true value of your business continuity program lies in your ability to answer a single question definitively: Will it work when I need it?

Your BC program is like insurance.

It’s a guarantee that, if a disruption of any kind or severity level occurs, your company will survive with the least amount of impact possible. If you can show that to be true, you’ll have justified the resources spent and changed the conversation about BC from dollars to value. And in a world where there are more threats today than ever before, a guarantee of that magnitude can’t be taken lightly by any CEO worth his or her salt.

Going forward, BC practitioners need a new methodology, comparable to ROI, that will help answer the above question—and provide the necessary justification to management.

A New Way To Think About Business Continuity ROI

The traditional way to calculate ROI is to divide the benefit (or return) of an investment by the cost of your investment. This traditional method works well for profit-centers, but doesn’t work as well for business continuity programs. Future valuations of BC programs should be based on an entirely new methodology—one that evaluates the strength of the program’s protection against loss.

Here’s a comparable way to show business continuity ROI:

1. First, assess the compliance level of your program with business continuity standards.
2. Next, evaluate your program’s residual risk.
3. Based on the first two evaluations, assess your BCM program’s ROI:
    
   • High compliance/low residual risk = High ROI
   • Low compliance/high residual risk = Low ROI

Let’s take a look at what’s behind each of these components.

Assessing Compliance Level

Compliance with relevant business continuity standards is essential to building a BC program that works. I’ve heard every reason in the book as to why BC managers don’t embrace standards, but the fact is this: Recovery potential is higher for companies that use business continuity standards as a guide for their program. Even if you’re not required to comply with any particular set of standards, following a roadmap that was created by experts is the only way to be sure that your program includes all the necessary elements. Otherwise, you’re making it up as you go along—an unproven strategy that will not serve as the protection guarantee your CEO is looking for.

There’s more than one way to assess your compliance. BCMMetrics™ Compliance Confidence (C²) tool guides you through a questionnaire based on today’s best practices, then provides a number, similar to a consumer credit score, of your BCM program. Because our C² tool aligns with eight industry standards (including FFIEC and ISO 22301), you can be sure that whatever score you get accurately reflects where your BC program stands on the compliance scale.

You could also hire a consultant to assess your organization’s BC program, often against a single standard. Any consultant you hire should be an expert on the standard you’re trying to comply with and should have plenty of experience in implementing the requirements (particularly in your industry), making the assessment process faster and easier for you.

Assessing Residual Risk

I’ve written before about how to calculate residual risk, which is the amount of risk that remains after all efforts have been made to identify and eliminate it. Any residual risk calculation must take into consideration two things:

• Management’s risk tolerance (which varies by business unit).
• The quality and status of the following: business impact analysis, your recovery strategy, your recovery exercises, the recovery plan, training/awareness, and third-party supplier risk.

This calculation serves as justification for the time and resources required to support your recovery needs. It also exposes areas where some risk still exists—maybe more than management is comfortable with—and needs to be fixed.

Our Residual Risk (R²) tool can be used to identify where those pockets of risk exist and help you determine whether they are within or outside management’s risk appetite. Other options for determining residual risk include calculating it yourself, or enlisting the help of an outside consultant.

The ROI Calculation

As stated above, the combination of the above two factors—as determined by either self-assessment tools or outside consultants—translates to the following in terms of business continuity ROI:

• High compliance/low residual risk = High ROI
• Low compliance/high residual risk = Low ROI

If your program has a high ROI, it will protect the company in the event of a disruption. A program with a low ROI will not.

Highlighting your results in this exercise shows value in a way the CEO can appreciate.

For you, the business continuity manager, the facts you may uncover with regard to compliance and risk are just as important as the final calculation. A compliance assessment will show the elements of your program that aren’t up to industry standards. For example, you may have a well-designed recovery strategy with all the necessary components, but discover that your training and testing program is lacking. Even the best strategy in the world won’t work if employees don’t know what to do in case of emergency.

If your BC program isn’t compliant in the training/awareness area, it can’t act as the safety net your company needs.

Similarly, your risk assessment will highlight areas of remaining risk.

If the risk in those areas is more than what management is comfortable with, you can use that as a talking point for requesting and targeting future BC funds.

The Future Of Business Continuity ROI

To answer the “dreaded question” of return on investment of your BC efforts in a way that satisfies management, you’ll need every tool at your disposal. That’s why it’s also important to have a good grasp on not just the recoverability calculation discussed above, but also the numerous intangible payoffs of your BC program, like the cost savings and process efficiencies it promotes. If you can’t give management the assurance they’ve allocated resources wisely, then it’s all for nothing.

If you’d like to know more about BCMMetrics™ business continuity tools and how they can help you prove your BC program’s value, schedule a free demo of our cloud-based software. I’ll walk you through it and answer any questions you have about how it’s used, how other companies are using it, and how you can use it to raise the profile of your business continuity program.