.png)
.png)
In your role as a business continuity (BC) professional, there’s one question that’s guaranteed to come up and it usually doesn’t come gently:
“What’s the ROI of all this?”
It’s a tough question. Your program doesn’t generate revenue. It doesn’t cut obvious costs. And for the most part, it’s working when nothing happens.
So how do you show return on investment?
Here’s how to answer that question with clarity, confidence, and credibility.
How to Actually Calculate Business Continuity ROI
Let’s start with the traditional formula, adapted for BC:
ROI = (Estimated Loss Avoided – BCM Program Cost) ÷ BCM Program Cost
Estimate the Cost of Downtime
Begin with lost revenue. Divide your organization’s gross annual revenue by 1,950 — the average number of work hours in a year:
Lost Revenue per Hour = Gross Annual Revenue ÷ 1,950
Next, estimate lost productivity. Multiply the average employee salary by the number of employees, then divide by 1,950:
Lost Productivity per Hour = (Average Salary × Number of Employees) ÷ 1,950
Add these together to get the total direct cost of downtime:
Total Direct Downtime Cost = Lost Revenue per Hour + Lost Productivity per Hour
But the true cost is usually higher. You'll also want to factor in:
- Incidental costs: the operational drag during and after the event (≈ 50% of the direct cost).
- Recovery costs: restoration, overtime, external support (≈ 75% of the direct cost).
So your full hourly cost becomes:
True Cost of One-Hour Outage = Direct Cost + (0.50 × Direct Cost) + (0.75 × Direct Cost) = 2.25 × Direct Cost (approximate)
Now, multiply that number by the estimated hours of downtime your BCM program helps avoid annually:
Annual Loss Avoided = True Cost per Hour × Downtime Hours Avoided
Subtract Your BCM Costs
To complete your ROI calculation, subtract the total annual cost of running your BCM program. This should include:
- Labor (personnel dedicated to business continuity).
- Software and tool subscriptions.
- Plan maintenance and updates.
- Training and exercises.
Then, plug your numbers into the final formula:
ROI (%) = ((Loss Avoided – BCM Program Cost) ÷ BCM Program Cost) × 100
Example:
|
Metric |
Amount |
|
True Cost per Hour |
$18,000 |
|
Downtime Avoided (per year) |
10 hours |
|
Loss Avoided |
$180,000 |
|
BCM Program Cost |
$50,000 |
|
ROI |
260% |
It’s a number your CFO can digest. But as you'll see in the next section, ROI alone doesn’t tell the whole story.
Why Traditional ROI Doesn’t Fully Apply to Business Continuity
As Regina Phelps put it, this is “the dreaded question” — not because it’s unfair, but because traditional ROI doesn’t account for what BC is really for.
Your program is like insurance. It’s there to make sure that if something goes wrong, your company survives — with minimal disruption. It doesn’t create revenue. And most of the time, it doesn’t save money either. That means by classic ROI logic, you’ll always lose the game.
But that’s not the right game to be playing.
As early as 1969, ROI was being challenged as inadequate for strategic evaluation. In a Harvard Business Review article by John Dearden, who wrote:
“…evidence shows that this control system has serious limitations, which result from the inability to use ROI to make correct evaluations. The author [Dearden] notes that any criticism of the use of ROI is met with the response, ‘I agree it is not perfect, but it is the best system available.”
ROI Alone Isn’t Enough: Add Compliance and Residual Risk
This is where it’s time to shift the conversation from investment to value.
At BCMMetrics, we suggest a better ROI proxy based on two program indicators:
- Compliance: How well your program aligns with accepted BC standards (like ISO 22301, FFIEC, etc.).
- Residual Risk: What risks remain, even after your mitigation strategies are in place.
We define ROI like this:
|
Compliance |
Residual Risk |
Strategic Value |
|
High |
Low |
High |
|
Low |
High |
Low |
|
Mixed |
Mixed |
Moderate |
This matrix provides a more meaningful way to assess your program’s effectiveness and defend it.
How to Measure These Inputs?
- Use the Compliance Confidence (C2) tool to assess how closely your program aligns with industry best practices. It gives you a credit score-style readout of your program’s structure and rigor.
- Use the Residual Risk (R2) tool to see where gaps still exist and whether they’re within management’s risk appetite.
This approach doesn’t rely solely on theoretical cost avoidance. It demonstrates how well-prepared your company is to handle a disruption. And that’s something your CEO can get behind.
How to Communicate ROI to Executives
When executives ask for ROI, they’re often looking for more than just a number. What they really want is confidence:
- Will the company be OK if something goes wrong?
- Are we audit-ready?
- Are we doing what regulators and customers expect?
- Are we in control of our risk?
You can, and should, speak to those concerns with both quantitative data and strategic indicators.
- Show the numbers using ROI calculations based on loss avoidance. These give leaders a tangible estimate of the cost savings your program helps protect.
- Support those numbers with a clear view of where your program stands: How compliant is your BC program? How much residual risk remains? What’s your ability to recover?
- Illustrate the impact by referencing recent disruptions, whether your own or industry-wide, and how a stronger business continuity program would change the outcome.
The ROI formula can show financial justification. Your compliance and residual risk scores show program readiness. Together, they tell the full story.
The Future Of ROI in Business Continuity
Ultimately, business continuity isn’t about delivering a financial return; it’s about delivering organizational confidence.
When you can say:
- “We’ve cut downtime by X hours.”
- “We’re aligned with Y standards.”
- “Our residual risk is below management’s threshold.”
You’re proving ROI and demonstrating value.
And when the next disruption hits, and your program works the way it should? That’s your return.
Ready to show the real value of your business continuity program?
BCMMetrics is a cloud-based platform developed by MHA Consulting, based on decades of hands-on experience managing and evaluating continuity programs.
In our free demo, we’ll walk you through how the tools work, how others are using them, and how they can help you assess risk, benchmark compliance, and strengthen your case for support.
FAQ:
What is the ROI of business continuity?
Business continuity ROI is the value of avoided losses during a disruption, compared to the cost of your BC program. It’s typically calculated as: ROI = (Loss Avoided – Program Cost) ÷ Program Cost
Since BC doesn’t generate revenue, ROI is best shown through reduced downtime, lower recovery costs, and improved risk control.
What’s another way to assess business continuity ROI?
In addition to calculating financial return, you can strengthen your case by evaluating how well your program aligns with established standards and how much risk still remains. This means looking at compliance, for example, with ISO 22301 or FFIEC, and measuring residual risk after all mitigation efforts have been applied. Together, these indicators give a clearer picture of how prepared your organization really is.
