Rainer Hübert, MBCI, sets out a vision for ways in which the advantages of a business continuity management system can be quantified, helping demonstrate a return on investment and changing the business continuity function from a cost centre to a profit centre.
This is the final article in a series where we are publishing the short listed entries in the Continuity Central Business Continuity Paper of the Year competition.
In November 2013 I made a speech at the Business Continuity Institute’s BCM World Conference in London on the possibility of calculating a return on investment when implementing and running a business continuity management programme at an organization (1). In the months following this event, I realized, that this speech did not only open up a new line of reasoning to invest in a business continuity management system (BCMS) but, in reality, laid the foundation for a major change in the business continuity profession. In this short article, I’ll try to explain what may be about to happen.
Business continuity management (BCM) as a discipline was – and is – regarded by most of its advocates as a cost centre. You invest in it to prevent losses in unlikely and unfortunate circumstances, which, should they occur, could severely damage an organization and even result in its closure. The cost of BCM is normally regarded as an insurance premium: the lower, the better; and if nothing happens, the investment is written-off. While ensuring that the BCMS works as intended, the main job of the business continuity manager is to keep the cost of this function as low as possible. This is well known and normal practice across the globe; and business continuity managers are well versed in discussing the minimum investment necessary to comply with company standards with regards to contingency planning, the management of operational risks and maintaining a crisis management organization (2). Typically, business continuity is a type of grudge purchase and organizations generally only accept the need for it when they are forced to demonstrate the availability of a BCMS by either their clients or by regulatory authorities. That it simply could make sense to invest in the resiliency capability of an organization, to protect considerable investments – sometimes accumulated over centuries – against the dangers of unpredictable events, generally is not a dominant argument pro BCM (3). Part of the reason for that is that a BCMS is not seen to contribute to the profits of the company. Something that does not contribute to profit, or worse, will reduce profit, is to be avoided as much as possible. This is the situation that most business continuity managers find themselves in. However, this scenario is about to change; and business continuity managers need to change with it. (4)
We all know the investment part of a BCMS very well: consultants need to be paid; contingency resources to be bought; and people trained or specialists hired who understand the function. There are a few processes to be implemented and maintained, some of them taking bits from the workload capacity of the whole workforce, which can add up to significant amounts across the organization. Ask a business continuity manager what the function costs, and – hopefully – he or she can answer this question extensively and down to two decimal places. On the other hand, if we ask the same business continuity manager what the return on this investment will be he or she will probably say that there is no return on investment, unless some catastrophe hits the organization and the BCMS kicks in to reduce losses or save the company. In my speech at the BCI Conference mentioned earlier I showed that there is, in fact, a possible return on investment. I don’t want to reiterate the talk here, but to enable readers to understand where I’m heading, I’ll briefly list some of the possible returns:
- An organization which has a BCMS is a lower damage risk for business interruption insurances compared to those without a BCMS, mainly because they recover more quickly since they are prepared for recovery; and because the damage will be somewhat lower due to the contingency plans that are in place which allow the continuation of business, at least at a reduced level. The return here is a lower premium for this kind of insurance.
- The same is true for borrowed capital: an organization with a BCMS is a lower risk for a loan default. This can be discussed with banks and taken into consideration when negotiating interest rates. The reduction will be very little in percentage terms, but – especially at highly leveraged companies – can be a significant amount of money in absolute numbers. (5)
- Those who remember the time when quality management with its ISO 900x standards first came up may realize the effect that ISO 22301 could have on sales. Where ISO 9001 aims to ensure ‘quality’ in global supply chains, ISO 22301 is meant to ensure the ‘ability to deliver’ in global supply chains. Since both management standards employ the same mechanics in the sense that by implementing it the organization has to include its own suppliers in its relevant processes and structures (6) an ISO 22301 certificate will gradually become a ’must have’ to participate in tenders or even to keep existing contracts. This possibility to comply with a client’s demands regarding disaster preparedness and organizational resilience will become an important issue for sales. (7)
- One of the main results when establishing a BCMS is the development of workarounds for essential internal processes and tasks. Teams and departments are asked to think about how they might be able to produce the necessary results in a different way, with different methods. After this process they become able to look at their daily processes from a point of view which they most likely never had employed before. Sometimes, as a result, they develop ideas which have the potential to increase the quality and efficiency of their daily jobs, and/or reduce its cost. When implemented these ideas end up modifying the standard operational procedures during normal operation mode. Even if the subsequent overall cost reduction across the whole organization only adds up to a fraction of a percentage, this can easily result in significant amounts of money.
There are further cost, quality and efficiency improving effects of having a BCMS, such as reduced cost of employee training because of documentation produced as a result of the availability of a BCMS, or avoidance of fines because of compliance with present or future regulatory demands, but I think you can get the picture. There is not only ‘investment’ involved with the use of a BCMS, there is also quite some potential for a significant ‘return’. In fact, if properly documented and activated, in many cases this return can be higher than the BCMS investment, eventually turning this function from a cost burden to a profit creator.
The business continuity manager will have to take up this opportunity. Unfortunately, all this is completely new to most of us, and we not only have to learn what to do in this regard, but more importantly how to do it. So far, identifying, discussing and claiming profits for our trade is generally not part of our training. However, we should enter this Promised Land because it offers huge benefits for achieving our goals: it means that we can acquire the functionally that we require for the task given to us, as well as offering personal advancement within the organization or trade. A manager creating profit typically is regarded somewhat better by the owners of an organization than someone who just manages cost!
The first step is to learn and to understand what the sources for profit are that a business continuity manager can influence and promote. I listed some of them above, but it is up to everyone’s creativity to identify others. Many are particular to different industries, locations or organizational sizes. A huge chemical plant with global reach will have completely different opportunities than a midsized food manufacturer providing for national markets.
The bigger challenge is to operationalize these potential profits, to measure and to calculate them. Measuring and calculating profits is only possible, however, when they are realized – and they won’t be realized just because the business continuity manager knows about them. For example, he or she needs to go to the insurance manager and explain why a reduction in business interruption insurance premium is possible because of the BCMS in their organization. This manager might even need to be trained in presenting the reasoning to insurance companies when negotiating premiums. Eventually the business continuity manager may find him- or herself sitting beside the insurance manager to assist in negotiations. The same is true with the financial manager, who negotiates the interest rates for loans taken. The sales department needs to be informed about the sales advantage of an existing and proven BCMS, or even better, of the availability of an ISO 22301 certificate, and it needs to be enabled to present this to existing and potential clients.
Last, but not least, the business continuity manager does need to invest in advocating his or her own cause: showing the results of his or her work to the relevant people in the organization. The business continuity manager needs to understand how a business case should be designed and presented so that the return on investment can be demonstrated. He or she needs to go to the controlling department and inform them of the reasons why the business continuity department has changed from being a cost to a profit centre. We need to toughen up and claim the benefits for ourselves and our team.
All this will not happen just because we want it to. We need to develop processes which allow us to track the financial advantages of our activities. We need to make sure that those advantages will actually be assigned to the BCMS and that this will be documented in the controls of the controlling department and included in the financial reports to upper management. Incidentally, most colleagues I’ve talked to about this in the past months are – speaking euphemistically – reluctant to accept this. It means more work and it’s not something they feel comfortable about, simply because most of them are out of their element here. However, this will not help. Pandora’s Box is open now, and companies will learn about this opportunity. Some of us will jump on this chance to improve the position of our function within our organization; and eventually our own position amongst our peers. Sooner or later it will become part of best practice and an expected skill of a business continuity manager to be able to demonstrate, document, calculate, promote and realize the possible profits because of the organization’s investment in a BCMS. You may not like it at present, but you had better start to familiarize yourself with this concept. In the end, it will strengthen the position of the business continuity manager in the organization and eventually will offer you many more possibilities for getting what you need to better achieve your goals in business continuity management.
The author
Rainer Hübert, MBCI, is a managing consultant and product manager at HiSolutions AG, Germany. In the past 30 years, Rainer has worked on more than 70 projects for over 50 companies and organizations, ranging from multinational companies and organizations to local businesses and public services. At present, Rainer supports several business continuity consultancy projects in Germany, is the acting leader of the business continuity management organization of a major German mutual savings bank, is leading a working group on business continuity management at the German Risk Management Association, and is working on a book outlining a new approach to business continuity management as an alternative to the BCM lifecycle. Contact Huebert@hisolutions.com
References
- Programme BCM World Conference & Exhibition 2013, page 6; The Business Continuity Institute, 2013.
- The cost of implementing a BCMS in many cases is prohibitive. Many companies I talked to about implementing such a system effectively cancelled this idea solely because of its cost. ‘A key barrier to initiating BC will include costs in terms of time, money and opportunity’ page 100; Dominic Elliot, Ethné Swartz, Brahim Herbane; Business Continuity Management – A Crisis Management Approach; 2nd Edition, Routledge, New York; 2010.
- Generally, shareholders would rather avoid risks then invest in measures which mitigate risks. ‘In publicly listed companies, the risk factor that shareholders are prepared to withstand will impact on the expectations of the share price and dividend returns: mature but sage stocks will suit the institutional investor and in turn one might expect the attitude to risk in such organisations is relatively conservative,’ page 58; Julia Graham, David Kaye; ‘A Risk Management Approach to Business Continuity; Rothstein Associates, Brookfield, USA; 2006’.
- Also see ‘Beyond Recovery. The broader benefits of Business Continuity Management. A BSI whitepaper for Business’; BSI UK, Milton Keynes; 2014.
- The main reason for the insurance and the interest rate reasoning is the effect of a BCMS on the damage done to an organization (with a BCMS in place it is less compared to an organization without a BCMS) and to the time needed to recover to the originally projected earnings and profits. See also ‘The Return on Invest of a BCM Programme’; Rainer Hübert, Conference Paper BCM World Conference & Exhibition.
- See clause 8.3.1 of ISO 22301 ‘Societal Security – Business continuity management system – Requirements’; page 16; ISO, Genf, Switzerland; 2012.
- See also ‘ISO 22301 und die Folgen’, Rainer Hübert, page 30-32, RC&A Risk, Compliance & Audit, No. 5/2012; Bank-Verlag Medien GmbH, Köln, Germany; 2012.
