This year’s Business Continuity Awareness Week theme got me thinking about what return on investment means to me. The question of what business continuity is worth to an organization has been around for at least as long as I have been practising and probably longer. When I first got into BC in 1989, the major Canadian Bank I was working for had recently concluded a huge initiative to build a second data centre, at a cost of $20 million, a tidy sum in those days. With the creation of a second site, built explicitly to house Development and provide disaster recovery for technology, the focus shifted to business recovery and the development of unit plans to address disruption of business functions.
I was not involved in the original cost benefit analysis to justify investment in a state-of-the-art, oversized data centre, featuring lots of redundancy throughout its infrastructure. But I do recall from subsequent discussions that management had no trouble convincing the Board that the outlay was well worth it, just to mitigate the obvious risk of having all systems housed in a single facility without back-up. There was no risk department in those days, so the decision to proceed was not a formal outcome from a risk assessment, just top management applying sound business judgment.
Fast forward a few years and I was now working for a new company providing data processing for multiple banks. Having started off with multiple data centres, thus providing layers of redundancy, the company’s mission was to save money by closing down as many of them as possible and achieving economies of scale to improve the bottom line. That cost benefit analysis must have seemed highly attractive, from a profit standpoint, but what went missing in the strategy was a risk-based perspective on how the downsizing initiative was progressively compromising recovery capabilities. The ultimate irony struck in 1999 when the company decided to downsize its head office staff by 10 per cent in one swipe, to provide expense relief and improve its bottom line, for its owner banks. So my whole department of three was made redundant – no more business continuity function! Simultaneously it was a humiliation and a silver lining. Who wants to work in a company with such narrow vision?
Ever onwards... a few years later still I was working for a financial utility providing clearing and settlement for the exchanges and securities industry. By now, BCM was squarely aligned with risk and top management understood. Investment in good DRP and BCP was a given and under heavy regulatory scrutiny, we were continually seeking improvements. What a joy to work in a company where 2-hour RTO and synchronous data mirroring (0 RPO) were embraced as smart business practices.
Soon after I arrived there, we experienced one of the biggest power failures ever in North America. On the 14th August 2003, an area 1,000 miles wide and a population of 50 million lost grid power on a hot summer afternoon. Happily for us, the failure occurred 11 minutes after completion of the daily settlement cycle, so $250 billion of payments were safe and sound. Two immediate observations: our diesel generators (data centre and office) did their job, so all critical equipment and key business staff remained functional. Had the failure occurred earlier, before the deadline, we would probably have been alright anyway, perhaps experiencing a minor delay in completion of the settlement.
Even though we avoided major impact from that disruptive event, thanks to smart investment in power redundancy and lucky timing, I was embarrassed years later when a Toronto newspaper published a supplement on disaster recovery and featured my experience as a lead story. Front page headline: “Rising from the Blackout.” Sub-title: “How Des O’Callaghan saved his company – and billions of dollars – in the power outage of 2003 with business continuity planning.”
In the inside article “Keeping your cool in meltdown mode,” I received undeserved plaudits for how the incident was handled. The truth is the main reasons we were unscathed were decisions previously made to invest in risk mitigation by implementing high end systems, advanced storage solutions and power redundancy. Yes, we did a good job of managing the crisis and communicating with stakeholders, but I did not actually save the organization a penny. I have come to realize that ROI on business continuity really is just the protection of an organization from unacceptable impacts of adverse events.
Investment in BCM should be viewed in the same way that we regard 'investment' in human resources, or the legal department, or technology infrastructure, or building insurance. Running a healthy, resilient enterprise requires investment based on prudent business judgment, not just financial expenditure. Should we be smart with how we spend money? Of course, but allocation of real resources to strengthen operations and mitigate risk should be considered on the same plane as other investments, such as recruitment, training, marketing and many other corporate expenses. Anything contributing to organizational resilience is a worthwhile investment.
Des O'Callaghan FBCI is one of the leaders of the BCI's Greater Toronto Area Forum and a member of the BCI's Global Membership Council