Business Continuity ROI = inherent risk – residual risk. Discuss.
20 May 2016
In a recent online discussion, someone posted this equation as an offering to calculate return on investment for Business Continuity Management:
Business Continuity ROI = inherent risk – residual risk.
I am generally distrustful of equations used in management literature. They either wrongly over-simplify a complex topic, or attempt to make a science out of something that has no basis in science. Having read a lot of the literature, my view is that most management studies are not based on objective and empirical observation but are instead the personal views or experiences of small numbers of individuals under very specific circumstances. That is why it is hard to replicate the results of many “scientific” management studies when the same methodology is run again, and consequently hard to progress a complex subject into a science.
I am aware it’s a bold statement to start this blog with. However, this is the context for much of the criticism levelled toward efforts to work out what the return on investment (ROI) is for Business Continuity. Too much management time is wasted developing beautifully crafted business cases, only for decisions to be made on the basis of past experience and gut feeling. But is that such a bad thing? I don’t think so.
I do agree that clearly thought-through arguments that balance inherent risk against residual risk (post-mitigation) are needed to persuade our seniors to invest in BCM. If I park my loathing for the use of equations in management literature for one moment, the missing component for me from the title of this blog is the role Risk Appetite plays. If the inherent risk sits outside of a Board’s comfort zone, something will probably be done about it. If it doesn’t, then there are 101 other priorities that will sit above it.
In my opinion there are three tests we can apply to check whether a decision to invest (in BCM or anything else) is more likely:
- Is the risk so great that it could have a catastrophic impact on the business, and is it felt that the risk could actually happen (i.e. it is plausible)?
- Do the decision makers fear that if something did happen, an individual or group of individuals could be heavily criticised for it? This is why consulting firms like mine see increases in work from the peers of organisations that have suffered a major failure.
- Are there no easy alternatives to work around a loss, and is the resource in question fundamental to a business (for example, an oil and gas plant or a Bank trading floor)?
I would argue that most circumstances that fail these tests are not worth even asking for investment for.
Two things are clear to me from this list. The first is that whether an ROI is acceptable or not is based on personal judgement rather than probabilistic modelling. The second is that a BCM practitioner must have a very strong understanding of risk if they are to make a persuasive argument at Board level.
And here lies a potential problem. More often than you might expect, it turns out that BCM leaders don’t have much to do with their Risk counterparts, and perhaps don’t want to either. Meanwhile we want to be able to claim (correctly!) that BCM is an invaluable insurance policy against those high-impact, low-probability events that our risk colleagues often deprioritise, simply because they aren’t sure what can be done about them. Here’s the thing: a business case is usually more effective when we think of our Boards as expert risk managers who deal in scenarios and specifics.
So if you want to make a great business case for BCM, and demonstrate the ROI, don’t avoid a conversation on risk. And if you really want to impress, work out how you are going to align some of your BCM approaches and processes with your organisation’s risk processes. You may be surprised at the positive reaction.
That is why, for Business Continuity Awareness Week, I am advocating a “hug a Risk Manager” campaign to support your ROI quest. Do you think it will catch on?