ARL Logo
Risky Thinking
On Risk Management, Business Continuity, and Security
26 July, 2017
Risk Register, Business Impact Analysis, or Disaster Timeline
Try the

How Much is a Business Continuity Plan Worth (Part 3)

In parts 1 and 2 I proposed a method of valuing a company's Business Continuity Program. Here's (possibly) where I went wrong...

or where part 1 and part 2 went wrong...

I recently presented some of these ideas on assigning a dollar value to business continuity to a meeting of a Canadian chapter of the British Computer Society which lead to some useful discussions.

The main criticisms were:

  1. The presentation concentrated too much on the total failure of a business. Most businesses won't fail. [Surveys suggest that in fact 20% of companies without a plan fail, but nobody thinks their company is in that 20%]
  2. Most of the value of a business continuity plan is in its intangible benefits.

I'd deliberately excluded non-company threatening incidents for the purposes of the presentation, but both these criticisms are valid. There is a lot more value to a business continuity plan than simply saving the company from the small chance of extinction!

Most incidents don't threaten total disaster: if Amazon irrationally had a single data center (it doesn't) which was destroyed by fire, would it survive? Probably. Would it be substantially diminished? Yes. It's customers would defect and perhaps find that other similar companies are less famous but just as good. Might it then dwindle and be bought by a competitor? Yes. It wouldn't have failed (per se), but its value would have been substantially reduced. Should we assume a reduction of value to zero? It's a good conservative accounting assumption, but possibly excessive here.

What about less severe incidents? Can we measure losses for these?

Suppose your call center cannot process incoming calls because the computer systems are unavailable for three hours. How many customers will you lose? This will depend upon your competitive situation. If you are a government department or hold a monopoly, the answer may be zero (customers don't have a choice). More likely there will be some loss of sales (increasing as customers give up after several call attempts), plus downstream effects (your customers don't come back) and ripple effects (your customers tell their friends).

How accurately you can estimate these immediate, downstream, and ripple effects will depend on your industry and possibly on your history of outages. (Presumably you are not going to try shutting down your call center for a few hours to find out the real numbers!)

Clearly you can (and should) estimate the annual probability of each type of downtime incident and its cost in terms of lost business. Remember that it's the bottom line that matters, so there are probably some reduced costs to go along with the reduced sales.

Do your sums right and you may be able to reduce your business interruption insurance coverage: if a covered incident can't cost you more than $X, perhaps you can negotiate reduced premiums or self-insurance is an option.

What about the intangibles? The original objective was to arise at a concrete dollar value, so I excluded those. But they are valuable nonetheless. Some interesting considerations are:

  • Better understanding of risk. If you understand the risks your business faces (and can quantify them), you may be able to reduce or mitigate them.
  • Better understanding of business processes. A business continuity plan will require documentation of much assumed knowledge. This may allow greater flexibility of operations.
  • Reduced risk of investor lawsuits. Increasingly a prudent business is considered to be one that has analyzed the risks it faces and planned accordingly. If an incident happens and it is handled badly, is there a legal liability waiting in the wings?
  • Reduced Insurance Costs. Do your sums right and you might be able to reduce your business interruption insurance coverage: if a covered incident can't cost you more than $X, then policy limits are too high.

A recent survey suggests that the number one reason for companies adopting a business continuity program is that it is simply “good corporate governance”. It's difficult to put a dollar value on that, although it would be interesting to argue that it must be at least the sum of the salaries of directors and corporate officers.

In conclusion, the valuation method I proposed was based on reducing the probability of company (or business unit) extinction was only intended to provide a lower bound on the value of business continuity planning. Its major premises (with which you may disagree) are:

  • that disasters do exist which cause business loss and whose probability can be reduced,
  • a company is best valued by the uncertain value of its future profits.

It excluded disasters which didn't threaten the existence of the company, and it didn't take into account the sizeable intangible benefits, nor the value of good corporate governance.

You may disagree with my premises, but I hope that you will still agree with me that disastrous events exist which can compromise an organization's existence or value and the prudent organization will assess the risks of such events and plan appropriately for them.

Michael Z. Bell
January, 2007

Want to know when new articles are available? Subscribe to the Risky Thinking Newsletter and keep up to date. It's free for people working in business continuity, disaster recovery, or risk management.

[ Back To Top ]


Note. Where trademarks are mentioned, they belong to their respective owners.

© Albion Research Ltd. 2017