How Much is a Business Continuity Plan Worth (Part 1)
I was reminded of this question — often asked, rarely satisfactorily answered — when I was listening to a local radio station recently. The station was running a phone-in game in which its listeners could win cash. The game worked like this:
A list of increasing dollar amounts is read out at approximately one-second intervals. The amount increases by $100 each time (e.g. $100, $200, $300, …). At any point, the caller can say Stop and collect the last amount read out. What makes the game interesting (and makes the caller say Stop) is that there is also an alarm clock set for an unknown delay. If the bell on the alarm clock rings before the caller calls Stop, the caller gets nothing.
This game offers some interesting analogies if we consider the decision to write a business continuity plan. Suppose you don't have a plan. Your company will actually be worth more each year (in the sense that it will have more cash) as a result. Then the bell goes off: disaster strikes, you didn't have a business continuity plan written, and you lose. The company is either non-existent, or worth considerably less. At any point you could have said Stop, and written the business continuity plan. Each year you made a gamble where the odds were in your favor, but ultimately the gamble failed and you lost.
So what is the best strategy for the game?
One way of looking at the game is to ask ourselves every second whether we should quit or stay in the game.
Let's assume that the game is set up so that there is a probability of 1/10 that the bell will go off during any second, and assume that we have already “won” a capital of C dollars.
If we quit, we walk away with $C. We receive $0 for deciding to quit.
If we stay in the game, we have a 9/10 chance of collecting $100, but a 1/10 chance of losing $C. Our expected payoff for staying in the game is therefore:
(9/10) * $100 - (1/10) * $C
This will be the better alternative if it exceeds the $0 we receive for quitting. Rearranging and solving for C, we find that we should stay in the game until our capital is $900, at which time we should quit.
Assuming that you use this strategy, how much can you expect to win by playing the game?
To acquire $900 you need to “win” for 9 seconds. Your chances of doing this are (9/10)^9, or approximately 0.3874. So if we have a 0.3874 chance of winning $900, our expected winnings are 0.3874 * $900 = $348.64 (approx).
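The stay-or-quit rule and the expected winnings above can be checked for every possible stopping point at once. The following is an added example, not part of the original article; the function names are illustrative, and the step and bell probability are parameters so the same check can be rerun with other pay-offs and odds. It uses exact fractions, so its figures are unrounded.

```python
from fractions import Fraction

STEP = 100                # dollars added each second (value from the article)
P_BELL = Fraction(1, 10)  # per-second chance the bell rings (value from the article)


def marginal_gain(capital, step=STEP, p_bell=P_BELL):
    """Expected change in winnings from staying one more second with `capital` banked."""
    return (1 - p_bell) * step - p_bell * capital


def expected_winnings(n_seconds, step=STEP, p_bell=P_BELL):
    """Expected payout of the policy 'say Stop once n_seconds amounts have been read'."""
    return (1 - p_bell) ** n_seconds * step * n_seconds


def best_stopping_points(max_seconds=30, step=STEP, p_bell=P_BELL):
    """Return (targets, value): every stop-at amount that maximises expected winnings."""
    values = {n * step: expected_winnings(n, step, p_bell)
              for n in range(max_seconds + 1)}
    best = max(values.values())
    return sorted(t for t, v in values.items() if v == best), best


if __name__ == "__main__":
    for n in range(6, 13):
        c = n * STEP
        print(f"stop at ${c:>5}: expected ${float(expected_winnings(n)):7.2f}, "
              f"gain from one more second ${float(marginal_gain(c)):+6.2f}")
    targets, value = best_stopping_points()
    print("optimal targets:", targets, "expected value:", round(float(value), 2))
```

At $900 the gain from one more second is exactly zero, so stopping at $900 and stopping at $1000 have the same expected value; below $900 staying pays, above $1000 it costs.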
So that's the game and the analogy. By adjusting timescales, probabilities, and pay-offs we can start to answer the questions: Should I write a Business Continuity Plan now? and How much is a Business Continuity Plan worth?
But before we try to answer these questions, let's note some significant limitations of the analogy. A BCP won't protect a business against all reasons a business might fail. For a new business, the probability of failure for a reason that the business continuity plan won't protect against is particularly high. Also, a business is worth more than the value of its assets; at the very least it should be worth the discounted value of its future earnings.
Before we go further, however, let's look at one method of BCP valuation, found in a number of textbooks, which is certainly questionable if not wrong. (It also, incidentally, highlights one area where our game analogy breaks down.)
The method is generally explained through an example similar to this:
Suppose we are considering the installation of a backup generator so that our servers can continue operation in the event of an extended power failure. Assume that we lose on average $50k for each extended power failure, and on average there are two such failures a year. The backup generator will prevent all such failures.
Calculate the Annualized Loss Expectancy (ALE) by multiplying the Annual Rate of Occurrence (ARO) by the Single Loss Expectancy (SLE):
ALE = ARO * SLE = 2 * $50k = $100k
If the annualized cost (taking into account depreciation, training, and maintenance) of our backup generator is less than $100k, we should install the generator. If it is greater, then we should accept the risk and not buy the generator.
Since a business continuity plan is a countermeasure (like the backup generator) its value can be established using the same technique.
If you agree with this analysis, I have a question for you: Why does anybody ever buy insurance?
Insurance companies demonstrably get rich by charging their customers a premium which considerably exceeds the Annualized Loss Expectancy. The premium you pay has to cover the ALE plus the insurer's costs and profits. Thus the price you are paying for insurance is always greater than your expected loss, and buying insurance is never worthwhile.
There is obviously something more at work here, but what is it?
For that, you'll have to wait for Part 2 of this article.