Charlie looks at the evolution of the BIA and explains his reasons for no longer looking at financial impacts when conducting a BIA.
This week I spent some time teaching the GPG course in-house for a bank. We had a long discussion on BIAs and the advantages and disadvantages of including financial impacts in a BIA. So I thought I would share why I don’t look at financial impacts when conducting a BIA.
When I first started in business continuity twenty years ago, financial impacts were a key part of the BIA Excel spreadsheet and there were a series of boxes looking at financial impact over time. This was done for every activity and served as a key justification for the cost and effort in rolling out business continuity. The bigger the financial impact discovered, the better.
When I joined one of the companies I worked for before becoming a consultant, I inherited a BIA. It was produced by one of the pre-eminent consultancies at the time, who are still a strong player in the market now. One of their key findings, which seemed to me a justification for the very large fee they charged, was that if there was downtime at the company’s main office, the company would lose £25m a day. This seemed an extremely important discovery and a justification to all involved for the large cost of the project.
When I came to conduct the BIA again, I did some further analysis. The first thing I did was look at the end-to-end process of billing, to money coming in to the company. On closer inspection, I found the consultants doing the BIA had counted the money four times, so the loss of £10m for one business was the same £5m going through the next business. So instead of identifying the £10m that went through the end-to-end process, they had added up the same money four times to come to the £25m figure. I then looked at the £10m figure, which was a real figure the company banked every day, confirmed by the finance department. I very quickly worked out that due to the business model, the customer’s meter was running, so if the company couldn’t collect the money on one day, they could collect the money in the future. The money was still owed to the company and so this was just ‘delayed’ income. The real cost to the company was £10k a day in lost interest, which was not such a high figure to justify the amount spent on the consultancy.
Ever since this day, I have grown more and more cynical about recording money in my BIAs, as in the majority of cases the figures are meaningless and don’t actually add anything to the analysis.
First of all, there is absolutely no point trying to look at the financial impact of most support functions. If HR wasn’t operating, how do we determine the cost of the downtime and what is it based upon? What is the cost of not hiring one person (potentially a cash saving), and if a tribunal is delayed, how do we calculate the impact? Even if we took the cost of HR’s wages when they are not working, they might do some work even if they have been sent home, and do we calculate it as a loss if we let them off at lunchtime before Christmas?
When we look at parts of the organisation which make money, it is still hard to calculate the loss of their downtime. For many, or even most organisations, if you cannot buy from the organisation, then with a bit of communication you can persuade your customers to hold on and buy from you when you are up and running. Even in the field of generic consumer goods, many customers may stay loyal and if Branch A burns down, they will make the extra effort to go to Branch B. It may not be convenient, but they will stay loyal. It is difficult to calculate if an organisation is down for a while, what the tail off of customers would be and how long they would wait before switching to a rival or perhaps not buying the item at all.
When we try and calculate the loss, what are we measuring? Loss of income, loss of profit or any other variables, and in all our calculations, how do we ensure consistency across all different parts of the business? A trading department could lose millions by not operating for an hour, but the downtime might also save the company if they would otherwise have made millions in losses! I am sure if we had a huge budget and time, we could get a team of accountants in to do lots of modelling and they may be able to come up with a realistic figure, but for me the time and effort does not add great value to the BIA.
ALE (Annual Loss Expectancy) was a way of calculating this, which was the number of incidents per year multiplied by the estimated loss per incident, but again how do we calculate the number of incidents and secondly how do we get a meaningful number for the impact? This has now fallen out of fashion and I have not seen anyone using it recently.
There are some ways of making use of financial figures in BIAs. You could have a bracketed amount: so low is less than £100k loss, medium £100-£1m and high £1m plus. This gives you a quick and rough financial calculation. Even so, you need to look at the measurement – is this in loss of income, loss of interest, turnover or profit? You can also look at fines for not delivering to customers or from regulators. Again, if the incident is not your fault they may not enforce the fines and penalties on the day.
The BIA is all about trying to understand the time criticality of activities and identifying what activities have the greatest impact on the organisation and need to be recovered first. The current industry fashion is for BIAs to get leaner and less precise. The days of taking a year to do the BIAs are gone. When conducting the BIA, we should only collect what we can use and what informs our decision-making and not collect meaningless or inaccurate information. Do not collect financial information for the sake of it!
Chris Green FBCI MSc
Head of HSE&BCM Risk Management at Novartis commented: Correct, Charlie – it’s useful to get a “feel”, but nothing more. One insurance company I worked with calculated the cost of downtime as being $30 BILLION. That was interesting for an organization that made $100 million profit per year. What they had counted was the total value of assets under management – which were not at risk during this downtime. The number was precise, but absolutely wrong. As we’ve pointed out to other commentators, people performing bad BIAs doesn’t destroy the principle of understanding and prioritizing.
Name: Not known: ‘Well! I like your arguments, I really do, but you only have (or mention) one case, so that’s not enough to do statistics upon it. Nevertheless, maybe, if financial arguments are used, they should be better defined. However, in the end, I cannot agree on not using financial arguments on one case. Defining the (financial) situation should be key according to me.’
Eugene Taylor: ‘I agree that the BIA should not address ‘financial’ impacts for the sake of it. All impact categories and those relevant to the BIA should stem from Risk Management policies of the business – and hence fits nicely the ‘context’ of the organisation giving credibility to the scope of the BIA. However – in certain sectors it may be unwise to discount financial impacts. Also bear in mind that the executive might wonder about the distinct lack of such information and may well question why they need a management system or BIA if there are no financial impacts.’