Part 1 answered the question: “Do efforts to prepare for recoverability have a return on investment (ROI)?”1 The answer is that they do, but only if the efforts involve investments which also directly or indirectly benefit operational services. Otherwise, there is no ROI unless the organization suffers an incident.
This answer seems disappointing because it boils down to: “It depends.”
On what does it depend? It depends both on the capabilities of the continuity professional and the culture of the organization.
Both the practitioner and the organization must be able to take advantage of positive ROI opportunities. If the preparedness professional is smart and creative enough, and if the organization is receptive, s/he can manipulate those occasions to provide additional benefits to operations.
This means there is little inherent in the discipline of preparedness planning which can guarantee an ROI (outside of an actual incident). There is nothing embedded in best practices, perfectly executed, which allows any given practitioner to control or ensure such an ROI. A decent practitioner may adroitly lead an organization through a robust planning methodology and still fail to provide additional ROI. The discipline cannot make assurances that a certified continuity planner will provide any pre-incident benefits to an organization. The dependency is outside of the control of the methodology.
Will the new DR server also be positioned for data warehousing? Will an analysis of processes allow for Six Sigma-style improvements? Will a modified website lead to increased customer satisfaction? Will clearer technology requirements help save IT costs by eliminating outdated storage? Or will all this effort be sunk cost and overhead? The answer is, “It depends.”
It takes effort over and above fill-in-the-blank style continuity planning to see beyond immediate data gathering and move an organization to benefit from preparedness efforts. And this can only happen if the organization is receptive to these opportunities. If the culture views preparedness as simple overhead, a one-time project to fill in the document and move on, it will likely be unable to realize new advantages. If executive leadership will not support preparedness efforts, discovering and providing secondary benefits becomes increasingly difficult.
Ironically, this dependency may be good news to some. Because not “just anybody” can bring ROI to an organization during the planning effort, it allows some individual planners to stand out from the crowd. The organization will obtain more value from an individual who can move beyond filling in forms to take advantage of opportunities, especially in the case where an organization feels obligated but not enthusiastic about planning.
This also indicates a potential advantage of using professional preparedness planners in favor of executive assistants and business analysts. The ROI is likely to be higher with a dedicated practitioner than an inexperienced staff member with an internet template. It means that more value is likely to come from a smart and creative practitioner, thus justifying a bigger price tag to hire someone with a background in preparedness. But the value is never guaranteed.2
It is clear that the ROI question is a bad one from the get go. It sets the wrong expectations for stakeholders, and looks to benefits which, as we have seen, cannot be guaranteed by the discipline. It focuses on the wrong sorts of topics, misrepresents the real value of preparedness, and puts the practitioner on unstable footing.
So, if the ROI question is ultimately a damaging one for the profession, how do we replace it with a better question?
Now that the ROI question has been answered, it is possible to try and put it behind us. In this vein, there are three recommendations to try and quarantine the ROI question, mitigate its effects, and put practitioners back on the right path.
Recommendation 1: If you must answer the ROI question as originally posed, respond only using contextual specifics
The solution to the ROI problem indicates that any ROI (apart from an actual incident) is dependent upon the skills of the practitioner and the culture of the organization. This means that nothing can properly be said about benefits that just any planner in just any organization can provide. ROI is always contextual.
If stakeholders press for an answer to the ROI question, then potential benefits must at least be outlined in terms of what an individual practitioner can provide for a specific organization. Some examples might go as follows: “During the course of our preparedness work I believe I can provide secondary benefits to this organization such as:
- Improved general communications resulting from the development of crisis communication strategies, a standby “dark site,” and automatic notification systems
- Increased understanding of our vendors and their capacities resulting from our focus on supply chain continuity
- Reduced spending on IT resulting from an analysis of service owner requirements cross indexed against legacy systems and electronically stored data
- Streamlined processes resulting from an examination of how services would continue under adverse conditions and subsequent process reengineering efforts and Six Sigma corrections.”
The list goes on, but should always be contextually framed for a specific individual in a specific organization’s culture.
Practitioners can answer the ROI question honestly, do so unapologetically, then properly refocus the discussion. The practitioner can explain why the ROI question isn’t the best one that can be asked about preparedness planning. Because it isn’t.
Recommendation 2: Replace the ROI question
Recoverability ought to be about one thing: Preparing an organization to recover services.3 This is a purposefully narrow scope and it provides advantages as such. It does not purport to expand its scope to resilience, sustainability, prevention, or any other all-embracing concept. This scope focuses on increasing the ability of an organization to recover its services following a significant incident. Should it provide an ROI along the way, so much the better, but such added benefits are based on the individual practitioner and the culture of the organization.
The decision to undertake preparedness planning must ultimately rest on the risk appetite of the organization. If leadership feels there is a risk to its ability to recover, and they deem it critical to be able to recover, then preparedness planning is required. Importantly, there is no other discipline which can replace preparedness planning. As defined, this is precisely the discipline needed to improve an organization’s ability to recovery. All the Enterprise Risk Management, IT DR, insurance, and Emergency Management efforts in the world will not assure an effective recovery following a significant incident. This assuredness is the purview of the preparedness planner.
The proper question to replace, “Do efforts to prepare for recoverability have a return on investment (ROI)?” is this:
“To what degree will (professional) preparedness planning improve my organization’s ability to recover from a significant incident?”
Stakeholders want to know how confident they can be that their organization will recover from disaster. “If we follow your method, will we be able to recover our services?”
This, at last, is the question that stakeholders should have asked from the beginning. It is a question worth asking and worth answering.4
Recommendation Three: Work towards better answers to the right question
What stakeholders, lawmakers, philanthropists, communities, and practitioners alike need to know is: What kind of preparedness activities increase an organization’s ability to recover and to what degree? Sadly, the discipline cannot offer an answer at this time. We are unable to fill in a number to say: Organizations that have and utilize a practiced continuity plan in response to a disaster are n percent more likely to remain in business than those that do not.5
If an organization commits to preparedness planning, the profession then has the obligation to offer up proven best practices based on solid evidence. Case studies and best guesses are not enough. A discipline built on intuition will ultimately deteriorate. Recoverability must continually strive to provide firm footing for the recommendations it makes to its customers.6 A dedication to theory and research, empirical data, as well as practice, must be made, and within narrowly defined scopes. ERM, IT DR, emergency management, insurance, and organizational recoverability must each have clearly delineated bodies of knowledge, and must continue to hone and improve such knowledge within their delineated spheres.
This is a tall order to be sure, but one the profession should be in a position to undertake. There are now sufficient organizations, professionals, networking methods, and experience to focus efforts and come up with creative and innovative solutions. The question does not have to be answered overnight. The point is to begin work on answering the right question.
In conclusion, now that the ROI question can be answered within a context, understood as having been the wrong one from the start, and replaced with a better question, both practitioners and stakeholders alike can refocus their expectations and energies on the inherent value of preparing organizations to recover their critical services. As this aspiration expands from organizations into communities and throughout nations, the profession can hope to ensure a more stable society in the face of new threats and continued challenges.
A Final Note: Costs Of Not planning
While outside the exact boundary of the ROI question, it is critical for all stakeholders to remember that there is indeed a cost associated with not undertaking recoverability preparedness. While these costs only occur with an incident, they must be anticipated and incorporated into any expression of an organization’s risk appetite. A visual representation of such costs might be shown as follows.
- To properly answer the question, the scope of the question is purposefully narrowed to recoverability: The ability to recover services, individually and/or holistically, within the targets of time and degree following a physical loss and/or a loss of staffing. The scope is not expanded to include readiness, resilience, survivability, sustainability, or any other all-embracing concept.
- Perhaps this dependency is what drives so much uncertainty in the industry regarding how to obtain executive sponsorship and where to place continuity planning programs. If senior leadership demands an answer to the ROI question, preparedness planners can only accurately respond, “It depends.” Given that this answer is not particularly satisfying, it forces practitioners to backpedal. They fall back on accepted, related disciplines such as strategic planning, risk management and insurance, and even IT DR to justify their efforts. But making analogies with existing disciplines will either reinforce the validity of asking the ROI question, or will set the wrong expectations, neither of which is advantageous to the profession or the professional.
- Specifically: Preparing an organization to recover services individually and/or holistically, within the targets of time and degree following a physical loss and/or a loss of staffing.
- This question is, perhaps, frighteningly simple. It means that the value of planning is contingent upon risk appetite. Either leadership (or, in some cases, regulatory bodies) deems it important to improve recoverability, or it does not. If leadership does want to improve recoverability, then the best practices of preparedness planning are the best approach. If leadership does not, then preparedness is not valued, and there is no other legitimate argument to make. The argument for committing to preparedness planning must rightfully live or die with risk appetite. Therefore, we have replaced one dependency, the skills of the individual practitioner combined with the organization’s culture, for another, namely the risk appetite of leadership or a regulatory body; but this is entirely appropriate.
- For more on this, see: Copenhaver, John, and David Lindstedt, “How to Focus the Discipline of Business Continuity,” in the Journal of Business Continuity and Emergency Planning, Vol. 4, No. 2.
- See: Lindstedt, David, “Grounding the Discipline of Business Continuity Planning: What needs to be done to take it forward,” in the Journal of Business Continuity and Emergency Planning, Vol. 2, No. 2.
David Lindstedt, PhD, CBCP, PMP is the Program Director for Enterprise Continuity Management at The Ohio State University, the largest university in the United States. He is the creator of the RPC Model of Organizational Recoverability and author of “Measuring Preparedness and Predicting Recoverability.” Dr. Lindstedt has presented at numerous conferences and has published several articles in international journals. He has taught continuity planning for Norwich University and currently serves on the editorial board for the Journal of Business Continuity and Emergency Management.