The cost of readiness vs the impact of failure
- Organisational Resilience
Middle East Risk Watch - Issue 8 - December 2017
The cost of readiness vs the impact of failure
For many organisations the costs associated with implementing an effective crisis readiness, response and recovery programme can be daunting. The headline is simple: any organisation needs to have a crisis and continuity capability in place in order to prevent or minimise consequential losses following an incident. For listed companies these capabilities are critical to protecting shareholder value. But why is it that so few organisations across the Middle East have a joined-up crisis management, business continuity and response capability, particularly one that is complemented by a resilient IT infrastructure? Our experience has shown that “Our experience has shown that a lack of budgeted funds directed at developing such a capability is the result of the poorly publicised regional analysis of the likelihood, impact or associated costs of business interruption.
The impact of failure
One of the issues risk, security, crisis, continuity and resilience managers have had over the years is the articulation of the costs associated with a major incident to other stakeholders in their organisations. For example: How much does an incident “cost”? How do you create a business case for having a comprehensive response capability?
Some elements of impact are fairly straightforward, such as the costs associated with the physical replacement of assets or lost revenue from business activities that couldn’t be completed during the outage. However, others are more difficult to establish. For example, how do you assess the cost of the deterioration in customer confidence or brand damage due to a data breach and loss of customers’ personal data, which might not immediately affect your revenue? And how does that affect the organisation over time, when the impact of an incident could take months or years to materialise?
The brand and reputation of an organisation are intangible aspects of value. However, an organisation’s prestige, brand recognition and customer loyalty all have a dramatic impact on performance prospects over the longer term. If damaged, the consequences do not necessarily materialise financially at the time of the incident. Samsung and Sony are two recent examples of big brand companies for which the potentially explosive Note 7 battery and the online gaming data breach, respectively, will have a longer term impact on future sales. These consequences are unlikely to fully manifest themselves for several years, but forewarn a potential loss of market share as the companies’ customers switch to alternative brands as a result of a reduction in brand loyalty.
With physical or security-related incidents, the financial impact is easier to quantify. As the Deepwater Horizon incident demonstrated, the total cost for the incident for BP is estimated at over $60bn. However, this figure excludes the reduction in the capital value of the organisation due to the share price discount of 55% in the weeks immediately following the incident, recovering to 30% over the subsequent 18 months.
The other element that this incident highlighted to contingency planning and recovery specialists globally (for the first time in such a high-profile event) is the impact that social media can have on the recovery effort and an organisation’s ability to manage its messaging to minimise consequential losses (e.g. shareholder value). While the initial loss of life and the environmental disaster were unfolding, the world was at least as focused on the CEO’s repeated public relations gaffes and the organisation’s failure to understand the impact of social media and the Public Relations backlash it would create. However, incidents costing organisations $60bn are without doubt the outliers. Research across our client base where little or no preparation or planning had been implemented shows the average annual financial impact of crisis incidents and disruptive events over the past two years to be between $500,000 and $1m. These numbers are more appropriate when constructing a business case for your organisation.
The cost of readiness – justifying your business case
But what if these organisations had implemented a higher state of readiness, incorporating active programmes for preparation and prevention? It is important to point out that initiating a readiness programme is always the most expensive element of establishing a resilient organisation. Keeping that programme operational and continuing to monitor risk is subsequently a less costly, yet valuable and essential, ongoing operational activity.
Typically, the cost of implementing a readiness, response and recovery capability that, for example, establishes policies, a framework and procedures as well as validation testing, training and exercises will vary from $150,000 to $275,000, plus the cost of your internal resources assigned to support and guide this activity. Subsequently, the year-on-year costs of maintenance, monitoring and continuous improvement range from $40,000 to $100,000, depending on the size and maturity of the organisation and the level of testing and exercising conducted.
These costs exclude “optional extras” adopted by many organisations to increase their capability and capacity, such as automated workflow programmes or mass notification systems to assist during a response.
Although it is dangerous to use statistics out of context, in Control Risks’ Cyber Security Report 2017, 487 CEOs, CIOs and CROs from all over the world were asked whether they believed their organisation would be targeted or attacked by cyber criminals within the subsequent 12 months. A resounding 87% said yes. When we then isolated the data for respondents from the Middle East, this figure dropped to below 15%. Various conclusions could be drawn from the reason for this variance. However, our assessment of the outcome of these figures is that an ill-prepared region with an ever-growing rate of cyber-attacks presents a target-rich environment and organisations in the Middle East need to have a readiness, response and recovery capability in place so they do not fall victim to the increasing number of attacks..
For many organisations the business case for implementing a comprehensive readiness, response and recovery capability comes down to a combination of good management practice, regulatory drivers (where applicable) and the organisation’s tolerance of risk. Where threats are easily identified and articulated, justification for appropriate budgeting is relatively straightforward. But when threats are less obvious, a programme of awareness and education is the best way to assist in securing funds.
Ensuring that the management team, the C-suite and the company executives understand the potential impact and likelihood of an event, in simple and easily understandable terms, is the most effective method of ensuring the appropriate level of “buy-in”. Use language they will understand, link potential impact to your organisation’s objectives and those of the associated budget holders, minimise scare-mongering as this is a short-term strategy which is unlikely to ensure budgets are sustainable year on year and where possible use proven figures and statistics to support your case.
- Will Brown, Director
- Ionut Gioglovan, Senior Consultant