It’s important for business continuity professionals to be knowledgeable about the ways being unprepared for disruptions can harm their organization. How else are they going to make the case to senior management that building a good continuity program is worth the effort?
In today’s post, we’ll look at the costs, direct and indirect, of being underprepared for a disaster event.
THE CASE OF CHERNOBYL
The new HBO miniseries Chernobyl is getting a lot of attention this month. The story of the fire that broke out in one of the reactors of the Chernobyl nuclear power plant hits close to home for anyone involved in business continuity and crisis management. The incident is an extreme example of multiple failures stemming from oversight, lack of emergency planning, poor design, and poor crisis management.
The costs of the Chernobyl accident are widely thought to include dozens of deaths from intense radiation exposure, thousands of cases of lifespans being shortened by radiation, and 100,000 square kilometers of land being contaminated by fallout. The disaster also cost hundreds of billions of dollars to clean up and was blamed by Mikhail Gorbachev for having brought down the Soviet Union.
The costs will probably not be equally high if there is a disaster at your organization for which people are unprepared. But the impacts could still be substantial.
PUTTING THIS INFORMATION TO WORK
There are many reasons a BCM professional should be knowledgeable about the costs an organization must bear when it is struck by a disaster for which it is not prepared.
The main one is that it is part of the critical content of the field, something one must know to be considered a true BC professional.
Another good reason is that this information can be very useful when it comes to winning the support of senior management for BC activities and initiatives.
As we’ve discussed elsewhere, if you want management’s attention, you have to talk their language. If management understands nothing else, it understands the language of costs.
How can you put this information to work for you? Use it to explain to your senior managers why BC is beneficial to the organization and worthy of their support.
DIRECT VS. INDIRECT COSTS
Below is a breakdown of the different ways disasters negatively impact organizations. You will already be aware of most of them, but there may be some you have not thought of before.
I’ll divide the list into direct costs—those which the company must spend money to remediate—and indirect costs—those that are more intangible and harder to quantify.
When a disruption strikes an unprepared organization, there are usually significant direct costs, meaning impacts the company must spend money to address. These include:
- Loss of revenue. Revenue lost because facilities are unusable or systems are down as a result of the event.
- Equipment or asset damage. Articles damaged or destroyed by the event that must be repaired or replaced at the company’s expense. An example might be a piece of machinery damaged in a flood.
- Remediation of systems and core business processes by outside personnel. If, for example, you experience a cyberattack and bring in an outside consultant to remediate it or investigate, that would be a direct cost.
- Legal and regulatory impact. Litigation costs and fines arising from the event.
Indirect costs tend to be diffuse and harder to quantify than direct ones. But over the long term they can be even more damaging.
For companies with business continuity insurance, indirect costs are not covered by the typical policy. For example, if you have cyber insurance, the policy might cover the forensics of examining a data breach. It will not cover the loss of goodwill which the data breach brings about.
As you read the list below, you’ll see how devastating indirect costs can be, and how the strategy of not worrying about BC and trusting to insurance to take care of any problems is short-sighted.
- Damage to or loss of mission-critical data. Any resources the organization spends repairing or recovering data affected by a disruption, including employees’ time, amounts to an indirect cost.
- Productivity impact. Did the event reduce the company’s productivity in any area? That’s an indirect cost.
- Remediation of systems and core business processes by employees. As mentioned above, if contractors are hired to tackle this job, it’s a direct cost. If the company’s regular employees do it, it’s an indirect cost.
- Lost confidence among key stakeholders. If your company experiences a negative event for which it is not prepared, and that event harms your stakeholders or even just becomes known to them, they might lose confidence in the company in certain respects. This loss of confidence can last a long time, putting an invisible drag on everything you try to do moving forward. It can also result in some things being overscrutinized and others being neglected.
- Brand and reputation loss. When an organization experiences a disruption for which it is not prepared, one common consequence is that the public loses faith in it. Current and potential customers may develop a negative attitude toward the company and avoid its products and services. This is especially so if the organization is perceived to be to blame for the problem or to have been inadequate in its response. It’s true that many companies have recovered after suffering a loss to their brand and reputation. Others have been put out of business by it.
A LESSON FROM CHERNOBYL
Chernobyl was a tragedy that was exceptional in its impact but which points up an important everyday truth: When companies are unprepared for disasters, they pay the price in many ways.
At businesses, these costs can be divided into direct ones such as loss of revenue and indirect ones such as harm to brand and reputation. BCM managers should familiarize themselves with the full range of disaster costs and impacts. They will find this information especially useful when trying to convince management that support for business continuity is worthwhile.