Justifying Contingency Plans
- Published on October 29, 2007
We don’t have to worry about anything, nothing can happen to us here.” “We’ve never had any problems before.” “Our other locations can back us up.” “We don’t need our computer, we’ll just go back to our manual system.” “ Insurance will cover everything.” Sound familiar? You only need to watch the news or read the paper to realize both natural and man-made disasters seem to be occurring more often and with more devastating results.
With businesses’ increasing dependence on their Information Systems’ ability to provide instant information, the losses associated with each unplanned outage can grow and compound at an alarming rate. It is a commonly held opinion that businesses nowadays are more vulnerable to disasters impacting themselves, their financial institutions, suppliers, labor unions, utility providers, customers and others. A reliance on federal, state and/or local government assistance following a disaster may delay a business’ recovery. The first priority of emergency agencies is to save and protect people.
The lack of contingency preparedness will ALWAYS result in a higher cost to a business. This condition is compounded by unrealistic, complex and/or out-dated procedures. Disasters impact a business in both measurable and immeasurable ways, directly and indirectly. Lost revenue, falling stock prices, all sorts of outage related costs, reconstruction costs, etc. are all examples of direct and measurable results of an unplanned outage or disaster. Damage to the business’ reputation, customer loyalty, customer satisfaction, customer confidence, higher risk for business loans and employee moral are some examples of impacts difficult to measure. Escalating prices of insurance due to disaster claims in your area directly impact businesses’, families and personal budgets.
Justifying contingency plans is a little like the proverbial chicken and the egg. First, a budget for a Business Impact Analysis (BIA) must be justified. A BIA yields detailed information like dependencies on Information Systems, how long current inventories will hold out, retained earnings and how fast they will exhaust, other financial exposures and much more. The same type of information may be necessary to justify a budget for a BIA in the first place. Approaching this dilemma from a higher, and more simple view can help validate the need for contingency and disaster recovery budgets.
A business has only a limited budget within which to operate. If there’s any hope of securing funds for disaster recovery contingency plan development, implementation and ongoing maintenance, the business case and all associated supporting reasons MUST get, and keep, the attention of the executives and upper level management. That usually means looking at the financial “big picture” from an executive perspective, with regard to contingency preparedness, and outlining the possible ramifications to the executives of noncompliance to regulations. Prepared with that information, it’s up to the executives to approve full funding, limited funding or no funding.
Understanding that you may rarely, if ever, have the opportunity to seriously discuss the supporting reasons and benefits of disaster recovery contingency preparedness with executives or upper level management, it is important to get their attention the first time the occasion rises.
A subject that usually grabs their attention is Money ...revenue ...capital ...cash ...profit, whatever you want to call it. Specifically, the potential loss of it captures their focus. In Accounting 101, we all learned that Revenue minus Expenses equals Profit. Well, if a disaster or any unplanned outage interrupts a business’ anticipated cash flow or expenses increase, the equation changes dramatically and quickly.
It is important to use the “big picture” figures. Keeping the business’ “big picture” envisioned is a sizable challenge, but without it the executive perspective of the whole business gets lost while we are consumed by the non-executive departmental details and accounting methodologies of the day.
In the following example of a hypothetical mid-sized business, the equation on the left might be normal profit and the equation on the right might be a disaster or unplanned outage potential loss. The formula (Revenue - Expense = Profit) stays the same regardless of the business’ size.
In the example of the hypothetical business above, the potential disaster loss is approximately $90,000 per day. An outage of 10 days would accumulate a loss of approximately $900,000. Business interruption insurance may relieve some of the accumulated loss, but chances are pretty high insurance would not cover all of it. It wouldn’t take long to put the example company out of business. The demise of this business may come within days or take months of struggling with an enormous loss, only to end up in agonizing bankruptcy proceedings. Either way, the chances of successfully coming back from this example outage are not good. Using this formula, the duration of a disaster or unplanned outage a business can sustain should become uncomfortably clear.
Now, apply the formula to your business’s figures. Gather your business’ revenue and expense figures for a period of time (i.e. hourly, daily, period ending, etc.) and substitute them in the example. Revenue is tricky, be realistic and don’t exaggerate.
For example, your business may be able to manually take orders, but not be able to act on them. Retained earnings is considered revenue but may be exhausted quickly, effectively producing limited or zero revenue.
Normal expenses (i.e. facility rent, utility bills, payroll, material costs, taxes, etc.) will stay approximately the same. Disasters don’t typically absolve debts or postpone due dates.
Estimate your projected outage expenses (i.e. public relations, spoiled goods, fluctuation of prices and interest, temporary facilities, penalties and fines, etc.). Be generous in your potential outage figures, unexpected expenses always occur. Underestimating a business’ exposures can skew the “big picture”, often resulting in a belief that contingency plans may be unnecessary. Substitute your projected outage figures in the example. Calculate your business’s “big picture” normal profit and disaster potential profit or loss.
Obviously, this approach does not fit every possible industry or business type, but there are few exceptions. Even if you think it doesn’t fit, try to apply your business’ figures to this formula. You may be surprised. Again, keep the figures at an executive perspective and don’t get bogged down in the “but what if” details.
Another way to get the attention of the executives and upper level management is to expose the business’ (and the executives) non-compliance to regulations.
The Foreign Corrupt Practices Act of 1977, an amendment to the Securities and Exchange Act of 1934, deals with the fiduciary responsibilities of officers and directors (executives) of corporations towards the assets of the corporations.
Specifically, the “standard of care” is the concept by which the actions of officers and directors may be judged legally. In the legal publication “Corpus Juris Secundum” (CJS) the “Standard of care” is defined as follows; “A director or officer is liable for the loss of corporate assets through his negligence, fraud, or abuse of trust.” (CJS Corporations, Volume 19, section 491) Further in the same section, CJS defines more clearly that “The directors and officers owe a duty to the corporation to be vigilant and to exercise ordinary or reasonable care and diligence and the utmost good faith and fidelity to conserve the corporate property; and, if a loss or depletion of assets results from their willful or negligent failure to perform their duties, or to a willful or fraudulent abuse of their trust, they are liable provided such losses were the natural and necessary consequences of omission on their part.”
Another regulation, issued by The Comptroller of the Currency in 1983, is Banking Circular (BC) 177. It was revised in 1987 and again in 1989. The 1989 revision to the circular was issued jointly by the Comptroller’s office and the Federal Financial Institution Examination Council (FFIEC).
The 1989 revision of BC 177 states: “The loss or extended interruption of (business operations, including central computer processing, end-user computing, local area networking, and nationwide telecommunications) poses substantial risk of financial loss and could lead to failure of an institution.
As a result, contingency planning now requires an institution-wide emphasis, as opposed to focusing on centralized computer operations.”
The Joint Commission on Accreditation of Healthcare Organizations (JCAHO) also recognizes and requires the same types of emergency preparedness and contingency plans for health-care organizations. The second standard in JCAHO’s 1994 Information Management Requirements is quite clear. Information Management (IM) section 2.1 states “The hospital must have both a plan and a process in place that describes who has access to information, the information to which an individual has access, the confidentiality, and a way to secure information against intrusion, corruption, and damage.” IM2.2 continues by saying “A hospital must show it has systems in place for timely and easy access to information and that the data are safeguarded.” IM2.3 brings section 2 into focus as follows, “The hospital must protect records and information against loss, destruction, tampering, and unauthorized use.”
These legally enforceable regulations clearly reflect a recognition of the need for contingency planning and implementation. Further, they put the responsibility of protecting a business’ assets squarely on the shoulders of executive management.
The Security Exchange Commission, the Office of the Comptroller and the Joint Commission on Accreditation of Healthcare Organizations, in enforcing these regulations and statutes, may seek injunction against non-compliance, institute administrative proceedings or even implement criminal proceedings against executives and others who fail to exercise appropriate disaster recovery contingencies.
Sometimes it’s difficult to tell your boss and your boss’s boss what their fiduciary responsibilities, duties and liabilities are. Those types of discussions can, occasionally, be career limiting. But, by changing the perspective to a more positive tone, you may be able to get their attention and preserve your career opportunities.
By defining, planning, implementing, testing and maintaining adequate contingency measures, the executives and upper level management may take comfort in their compliance with the regulations and the knowledge that their business assets are adequately protected. They are less likely to be the subjects of penalties, civil law suits and/or criminal prosecution.
Between the “big picture” profit/loss potential and the regulation compliance, you should be able to get the attention of the executives.
But, it’s always good to have possible solutions to counter the uncomfortable questions you’ve now raised.
Hot-site vendors can provide you with budget prices for hot-site coverage, mobile-site coverage, end-user coverage, etc.
Your local and long distance carriers can provide routing alternatives for your networks. These kinds of outage coverage can only be maximized with a developed and maintained contingency plan.
Frequently, a Business Impact Analysis (BIA) is necessary.
Hot-site vendor consultants and independent consultants can provide you with budget prices for a BIA and contingency plan development.
In keeping with the hypothetical mid-sized business example shown above, let’s put it all together.
The following example should help justify funding a one time budget cost of $25,000 for a BIA and Contingency Plan development and maintenance with periodic disaster recovery testing for the example business.
It should also justify funding a yearly budget cost of $60,000 for recovery capabilities (i.e. hot-site coverage, end-user coverage, alternate facilities, network, etc.). In this example, we’d be asking for funding of $85,000 ($25K +$60K) for this year and $60,000 for next year.
That may sound like a lot of money, but an outage of 2 days would incur losses of approximately $180,000. Normal expenses will increase based on the contingency coverage (i.e. $60K/365 days=$164/day). Outage expenses may be public relations, spoiled goods, fluctuation of prices and interest, overtime and others.
Contingency expenses include things like disaster coverage implementation (i.e. hot-site), travel and salvage expenses and fees.
Appropriate contingency plans will enable the example business to realize a limited profit after a disaster and avoid devastating losses. The old saying “pay me now or pay me later” is certainly appropriate. As illustrated in the example, “pay me later” may be gambling the business’ survival.
Executives and upper level management are often uninformed of the possible penalties for non-compliance to regulations.
They may also be unaware of the financial exposures resulting from a disaster or unplanned outage. By coupling these two compelling arguments for disaster recovery contingency plans, and presenting them with some alternative solutions, funding can often be justified. By going through this financial exercise, it is easier to approximate a budget for a BIA and contingency planning, implementation and disaster recovery by finding a balance between contingency/recovery and potential loss.
Gaining the executive’s conceptual and financial backing of contingency planning, implementation and disaster recovery makes it much easier to incorporate these strategies and policies in all aspects of a business’ functions. Eventually, it becomes part of a business’ everyday life.
Jeanne D. Powell, CDRP, is an Advisory Business Recovery Specialist with IBM Business Recovery Center in Dallas, TX.Printed in Fall 1995