Posts Tagged ‘BCM’
What is the ROI of a Fire Extinguisher?
There’s a LinkedIn group called BCMIX – Business Continuity Management Information eXchange. There are over 7,000 members of this group, which I think shows just how important Business Continuity Management is in organizations today. Members can post questions to the community and get advice from other professionals who are struggling with the same issues. I’m paraphrasing here, but some of the recent topics were:
- Can you develop a profile for what types of individuals are able to manage disasters?
- How do you determine the RTO for critical systems and applications?
- What is the ROI from a Business Continuity Management Program?
In response to that last question, Peter Morris, who is a Business Continuity Coordinator for Debenhams, wrote something I really liked:
I’m always interested in the calculation of an ROI on an intangible such as a BCM program, because the true value of it, like insurance, is not really calculable until after the event. I mean what is the ROI on a fire extinguisher?
There’s really no ROI on a fire extinguisher until you need it, which, hopefully, is never. But if you do have a fire, you want the fire extinguisher that works well with the type of fire you have. There are different types of fires and different types of fire extinguishers for each type of fire. There are also combination fire extinguishers that work with more than one type of fire. For those of you who want a quick tutorial on fires and fire extinguishers, here’s a helpful website: Fire Extinguisher: 101.
Once you’ve decided what risks you want to reduce, then you should get the best possible protection at the lowest possible cost. And that’s where the ROI comes in. Our Phoenix System is like a combination fire extinguisher, because we protect data through a wide variety of disasters: floods, fires, earthquakes, bombings, hurricanes, building collapse. But we have something else going for us. We actually lower the cost of data protection, by reducing data communications costs when replicating data over distance.
Maybe there’s no way to determine the return on a Business Continuity Management plan, but once you’ve made the decision to put a plan in place, you might as well have the best possible coverage at the lowest possible cost. To help you understand the savings that an Axxana Phoenix System investment can provide, we developed an ROI white paper. I hope you find it helpful.
A Better Business Continuity Plan Lowers Insurance Rates
If you drive a car, but you don’t pay for your gas, you may not care how your driving habits affect your mileage. If you are a business manager, and you don’t directly pay for your organization’s insurance policy, you may not care how your business continuity and risk management programs affect your insurance rates.
I was very happy to stumble upon a blog post at Travelers Insurance entitled: “What I should know about risk management.” Business continuity management is an important component of risk management, and this post provides independent validation for something that, although obvious, is not often explicitly stated: A better business continuity plan lowers insurance rates.
The post makes an important point: “Risk management, particularly loss control, begins at the top of any organization.” And the way most organizations are set up, it’s not until you get to the top of the organization that all of the benefits and all of the costs come together so that the CFO can determine a return on investment. The CFO should care about how your business continuity plan affects insurance rates.
Anyone who has ever had responsibility for developing a business continuity management or risk management program knows that it’s important to have all of the stakeholders at the table. When assembling the team of stakeholders, don’t forget to include the person responsible for negotiating the business liability and loss insurance policy. Make sure that the benefits of improved business continuity and risk management are included in the determination of the premiums of the policy, and make sure that the benefits in the form of reduced premiums are included in the ROI analysis of business continuity and risk management investments. Then show it to your CFO.
Choosing Between High Availability and Disaster Recovery
For those who aren’t members of the Yahoo Group: Discuss Business Continuity, I thought it would be useful to share some excerpts from a recent discussion. This question was posted by Bill Perschke:
If you don’t have both a High Availability site locally and a replicated site for system maintenance and disaster recovery some distance away, would it be best to have just the HA site or the replicated disaster recovery site?
With regard to the HA option, Kathleen Lucey, President of Montague Risk Management and a business continuity management expert, pointed out:
If what you are talking about is local clustering in the same site, then I would not consider this to be HA. The protection afforded by a same-site clustering solution is limited to failover to the designated backup server in the event of a failure of the primary. A larger local event could take down the entire cluster, and so this is not really HA, but more properly local hardware backup.
BCM: Should or Shall in BS 25999
If you work in the area of Business Continuity Management (BCM), you are probably aware of BS 25999, published by the British Standards Institution. BS 25999 is the Institution’s standard for BCM. BS 25999 was actually published in two parts:
- BS 25999-1:2006 Business continuity management. Code of practice.
- BS 25999-2:2007 Business continuity management. Specification.
The first publication deals with the should of the standard. If an organization is considering the development or enhancement of a business continuity management program, the publication provides a comprehensive set of factors that the organization should consider. It is a set of recommendations and guidelines, not a set of requirements.
The second publication deals with the shall of the standard, meaning that, if an organization wants to claim that they have met the standard, as certified by the BSI, then these are the things that the organization must do.










