2. ABOUT THE AUTHOR
Patrick Alcantara is a Research Associate for the Business
Continuity Institute (BCI). In this role, he strengthens the BCI’s
globalthoughtleadershipinbusinesscontinuitythroughrelevant
studies. Prior to the BCI, he has worked in the education sector.
He completed a Masters in Lifelong Learning with distinction
from the Institute of Education, University of London and Deusto
University.
For more questions about this report, contact him at patrick.
alcantara@thebci.org
3. Executive Summary 3
Introduction 4
IT/Telecommunications Outage 6
Data Breach/Cyber Attack 10
Adverse Weather 17
Conclusion And Recommendations 23
How The BCI Can Help 24
Figure 16. Cost Of Adverse Weather And Natural Disasters, 1992-2010 25
CONTENTS
EXECUTIVE SUMMARY
INTRODUCTION
COUNTING THE COST
CONCLUSION AND RECOMMENDATIONS
APPENDIX
4. On the occasion of the Business Continuity Awareness Week 2014, we are pleased to present this special
report focusing on the cost of common threats to an organisation: IT and telecommunications outage, data
breach and cyber attacks, and adverse weather conditions. This report draws upon the insights of earlier BCI
studies such as the 5th Annual Survey on Supply Chain Resilience (2013) and the BCI Horizon Scan (2014). As
a meta-analysis of available literature, it also draws upon various reports and cost estimates.
The objective of this report is simple. We want to drive home the message that business continuity (BC) is
not the sole domain of an organisation’s BC professional. Ensuring an effective, robust BC programme is also
the responsibility of management, budget holders and the rest of staff. In a time where cutting budgets is the
norm, and BC-related expenses are often one of the first to go, it is important to be reminded of the cost of
being caught flat-footed in an incident. The false economy created by cutting down on business continuity
may create bigger problems that may impact on organisational resilience and viability.
The key takeaways from this report are the following:
• According to a recent IBM study on professionals dependent on high-availability IT, the cost of an
IT/telecommunications outage can vary from US$1.04 million to US$14.25 million over 24 months.
Minor incidents, on average, cost US$53,210 per minute of downtime. Further losses due to
reputation-related costs can add up to US$5.27 million for substantial incidents.
• Analysis by the Ponemon Institute reveals that the average cost of data breach and cyber attacks
stands at an average of US$11.6 million annually. Organisations report costs ranging from US$1.3
million to US$58 million to resolve these incidents. Case studies reveal staggering losses of up to
US$4 billion due to severe incidents of data breach and cyber attack.
• A Munich Re report shows that combined household and corporate insurance payouts for weather-
related damage in the United States alone cost US$12.8 billion in 2013. Extremeweather phenomena
have increased the severity of damage and value of insurance claims. The recent BCI Supply Chain
Resilience Survey has also revealed that adverse weather is a top driver of supply chain disruption,
with serious consequences for companies that experience an incident.
The purpose of this study is to quantify the financial impact of these common threats, and build the case
for strengthening an organisation’s BC programme. Nonetheless, it is important to note that as our figures
are rough estimates of the actual cost of disruption, organisations are highly encouraged to think about their
specific context in order to arrive at more appropriate data. In the end, we aim to start a conversation among
organisations and budget holders using readily understood and comparable data in order to maintain BC
investment.
EXECUTIVE SUMMARY
3
5. Business continuity (BC) goes at the heart of every enterprise. Having in place an effective BC management
programme can spell the difference between organisational resilience and financial ruin. With incidents
having a greater impact than before, it is essential to any organisation to become proactive through an
effective programme.
We are publishing this report as an urgent reminder to all that BC is not the exclusive domain of specialists.
In order to remain resilient amidst disaster, entire organisations have to get on board. Management must
exercise decisive leadership and think in terms of strengthening organisational resilience. Budget holders
must invest in moving the resilience agenda forward. Rank and file employees must remain vigilant, keeping
in mind that their organisation’s strength is a collective responsibility.
We strongly argue that having an ineffective BC management programme can cost an organisation dearly.
A single incident can cost an organisation millions and can demolish its reputation. Figures show that 40%-
60% of businesses without a BC plan never reopen after a significant incident, and the response for the first
10 days are critical to survival1
.
This report reviews existing literature, and puts together a more comprehensive account of the costs
associated with gaps in an organisation’s BC strategy. Drawing upon the findings of the BCI’s Horizon Scan
2014, we count the cost of failure to meet urgent threats: (1) IT or telecommunications outage, (2) data
breach or cyber attack, and (3) adverse weather conditions.
In drafting this report, we acknowledge that costs arising from incidents are often difficult to quantify.
The data we present in the following sections are rough and imperfect estimates at best. We acknowledge
the following limitations in drafting this report:
• The importance of context: The following figures are mostly estimates that apply primarily to
organisations that rely heavily on technology or are vulnerable to weather-related incidents (eg.
flooding, etc.). It is important to note that these are merely ballpark figures, and organisations have
to think in terms of their context (country/region, industry sector, nature of operation) in order to
arrive at an appropriate result.
• Non-statistical results: This report aims to be descriptive rather than normative. The figures cited
come from surveys conducted by the BCI and other organisations (eg. IBM, Ponemon Institute, etc.),
which also acknowledge the same limitations. Hence, statistical inferences cannot be applied to this
data.
4
INTRODUCTION
1. Open Access BPO (2013). The cost of not having a business continuity plan. Retrieved from http://visual.ly/business-disaster-
preparation.
6. 5
• Estimated cost results: The report cites costs that are based from the judgment of professionals
who participated in surveys commissioned by other institutions. Hence, these might vary from
actual cost data.
Given these limitations, it is nonetheless clear that being caught flat-footed in an incident would require
expensive and time-consuming solutions that do little to contain reputational damage. Our message is
simple: ensuring a robust response will cost less than damage control. This is a theme that we will revisit
several times in this report, and we hope to convince the wider organisation that BC is everybody’s concern.
7. A recent BCI study found that 77% of professionals are concerned about the effects of unplanned IT or
telecommunications outage2
, making it the top perceived threat for organisations. This is a valid concern, as
unplanned outages cost millions in terms of deploying solutions, lost productivity and reputational damage3
.
For organisations in sectors that rely heavily on the high availability of IT (eg. banking and finance, IT and
communication, some professional services, etc.), unplanned outages can significantly disrupt operations. IT
systems that have 99.5% reliability are still expected to suffer 44 hours of downtime in a year4
. This can wreak
havoc on organisations that rely heavily on this technology.
A recent IBM study focusing on IT and security professionals confirm this5
. By categorising disruptions
from minor to substantial, it was observed that the down time associated with these incidents can range
from an average of 19.7 to 442.3 minutes (Figure 1). 69% of organisations anticipate having one or more
minor incidents occurring within 24 months, whilst 23% expect substantial disruptions occurring within that
period (Figure 2), reflecting a wide concern.
2. Scott, A. (2014). BCI Horizon Scan 2014. Caversham, UK: Business Continuity Institute.
3. IBM Global Technology Services (2013a). The economics of IT risk and reputation: What business continuity and IT security really
mean to your organisation. Portsmouth, UK: IBM.
4. http://venturebeat.com/2012/11/14/the-high-cost-of-server-downtime-infographic/
5. IBM Global Technology Services (2013a). The economics of IT risk and reputation: What business continuity and IT security really
mean to your organisation. Portsmouth, UK: IBM.
COUNTING THE COST:
IT/ TELECOMMUNICATIONS OUTAGE
6
Figure1.Averageminutesofdowntimeforminor,moderateand
substantial disruptions (IBM Global Technology Services, 2013a)
Figure 2. Estimated likelihood of disruptions over the next 24
months (IBM Global Technology Services, 2013a)
8. In the same study, it is estimated that minor disruptions cost these same organisations on average
US$53,223 per minute, whilst more substantial ones cost US$32,299 (Figure 3). These lower figures reflect
costs being spread over more minutes of down time. However, the average total cost of disruptions become
even more concerning when analysed over a period of 24 months. Average costs to these organisations
skyrocket from US$1.04 million to US$14.26 million as a result of outages (Figure 4), with large organisations
reporting as much as US$100 million worth of costs for a severe incident.
6. http://www.emergency-response-planning.com/news/bid/54928/INFOGRAPHIC-Data-Center-Downtime.
7. http://info.isutility.com/bid/85284/Importance-of-Small-Business-Disaster-Recovery-10-Step-Plan-INFOGRAPHIC
8. http://www.cloudcomputing-news.net/blog-hub/2013/sep/26/infographic-disaster-recovery-by-the-numbers-1/
9. http://www.evolven.com/blog/7-infographics-disaster-recovery.html
10. http://blog.dattobackup.com/combat-risk-with-intelligent-business-continuity/
11. http://www.slideshare.net/EarthLinkBusiness/indographic
7
Figure 3. Estimated average cost of disruption (IBM Global
Technology Services, 2013a)
Figure 4. Estimated average cost of disruption over the next 24
months in US$ (IBM Global Technology Services, 2013a)
A parallel study by the Aberdeen Group estimates that large organisations lose up to US$1.1 million on
average yearly for substantial outages6
. Small firms on average lose US$3,000 a day, whilst medium-sized
organisations lose around US$23,000 daily due to an unplanned outage7
. Another report by Cloudtech
summarises the varying costs of major incidents on selected industry sectors (Figure 5)8
. Data indicating IT
recoverability rates for selected countries is also included in the analysis (Table 1). Furthermore, organisations
that experience an outage lasting for more than 10 days are less likely to recover its full financial capacity9
. In
fact, Datto cites US records which states that 93% of firms that lose access to their data centre for more than
10 days are likely to file for bankruptcy in a year10
. Meanwhile, Earthlink estimates that 43% of organisations
that experience substantial data loss as a result of an unplanned outage shut down for good11
.
COUNTING THE COST:
IT/ TELECOMMUNICATIONS OUTAGE
9. 12. http://venturebeat.com/2012/11/14/the-high-cost-of-server-downtime-infographic/
13. IBM Global Technology Services (2013b). Six keys to effective reputational and IT risk management (How to manage reputational
and IT risk to protect and enhance brand value and competitive standing). Portsmouth, UK: IBM.
14. Ibid.
8
Figure 5. Estimated annual cost of disruption in US$ per industry sector (Cloudtech, 2013)
Table 1. Average IT recovery rate for selected countries (Cloudtech, 2013)
Downtime associated with these outages cause significant effects such as hindering sales due to lack of
access. Employees in a paperless or server-based workforce cannot get anything done due to the same lack
of access. Outages also increase the likelihood of data loss or corruption, which further magnifies loss and
cascades it into other parts of operation12
.
Further analysis shows that significant costs associated with outages are linked with lost productivity,
technical support and forensics (Figure 6). Severe incidents are linked with costs related to reputational
damage, with estimated losses of US$5.3 million over 24 months (Figure 7). With today’s corporate brands
valued at an average of US$1.56 billion13
, severe incidents can create a significant dent into an organisation’s
reputation. Reputational damage must always be factored into a cost analysis of disruptions as organisations
potentially stand to lose existing or prospective business when its trustworthiness is called into question14
.
10. For other organisations in sectors less dependent on high-availability IT solutions (eg. small and
medium sized enterprises, transport and storage, manufacturing, etc.), it can be assumed that losses due
to these incidents may be significantly lower. This is
due to the nature of their work, which can adopt low-
technology yet efficient strategies (eg. taking orders
on paper, deploying power generators, etc.) which
prolong the timeframe before significant disruption
occurs. Whilst they may face lower costs associated
to IT and telecommunications disruption, it does not
completely eliminate the need to mount a robust BC
programme. It is essential to note that BC programmes
do not entirely rely on building sophisticated IT or
telecom infrastructure, but imparting preparedness
into an entire organisation. However, regardless
of dependence on IT and telecommunications,
organisations still face reputational risks given
significantdisruption. Givenreputationalrisksandcost
of damage control, it becomes evident that prevention
is much better – and cheaper – than the cure.
9
Figure 6. Estimated allocation of total costs associated with a minor, moderate and substantial disruption (IBM Global Technology
Services, 2013a)
Figure 7. Estimated allocation of reputation-related costs associated with a minor, moderate and substantial disruption over the
next 24 months (IBM Global Technology Services, 2013a)
COUNTING THE COST:
IT/ TELECOMMUNICATIONS OUTAGE
11. In the BCI Horizon Scan 2014, 73% of respondents reported concern over the threat of data breach and
cyber attack. This is understandable given today’s context. With sensitive customer information, intellectual
property and the control of key machinery increasingly found in electronic formats15
, the potential damage
caused by data breach or a cyber attack can prove devastating. This is more evident in organisations that
rely on data and use sensitive customer information in their transactions, such as the financial, retail, and IT/
communication sectors. This also applies to finance departments in other sectors that deal with similar data.
A study by Shred-It reveals that approximately 1 billion records have been compromised over the last
eight years alone16
. Data breaches cause 80% of small firms to report bankruptcy or severe financial losses 24
monthsaftertheincident17
.AccordingtoForresterResearch,asecuritybreachcancostanorganisationUS$90-
350 per lost record18
. Actual data reveals even greater figures. A lawsuit filed against the US Department of
Veterans Affairs over a recent breach demanded damages worth US$1,000 for each record lost, taking the
claim to a staggering US$26.5 billion if awarded by the courts19
.
Organisations experiencing substantial data breaches might even be subject to fines from regulators
if found guilty of negligence. An Institute for Risk Management survey reveals that fines may range from
<£50,000 (US$81,685) to >£250,000 (US$408,425) for British organisations who have their data breached
to the detriment of the public20
. In different countries, significant incidents may also be subject to fines by
regulators (Table 2). In addition to the cost of damage control and regaining an organisation’s reputation,
fines add to a mounting bill that cannot be ignored.
15. IBM Institute for Business Value (2011). Managing threats in the digital age. Somers, New York: IBM.
16. http://www.emergency-response-planning.com/news/?BBPage=1&Tag=Business%20Continuity
17. ibid.
18. http://www.evolven.com/blog/7-infographics-disaster-recovery.html
19. ibid.
20. Hillyer, M. (2014). The iceberg impact of a cyber loss in: Alison, A. et al. (Auth.) Cyber Risk: Resources for Practitioners (pp. 29-
38). London, UK: The Institute of Risk Management.
10
COUNTING THE COST:
DATA BREACH/CYBER ATTACK
Table 2. Data protection fines for selected countries (Hillver, 2014)
12. 21. IBM Global Technology Services (2013a). The economics of IT risk and reputation: What business continuity and IT security really
mean to your organisation. Portsmouth, UK: IBM.
22. Scott, A. (2014). BCI Horizon Scan 2014. Caversham, UK: Business Continuity Institute.
23. Ibid.
Meanwhile, an IBM study ranks cyber attacks high up in terms of economic impact (Figure 8)21
. This concern
is reflected by the latest BCI Horizon Scan which reveals that 73% of professionals report monitoring the use
of the Internet for malicious attacks in their BCM plans22
. 46% of professionals belonging to organisations with
significant IT infrastructure also reported experiencing a major cyber security breach in the last 24 months23
(Figure 9). An average of 4.2 actual disruptions was reported as a cause of a cyber security breach over the
past 24 months by the same respondents (Figure 10). A further analysis of this figure reveals that a similar
incident can be expected to occur once in every six months.
11
Table 2. Data protection fines for selected countries (Hillver, 2014) (Contin)
Figure 8. Common threats ranked in terms of economic impact (IBM Global Technology Services, 2013a)
COUNTING THE COST:
DATA BREACH/CYBER ATTACK
13. 12
Figure 9. Threats that impact reputation and brand value experienced over the past 24 months (IBM Global Technology Services,
2013a)
Figure 10. Average number of actual disruptions over the past 24 months caused by six common threats (IBM Global Technology
Services, 2013a)
14. 24. http://www.londonlovesbusiness.com/business-news/tech/terrifying-infographic-shows-cyberattack-risk-to-your-businesse/3024.
article
13
Another study conducted by the Ponemon Institute points to even higher numbers, with companies
surveyed reporting two attacks every week. Common attacks involve malicious code, denial of service and
web-based attacks (Figure 11). American companies are most likely to experience the most costly types of
attacks (ie. malicious code, denial of service) according to the same study. The following data show the top
countries (Table 3) and industry sectors (Figure 12) affected by cyber attacks24
.
Figure 11. Types of cyber attacks reported by organisations (Ponemon Institute, 2013)
Table 3. Share of cyber attacks, by top countries (London Loves Business, 2011)
Figure 12. Share of cyber attacks, by industry sector (London Loves Business, 2011)
COUNTING THE COST:
DATA BREACH/CYBER ATTACK
15. 14
Figure 13. Figures pertaining to social media ubiquity (CRI Group, 2014)
The ubiquity of social media has now made it into a legitimate target for hackers and criminal elements,
which is reflected by the shifting medium of cyber attacks from individual computers to social media
accounts25
. A CRI Group study26
reveals the potential of launching attacks from social media due to the sheer
number of accounts (Figure 13), and the inability to keep up with cybercriminals. A good example is the
hijacking of the Associated Press Twitter account in 2013, which falsely reported an explosion at the White
House27
. This sent American stock markets plunging, with the S&P 500 estimated to have temporarily lost
US$136.5 billion in market capitalisation. Foreign exchange markets also reported significant losses in value
due to the incident. This potentially disruptive nature of social media is confirmed by the BCI Horizon Scan
which reveals that 63% of professionals are concerned about its negative influence28
.
25. http://www.emergency-response-planning.com/news/bid/46374/INFOGRAPHIC-Shifting-Digital-Threats-to-Business-Continuity
26. Anjum, Z. (2014). Risks of cybercrime and social media. London, UK: CRI Group.
27. http://www.cnbc.com/id/100646197
28. Scott, A. (2014). BCI Horizon Scan 2014. Caversham, UK: Business Continuity Institute.
16. Case studies29,30,31,32
(Table 4) and other reports reveal that organisations with significant IT infrastructure
face massive costs not just in terms of fines slapped by regulators, but also loss of income and lasting
reputational damage. In a 2013 report by the Ponemon Institute33
, it was estimated that the average
annual cost of cyber attacks runs up to US$11.6 million per organisation. The annual cost of incidents for
organisations ranges from US$1.3 million to US$58 million. Neustar’s report on distributed denial of service
(DDoS) incidents – a class of cyber attacks – approximates up to US$20,000 worth of additional revenue losses
per incident to a mid-size enterprise34
. Further analysis states that an organisation’s reputation declines by
21% as a result of an incident.
29. From various news reports: http://www.complex.com/tech/2012/05/the-11-worst-online-security-breaches-hacks/epsilon,
http://www.theguardian.com/technology/2011/apr/04/epsilon-email-hack
30. From various news reports: http://www.wired.co.uk/news/archive/2011-05/24/sony-psn-hack-losses, http://www.wired.com/
gamelife/2011/04/playstation-network-hacked/, http://www.bbc.co.uk/news/technology-21160818
31. http://www.bbc.co.uk/news/uk-21187632
32. http://www.emergency-response-planning.com/news/bid/53358/INFOGRAPHIC-Worst-IT-Security-Breaches
33. http://media.scmagazine.com/documents/54/2013_us_ccc_report_final_6-1_13455.pdf
34. Neustar (2012). When businesses go dark. Sterling, VA: Neustar
35. www.evolven.com/blog/7-infographics-disaster-recovery.html
36. ibid.
37. http://www.yle.fi/tvuutiset/uutiset/upics/liitetiedostot/norton_raportti.pdf
38. http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime.pdf
15
Table 4. Case studies of some of the worst cyber attacks
Costs involve detection and recovery, which can translate to lost productivity and income. An average
incident takes around 18 days to resolve, with a cost of nearly US$416,00035
. Malicious insider attacks take
more than twice as long (around 45 days) to resolve at even higher cost36
.
Globalreportspaintanevenbleakerpicture.Thepricetagofcyberattacksandsimilarcrimesarestaggering.
The 2013 Norton Report commissioned by Symantec estimates the cost of cyber attacks and similar crimes
at US$113 billion worldwide37
. In the United States alone, losses due to cyber attacks were placed at US$38
billion, translating to US$298 for every American. A parallel McAfee report38
last year approximates global
losses at a minimum of US$300 billion.
COUNTING THE COST:
DATA BREACH/CYBER ATTACK
17. 16
It must be noted that these figures are more appropriate for organisations with a high dependence on IT for
their operations. Predictably, these same organisations bear the brunt of global economic losses attributable
to cyber attacks. Significantly lower losses can be estimated to organisations in other sectors that rely on
workforce expertise (eg. engineering and construction, manufacturing, etc.). It may also be the case for other
sectors which rely on other inputs (eg. mining and quarrying, agriculture/forestry/fishing, etc.). In these
sectors, the susceptibility for sophisticated forms of data breach and cyber attack is low. Nonetheless, these
organisations still hold physical data in terms of employee records, client details and financial statements
that may be compromised through less technologically sophisticated means (eg. employees leaking data,
burglary, etc.).
Even for organisations with some IT infrastructure, damage caused by data breach and cyber attack is
mitigated by other parts of their operations that are not as data-dependent. However, it would not be wise
to dismiss deploying good IT perimeter security and involving employees in safeguarding sensitive data,
as an incident can still create significant disruption. Even as the data from the reports vary, the message is
clear: data breach and cyber attacks cost money. Organisations cannot simply opt not having an effective BC
programme which can respond to these threats.
18. The most recent BCI study reveals that 57% of professionals are concerned about the effects of adverse
weather to their business39
. Whilst many sectors, with the exception of agriculture and tourism, are not
highly weather-dependent, adverse weather conditions can cause significant disruption and losses. In a
report by insurer Munich Re, combined household and corporate insured losses in the United States totalled
US$12.8 billion in 201340
, with four incidents resulting to at least a billion dollars worth of claims41
. Situating
this against overall trends since 1980, insured losses have been on an upward track (Figure 14), due to the
doubling of extreme weather events during the same period42
(Figure 15).
17
COUNTING THE COST:
A D V E R S E W E A T H E R
39. Scott, A. (2014). BCI Horizon Scan 2014. Caversham, UK: Business Continuity Institute.
40. http://www.iii.org/assets/docs/pdf/MunichRe-010714.pdf
41. Ibid.
42. http://www.iii.org/assets/docs/pdf/MunichRe-010412.pdf
Figure 14. Loss events in the United States (overall and insured losses), 1980-2013 (Munich Re, 2014)
Figure 15. Loss events in the United States (number of events), 1980-2013 (Munich Re, 2014)
19. 18
COUNTING THE COST:
A D V E R S E W E A T H E R
Available data from the United Nations Office for Disaster Risk Reduction (UNISDR) also shows the
staggering cost of adverse weather and other natural disasters from 1992 to 2010 (Figure 16, please refer to
the appendix)43
. Total damages worldwide during that period were estimated at a whopping US$2.0 trillion
for an average of US$111.11 billion yearly. The entire amount lost to adverse weather and natural disasters is
enough to fund global development aid for 25 years44
. The three largest economies (United States, China and
Japan) account for 64% of total costs (US$1.29 trillion) due to their exposure to adverse weather and other
natural hazards. This is almost equivalent to Spain’s entire 2012 GDP (US$1.32 trillion)45
.
The cost of adverse weather around the world was also significant last year, as seen from the insurance
payouts to households and businesses (Table 5).
Table 5. Costs of selected extreme weather events in 2013 (various sources)
Available literature also zeroes in on the cost of adverse weather to businesses. According to the UK
Environment Agency, the 2012 flooding that affected Britain cost £277 million (US$451.5 million) and set back
organisations by an average of £60,000 (US$97,810)51
. The indirect impacts on business and local economies
were estimated at £33 million (US$53.8 million)52
. The disruption to transport, communications and utilities
was placed at £82 million (US$133.7 million)53
. Meanwhile, farming in the UK experienced estimated losses
of up to £1.3 billion (US$2.1 billion) due to extreme weather events54
. Insurers paid out £40 million (US$65.2
million) in business interruption payments to organisations in the same year55
. In the European Union, costs
to transport systems associated with adverse weather is set at €15 million (US$20.3)56
. In the United States,
approximately US$3,000 is lost to businesses every day due to down time caused by adverse weather57
.
While these figures do not take into consideration the individual costs to organisations, these nonetheless
point out that adverse weather comes at a steep price.
43. http://www.unisdr.org/files/27162_2012no21.pdf
44. ibid.
45. Data taken from the UN database at http://unstats.un.org/unsd/snaama/selcountry.asp
46. http://www.wri.org/blog/timeline-look-extreme-weather-and-climate-events-2013
47. http://www.cbc.ca/news/business/extreme-weather-cost-canada-record-3-2b-insurers-say-1.2503659
48. http://www.theguardian.com/world/2013/jun/11/german-flood-damage-insurance-claims
49. http://www.nbcnews.com/business/extreme-weather-threatens-global-economy-2D12024233
50. http://www.telegraph.co.uk/finance/economics/10558607/Polar-vortex-disruption-to-cost-US-economy-5bn.html
51. http://www.environment-agency.gov.uk/news/150900.aspx
52. Ibid.
53. Ibid.
54. http://www.ft.com/cms/s/0/48d9b3dc-5113-11e2-b287-00144feab49a.html#axzz2sMsyZjbf
55. https://www.abi.org.uk/News/News-releases/2013/02/Over-1300-Customers-Helped-Everyday-By-Insurers-To-Recover-From-
Extreme-Weather-In-2012
56. http://www.vtt.fi/news/2012/270612_vtt_aarisaat_maksavat_eun_liikenteelle_vuosittain_15_miljardia_euroa.jsp?lang=en
57. http://asbcouncil.org/node/1217
20. 19
Table 6. Risks associated with adverse weather (various sources)
58. Lubchenco, J. and Karl, T. (2012). Predicting and managing extreme weather events. Physics Today, 65 (3), 31-37.
59. Sussman, F. and Reed, J. (2008). Adapting to Climate Change: A Business Approach. Arlington, VA: Pew Centre on Global
Climate Change.
60. ibid. unless taken from another source
61. http://science.time.com/2011/06/27/sticker-shock-what-extreme-weather-costs-the-u-s/
62. Dell, J. (2012). Petroleum Industry: Adaptation to Projected Impacts of Climate Change. Presentation to the International
Energy Workshop 2013. Paris, France: International Energy Agency.
63. Hess, U., Richter, K. And Stoppa, A. (2004). Weather risk management for agriculture and agri-business in developing countries
In: Climate risk and the weather markets (pp. 295-307). London: Risk Books.
64. Cachon, G., Gallino, S. and Olivares, M. (2012). Severe weather and automobile assembly productivity. Columbia Business
School Research Paper No. 12/37. Retrieved from: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2099798.
Furthermore, scientists have also reported the increased frequency and intensity of adverse weather
events of an extreme kind58
. These changes have also been observed around the globe according to a 2008
report by the Pew Centre for Global Climate Change59
. These changes produce far-reaching impacts across
industry sectors (Table 6)60
.
COUNTING THE COST:
A D V E R S E W E A T H E R
21. 20
Table 6. Risks associated with adverse weather (various sources)
65. Becken, S. (2010). The importance of climate and weather for tourism. Retrieved from: http://www.lincoln.ac.nz/PageFiles/6750/
WeatherLitReview.pdf
66. Greenough et al. (2001). The potential impacts of climate variability and change on health impacts of extreme weather events in
the United States. Environmental Health Perspectives, 109 (2), 191-198.
22. 21
Adverse weather also has significant implications on supply chains around the world. As organisations
move to multiple production and transit sites spanning the globe, adverse weather can wreak havoc on the
supply chain and disrupt the transport of raw materials and goods. In the latest Supply Chain Resilience study
by the BCI, the Chartered Institute of Purchasing and Supply (CIPS) and Zurich Insurance, adverse weather was
ranked as the second top source of disruption worldwide (40%)67
. Furthermore, this is ranked as a significant
concern by professionals in Central and Latin America (63%), Australia (59%), the UK (47%), the USA (45%)
and Canada (43%) (Figure 17). Many organisations report that adverse weather conditions had a substantial
impact on their supply chain, as exemplified by the disruption caused by Hurricane Sandy in the US last year.
68. ibid.
67. Glendon, L. and Bird, L. (2013). Supply Chain Resilience 2013: An international survey to consider the origin, causes and
consequences of supply chain disruption. Caversham, UK: Business Continuity Institute.
Figure 17. Reported supply chain disruption caused by adverse weather (Glendon and Bird, 2013)
COUNTING THE COST:
A D V E R S E W E A T H E R
Once more, it is noted that economic losses due to adverse weather vary across locations and industry
sectors. For one, the United States figures significantly in the literature owing to its susceptibility to extreme
weather conditions and the concentration of industries as compared to other countries. Organisations with
buildings in low-lying areas and riversides – especially in the developing world – are susceptible to flooding
events. Adverse weather is also seen to have more impact in sectors that have extended supply chains such as
retail, transport and storage, as well as engineering and construction. These sectors report a higher incidence
of weather-related disruption in 2013 Supply Chain Resilience survey (Figure 18)68
. This points out to the need
of further analysis by organisations in order to determine their actual risk to weather-related disruptions, and
estimate the economic loss caused by an incident. Analysing costs must not be limited to the value of insured
infrastructure only, as there are hidden expenses (eg. lost productivity, recovery of destroyed equipment,
staff welfare, etc.) that will increase the bill of a weather-related disruption.
23. 22
Figure 18. Reported weather-related disruption by sector (Glendon and Bird, 2013)
This data leads to the importance of an effective BC programme. As more extreme weather conditions
are forecast in the years to come69
, organisations have to accept the current situation as the “new normal”
and devise strategies that will head off this threat. Only through proactive adaptation – one that assesses
projected changes and the likelihood of these changes70
– coupled with an effective programme can help
organisations adapt to this new normal and minimise losses.
69. Bohannon, J. (2005). Disasters: Searching for lessons from a bad year. Science, 310, 1883.
70. Sussman, F. and Reed, J. (2008). Adapting to Climate Change: A Business Approach. Arlington, VA: Pew Centre on Global
Climate Change.
24. 23
Table 7. Summary of annual cost estimates for various threats (various sources)
71. Bohannon, J. (2005). Disasters: Searching for lessons from a bad year. Science, 310, 1883.
72. Sussman, F. and Reed, J. (2008). Adapting to Climate Change: A Business Approach. Arlington, VA: Pew Centre on Global
Climate Change.
73. Walker, K., Deary, D. and Woods, D. (2013). Reducing the potential for cascade: Recognizing and mitigating situations that
threaten business viability. Paper for the 5th Resilience Engineering Symposium. Soesterberg, Netherlands: Resilience Engineering
Association.
C O N C L U S I O N :
NOT DOOM AND GLOOM
Data from various sources pertaining to three common threats – IT and telecommunications outage, data
breach and cyber attack, and adverse weather – points out to a steep price tag (Table 7). Note that these
figures correspond to a worst-case scenario involving organisations that are highly dependent on IT and
telecommunications. Meanwhile, costs for adverse weather represent estimated losses to businesses and
may often exceed insurance payouts.
It is important to note that these threats do not just involve economic loss. Challenging events produce
effects that propagate and cascade into other spheres of operation, eventually disrupting an organisation’s
business viability73
. Experience tells us that disruptions are rarely isolated; hence, it is foolhardy to think that
it can be limited to one area once it happens. This makes business continuity everybody’s concern as it goes
into the heart of an organisation.
As organisations grapple with the fragile economic recovery, rationalising cost remains a paramount
concern. In a time of budget cuts, it is often tempting to downsize business continuity efforts and hope that
nothing too disruptive happens in the meantime. However, as the wealth of data above shows, it is wise to
continue investing in a responsive BC programme. Attention must also be given to low-cost measures that
strengthen a BC management programme such as embedding business continuity in existing training. In
many occasions, a BC programme does not necessarily mean purchasing more sophisticated technology.
Instead, it requires changing individual mindsets – and organisational cultures – from a reactive paradigm
to a proactive one. More often, it just requires changing habits, acquiring a strategic frame of mind, and
ensuring consistent leadership from top management.
Whilst we present the staggering costs of organisational threats, we do not wish to communicate doom
and gloom. Instead, we are hoping that an appraisal of how much threats cost can start a conversation about
improving business continuity within organisations. We also wish to point out that effective BC strategies can
translate to significant cost savings. For example, with minor IT and telecommunication outage more likely
to happen than substantial incidents, the cost of prevention is definitely cheaper. Organisations reliant on
high-availability IT infrastructure can save up to US$1.04 million on average over a period of 24 months by
preventing minor outages74
. Furthermore, deploying security intelligence to defend against data breach and
cyber attacks can save similar organisations an average of US$400,000 to US$4.0 million a year75
. Managing
25. 24
74. IBM Global Technology Services (2013a). The economics of IT risk and reputation: What business continuity and IT security really
mean to your organisation. Portsmouth, UK: IBM.
75. http://media.scmagazine.com/documents/54/2013_us_ccc_report_final_6-1_13455.pdf
76. Sussman, F. and Reed, J. (2008). Adapting to Climate Change: A Business Approach. Arlington, VA: Pew Centre on Global
Climate Change.
77. www.huffingtonpost.com/2012/10/30/flood-insurance-in-northeast_n_2045031.html
78. https://www.abi.org.uk/News/News-releases/2013/02/Over-1300-Customers-Helped-Everyday-By-Insurers-To-Recover-From-
Extreme-Weather-In-2012
HOW THE BCI CAN HELP
The BCI is a world leader in business continuity research in areas such as supply chain resilience. Insights
contained in its published reports help BCI members and the wide professional community. The BCI’s
Good Practice Guidelines, world-recognised and ISO-aligned, can be used as a reference for supplier BC
arrangements. The BCI also offers organisations opportunities to share and learn best practices in business
continuity with its global professional network. Opportunities for continuous professional development to
BC practitioners are available through globally-recognised certification (CBCI), a mentoring programme and
annual industry events. It also offers a Diploma course for business continuity in cooperation with Bucks New
University in the UK.
For more information on how the BCI can help your organisation, contact bci@thebci.org
risks associated with adverse weather and possible climate change can better position organisations into
avoiding or mitigating damage76
. With average insurance payouts for flooding in 2012 valued at US$29,236
(United States)77
and US$29,613 (United Kingdom)78
, organisations can have a rough idea on how much
weather-related damage costs and devise appropriate strategies. Even organisations in sectors having lesser
reliance on technology and the weather can still realise considerable savings, and become better prepared to
face related incidents should they occur.
In the end, our message is simple. Business continuity is everybody’s concern as the benefits of
preparedness translates to overall organisational resilience. It is essential that BC professionals are supported
by management, budget holders and the rest of staff in ensuring the highest level of preparedness. Business
continuity remains as relevant to today’s organisations as it was before, with the current spectrum of threats
adding to that urgency to act.