This document summarizes the costs associated with ineffective business continuity programs. It finds that IT/telecommunications outages can cost organizations millions, with minor incidents costing on average $53,210 per minute of downtime. Data breaches and cyber attacks were found to cost on average $11.6 million annually according to one study. Adverse weather events in the US alone resulted in $12.8 billion in insurance payouts in 2013 according to one report. The document concludes by recommending that organizations strengthen their business continuity programs to reduce costs from disruptions.
A small section of the course ECP-901, Business Continuity & Resiliency Management, by the Institute for Business Continuity Training, https://www.ibct.com
IT Optimization: Navigation Fiscal AusterityOmar Toor
The Federal Government faces a situation similar to that of the private sector in the early 2000s. Many corporations experienced rapid growth in the late 1990s. Companies spent tens of millions of dollars on ERP, CRM, and other enterprise IT systems. As the below graphic illustrates, large enterprise systems grew corporate expense budgets at an unprecedented rate in the form of support, maintenance, enhancement, operations, and amortization. The late 1990’s technology and dot com busts, multiple downturns, and a recession caused industry to change their spending habits and drive cost out of their baseline. Some succeeded, many failed, and a few went bankrupt.
The question is whether Federal COOs, CFOs, and CIOs will wait for OMB to levy cuts on them or whether Federal executives will act to address the systemic drivers of IT expense so they are ready to respond to the inevitable round of forthcoming budget cuts. In the words of George Bernard Shaw, “The possibilities are numerous once we decide to act and not react.” Acting now could protect agency missions and even redirect additional funds to critical needs. If CFOs and CIOs wait for the inevitable budget mandate, it will be too late to identify waste - and the only thing left to cut will be investment dollars.
www.pwc.com/publicsector
As our industry evolves increasingly faster, sustaining an existing (or winning an even larger) share of the $30 trillion insurance servicing opportunity requires using an integrated approach to business transformation.
A small section of the course ECP-901, Business Continuity & Resiliency Management, by the Institute for Business Continuity Training, https://www.ibct.com
IT Optimization: Navigation Fiscal AusterityOmar Toor
The Federal Government faces a situation similar to that of the private sector in the early 2000s. Many corporations experienced rapid growth in the late 1990s. Companies spent tens of millions of dollars on ERP, CRM, and other enterprise IT systems. As the below graphic illustrates, large enterprise systems grew corporate expense budgets at an unprecedented rate in the form of support, maintenance, enhancement, operations, and amortization. The late 1990’s technology and dot com busts, multiple downturns, and a recession caused industry to change their spending habits and drive cost out of their baseline. Some succeeded, many failed, and a few went bankrupt.
The question is whether Federal COOs, CFOs, and CIOs will wait for OMB to levy cuts on them or whether Federal executives will act to address the systemic drivers of IT expense so they are ready to respond to the inevitable round of forthcoming budget cuts. In the words of George Bernard Shaw, “The possibilities are numerous once we decide to act and not react.” Acting now could protect agency missions and even redirect additional funds to critical needs. If CFOs and CIOs wait for the inevitable budget mandate, it will be too late to identify waste - and the only thing left to cut will be investment dollars.
www.pwc.com/publicsector
As our industry evolves increasingly faster, sustaining an existing (or winning an even larger) share of the $30 trillion insurance servicing opportunity requires using an integrated approach to business transformation.
Nearly two thirds (62%) of managers report that cyber security threats are increasingly posing a serious risk to their business, with nearly a third of UK organisations (32%) having come under a cyber attack of some sort in the past 12 months, according to new research published by the Chartered Management Institute (CMI) today.
So, you have a continuity plan and perhaps even think you have resiliency covered? Think again!
About more than just theoretical “best practices”, the deck was originally presented as a key note for CPM West 2007. It covers the semenal role of strategic vision and the vital importance of executives’ risk exposure perspective. Practicioners’ and senior executives’ eyes alike are opened to the realities of what it takes to be truly prepared and capable of responding in an all-hazards approach as an integral part of enterprise-wide risk management (ERM). This presentation looks at pragmatic cures for the “hardening of the attitudes” disease prevalent in too many boardrooms that results in the 10 most common mistakes corporate and governmental entities at all levels face when attempting to plan and implement viable resiliency programs.
AN ANALYSIS OF THE CONTRACTING PROCESS FOR AN ERP SYSTEMcsandit
Enterprise Resource Planning (ERP) systems integrate information across an entire
organization that automate core activities such as finance/accounting, human resources,
manufacturing, production and supply chain management… etc. to facilitate an integrated
centralized system and rapid decision making– resulting in cost reduction, greater planning,
and increased control. Many organizations are updating their current management information
systems with ERP systems. This is not a trivial task. They have to identify the organization’s
objectives and satisfy a myriad of stakeholders. They have to understand what business
processes they have, how they can be improved, and what particular systems would best suit
their needs. They have to understand how an ERP system is built; it involves the modification of
an existing system with its own set of business rules. Deciding what to ask for and how to select
the best option is a very complex operation and there is limited experience with this type of
contracting in organizations. In this paper we discuss a particular experience with contracting
out an ERP system, provide some lessons learned, and offer suggestions in how the RFP and bid
selection processes could have been improved.
Coordinating Security Response and Crisis Management PlanningCognizant
Security or emergency response for businesses must be tactically and strategically integrated with disaster recovery, with a plan for root cause analysis and next steps coordinated by the CIO and chief information security officer in conjunction with business units.
Nearly two thirds (62%) of managers report that cyber security threats are increasingly posing a serious risk to their business, with nearly a third of UK organisations (32%) having come under a cyber attack of some sort in the past 12 months, according to new research published by the Chartered Management Institute (CMI) today.
So, you have a continuity plan and perhaps even think you have resiliency covered? Think again!
About more than just theoretical “best practices”, the deck was originally presented as a key note for CPM West 2007. It covers the semenal role of strategic vision and the vital importance of executives’ risk exposure perspective. Practicioners’ and senior executives’ eyes alike are opened to the realities of what it takes to be truly prepared and capable of responding in an all-hazards approach as an integral part of enterprise-wide risk management (ERM). This presentation looks at pragmatic cures for the “hardening of the attitudes” disease prevalent in too many boardrooms that results in the 10 most common mistakes corporate and governmental entities at all levels face when attempting to plan and implement viable resiliency programs.
AN ANALYSIS OF THE CONTRACTING PROCESS FOR AN ERP SYSTEMcsandit
Enterprise Resource Planning (ERP) systems integrate information across an entire
organization that automate core activities such as finance/accounting, human resources,
manufacturing, production and supply chain management… etc. to facilitate an integrated
centralized system and rapid decision making– resulting in cost reduction, greater planning,
and increased control. Many organizations are updating their current management information
systems with ERP systems. This is not a trivial task. They have to identify the organization’s
objectives and satisfy a myriad of stakeholders. They have to understand what business
processes they have, how they can be improved, and what particular systems would best suit
their needs. They have to understand how an ERP system is built; it involves the modification of
an existing system with its own set of business rules. Deciding what to ask for and how to select
the best option is a very complex operation and there is limited experience with this type of
contracting in organizations. In this paper we discuss a particular experience with contracting
out an ERP system, provide some lessons learned, and offer suggestions in how the RFP and bid
selection processes could have been improved.
Coordinating Security Response and Crisis Management PlanningCognizant
Security or emergency response for businesses must be tactically and strategically integrated with disaster recovery, with a plan for root cause analysis and next steps coordinated by the CIO and chief information security officer in conjunction with business units.
Business Continuity And Disaster Recovery Are Top IT Priorities For 2010 And ...Citrix Online
“Business Continuity And Disaster Recovery Are Top IT Priorities For 2010 And 2011”
Key Findings:
• Improving business continuity and disaster recovery (BC/DR) capabilities is the No. 1 priority for SMBs and the second highest priority for enterprises for the next 12 months
• IT plans to spend at least 5% more on BC/DR in the next 12 months (only 11% of enterprises and 8% of SMBs plan to decrease spending on BC/DR)
• BC/DR represents between 6% and 7% of the IT budget
contributed articlesm a r c h 2 0 1 0 v o l . 5 3 DioneWang844
contributed articles
m a r c h 2 0 1 0 | v o l . 5 3 | n o . 3 | c o m m u n i c at i o n s o f t h e a c m 121
d o i : 1 0 . 1 1 4 5 / 1 6 6 6 4 2 0 . 1 6 6 6 4 5 2
by fabio arduini and Vincenzo morabito
S i n c e t h e S e p t e m b e r 1 1 t h a t ta c k S on the World
Trade Center,8 tsunami disaster, and hurricane
Katrina, there has been renewed interest in emergency
planning in both the private and public sectors. In
particular, as managers realize the size of potential
exposure to unmanaged risk, insuring “business
continuity” (BC) is becoming a key task within all
industrial and financial sectors (Figure 1).
Aside from terrorism and natural disasters, two
main reasons for developing the BC approach in the
finance sector have been identified as unique to it:
regulations and business specificities.
Regulatory norms are key factors for all financial
sectors in every country. Every organization is required
to comply with federal/national law in addition to
national and international governing bodies. Referring
to business decisions, more and more organizations
recognize that Business Continuity could be and
should be strategic for the good of the business. The
finance sector is, as a matter of fact, a sector in which
the development of information technology (IT) and
information systems (IS) have had a dramatic effect
upon competitiveness. In this sector, organizations
have become dependent upon tech-
nologies that they do not fully compre-
hend. In fact, banking industry IT and
IS are considered production not sup-
port technologies. As such, IT and IS
have supported massive changes in the
ways in which business is conducted
with consumers at the retail level. In-
novations in direct banking would have
been unthinkable without appropriate
IS. As a consequence business continu-
ity planning at banks is essential as the
industry develops in order to safeguard
consumers and to comply with interna-
tional regulatory norms. Furthermore,
in the banking industry, BC planning
is important and at the same time dif-
ferent from other industries, for three
other specific reasons as highlighted
by the Bank of Japan in 2003:
Maintaining the economic activity of ˲
residents in disaster areas2 by enabling
the continuation of financial services
during and after disasters, thereby sus-
taining business activities in the dam-
aged area;
Preventing widespread payment and ˲
settlement disorder2 or preventing sys-
temic risks, by bounding the inability
of financial institutions in a disaster
area to execute payment transactions;
Reduce managerial risks ˲ 2 for example,
by limiting the difficulties for banks
to take profit opportunities and lower
their customer reputation.
Business specificities, rather than
regulatory considerations, should be
the primary drivers of all processes.
Even if European (EU) and US markets
differ, BC is closing the gap. Progres-
sive EU market cons ...
contributed articlesm a r c h 2 0 1 0 v o l . 5 3 .docxdickonsondorris
contributed articles
m a r c h 2 0 1 0 | v o l . 5 3 | n o . 3 | c o m m u n i c at i o n s o f t h e a c m 121
d o i : 1 0 . 1 1 4 5 / 1 6 6 6 4 2 0 . 1 6 6 6 4 5 2
by fabio arduini and Vincenzo morabito
S i n c e t h e S e p t e m b e r 1 1 t h a t ta c k S on the World
Trade Center,8 tsunami disaster, and hurricane
Katrina, there has been renewed interest in emergency
planning in both the private and public sectors. In
particular, as managers realize the size of potential
exposure to unmanaged risk, insuring “business
continuity” (BC) is becoming a key task within all
industrial and financial sectors (Figure 1).
Aside from terrorism and natural disasters, two
main reasons for developing the BC approach in the
finance sector have been identified as unique to it:
regulations and business specificities.
Regulatory norms are key factors for all financial
sectors in every country. Every organization is required
to comply with federal/national law in addition to
national and international governing bodies. Referring
to business decisions, more and more organizations
recognize that Business Continuity could be and
should be strategic for the good of the business. The
finance sector is, as a matter of fact, a sector in which
the development of information technology (IT) and
information systems (IS) have had a dramatic effect
upon competitiveness. In this sector, organizations
have become dependent upon tech-
nologies that they do not fully compre-
hend. In fact, banking industry IT and
IS are considered production not sup-
port technologies. As such, IT and IS
have supported massive changes in the
ways in which business is conducted
with consumers at the retail level. In-
novations in direct banking would have
been unthinkable without appropriate
IS. As a consequence business continu-
ity planning at banks is essential as the
industry develops in order to safeguard
consumers and to comply with interna-
tional regulatory norms. Furthermore,
in the banking industry, BC planning
is important and at the same time dif-
ferent from other industries, for three
other specific reasons as highlighted
by the Bank of Japan in 2003:
Maintaining the economic activity of ˲
residents in disaster areas2 by enabling
the continuation of financial services
during and after disasters, thereby sus-
taining business activities in the dam-
aged area;
Preventing widespread payment and ˲
settlement disorder2 or preventing sys-
temic risks, by bounding the inability
of financial institutions in a disaster
area to execute payment transactions;
Reduce managerial risks ˲ 2 for example,
by limiting the difficulties for banks
to take profit opportunities and lower
their customer reputation.
Business specificities, rather than
regulatory considerations, should be
the primary drivers of all processes.
Even if European (EU) and US markets
differ, BC is closing the gap. Progres-
sive EU market cons.
Whitepaper : Building a disaster ready infrastructureJake Weaver
It’s not just hurricanes, fire or other natureal disasters that can bring a business to its knees. Everyday problems such as bad software, misconfigured networks, hardware failures or power outages are much more common. In fact, power failures accounted for nearly half of the declared disasters reported in a recent survey conducted by Forrester
Business Continuity Emerging Trends - DRIE Atlantic - SummaryMarie Lavoie Dufort
Summary document for DRIE Atlantic presentation held on May 19, 2021 on the topic of Business Continuity Emerging Trends – Absorbing & Adapting In A Changing Environment.
Speaker: Marie Lavoie Dufort
Host: Emad Aziz
Business Continuity and Disaster Recover Week3Part4-ISr.docxhumphrieskalyn
Business Continuity and Disaster Recover
Week3Part4-ISrevisionSu2013
Introduction
Organizations grow by providing needed products and services. Overtime, successful
companies will grow as they continue to fill the need of their customer base. This
includes providing the product and services in a predictable fashion that the client base
has grown to expect. Sometimes disasters occur which are unexpected. These disasters
take various forms and can be caused by various events. Some disasters are manmade and
some are not. Generally, the disasters are not predictable when they happen.
Organizations need to prepare for these disasters. They need to have a plan that protects
their assets, the assets of their clients and provides for continuing business according to
their service level agreements.
The outages that result from a disaster can range from a nuisance to a full blown
catastrophe. Consider an outage that occurs to a computer system that is controlling an
online gaming site, versus an outage to a computer system controlling a nuclear reactor or
hospital intensive care until.
If something interrupts an organizations ability to provide their product and services
clients will quickly seek other alternatives.
Sudden interruptions in the delivery of an organizations product and services can occur in
a variety of ways; consider the following few:
Natural disasters such as earthquakes, fire, floods.
When Japan was hit by an earthquake, tsunami and nuclear plant breach their
infrastructure was devastated. Many dependent businesses thousands of miles
away were affected by the inability of the Japanese manufacturers to deliver on
manufacturing commitments such as automobiles and auto parts. The lack of parts
impacted car dealers and car users the world over. Similarly, when Thailand was
hit by floods their ability to deliver disk drives and other semi-conductor parts to
computer manufacturers forced these manufacturers to seek alternate suppliers.
In both these cases organizations that relied on Japan and Thailand to deliver
products to them had to have contingency plans in place for their supply chain.
Without a business continuity plan that had contingencies for alternate suppliers
customers would turn to other alternatives.
Job actions such as: strikes, slowdowns, walkouts
Airline pilots go on strike; forcing customers to seek alternate means of travel for
personal use and business. In some cases, people were forced to seek alternatives
to travel. In some cases business travel was replaced with technology alternatives
such as video conferencing, messages and email. Personal travel was supplanted
with train travel and trips closer to home that could be done with an automobile.
There isn’t much of a contingency for not having trained pilots. But part of a
disaster recovery plan would be to have some good-will gestures in place to win
back the customer base ...
Cloud Complexity: The need for resilience is an EIU report that looks into the critical shifts brought about by an increased organisational dependence on the cloud. In this survey, sponsored by Sungard Availability Services, and conducted by the EIU, 304 executives dispersed across France, the United Kingdom and the United States, were polled regarding their organisational resilience and technology adoption.
Shared Service Centers: Risks & Rewards in the Time of CoronavirusCognizant
Our recent research reveals that organizations are reassessing the pros and cons of captive services. Companies are twice as likely to reduce than increase their use of shared service centers.
Tests und Übungen im BCM-Lifecycle
Der Artikel hierzu findet sich bei BCM-News:
http://www.bcm-news.de/2012/12/16/die-phase-tests-und-uebungen-im-bcm-lifecycle/#more-18059
VAT Registration Outlined In UAE: Benefits and Requirementsuae taxgpt
Vat Registration is a legal obligation for businesses meeting the threshold requirement, helping companies avoid fines and ramifications. Contact now!
https://viralsocialtrends.com/vat-registration-outlined-in-uae/
[Note: This is a partial preview. To download this presentation, visit:
https://www.oeconsulting.com.sg/training-presentations]
Sustainability has become an increasingly critical topic as the world recognizes the need to protect our planet and its resources for future generations. Sustainability means meeting our current needs without compromising the ability of future generations to meet theirs. It involves long-term planning and consideration of the consequences of our actions. The goal is to create strategies that ensure the long-term viability of People, Planet, and Profit.
Leading companies such as Nike, Toyota, and Siemens are prioritizing sustainable innovation in their business models, setting an example for others to follow. In this Sustainability training presentation, you will learn key concepts, principles, and practices of sustainability applicable across industries. This training aims to create awareness and educate employees, senior executives, consultants, and other key stakeholders, including investors, policymakers, and supply chain partners, on the importance and implementation of sustainability.
LEARNING OBJECTIVES
1. Develop a comprehensive understanding of the fundamental principles and concepts that form the foundation of sustainability within corporate environments.
2. Explore the sustainability implementation model, focusing on effective measures and reporting strategies to track and communicate sustainability efforts.
3. Identify and define best practices and critical success factors essential for achieving sustainability goals within organizations.
CONTENTS
1. Introduction and Key Concepts of Sustainability
2. Principles and Practices of Sustainability
3. Measures and Reporting in Sustainability
4. Sustainability Implementation & Best Practices
To download the complete presentation, visit: https://www.oeconsulting.com.sg/training-presentations
Discover the innovative and creative projects that highlight my journey throu...dylandmeas
Discover the innovative and creative projects that highlight my journey through Full Sail University. Below, you’ll find a collection of my work showcasing my skills and expertise in digital marketing, event planning, and media production.
Falcon stands out as a top-tier P2P Invoice Discounting platform in India, bridging esteemed blue-chip companies and eager investors. Our goal is to transform the investment landscape in India by establishing a comprehensive destination for borrowers and investors with diverse profiles and needs, all while minimizing risk. What sets Falcon apart is the elimination of intermediaries such as commercial banks and depository institutions, allowing investors to enjoy higher yields.
Tata Group Dials Taiwan for Its Chipmaking Ambition in Gujarat’s DholeraAvirahi City Dholera
The Tata Group, a titan of Indian industry, is making waves with its advanced talks with Taiwanese chipmakers Powerchip Semiconductor Manufacturing Corporation (PSMC) and UMC Group. The goal? Establishing a cutting-edge semiconductor fabrication unit (fab) in Dholera, Gujarat. This isn’t just any project; it’s a potential game changer for India’s chipmaking aspirations and a boon for investors seeking promising residential projects in dholera sir.
Visit : https://www.avirahi.com/blog/tata-group-dials-taiwan-for-its-chipmaking-ambition-in-gujarats-dholera/
What are the main advantages of using HR recruiter services.pdfHumanResourceDimensi1
HR recruiter services offer top talents to companies according to their specific needs. They handle all recruitment tasks from job posting to onboarding and help companies concentrate on their business growth. With their expertise and years of experience, they streamline the hiring process and save time and resources for the company.
Premium MEAN Stack Development Solutions for Modern BusinessesSynapseIndia
Stay ahead of the curve with our premium MEAN Stack Development Solutions. Our expert developers utilize MongoDB, Express.js, AngularJS, and Node.js to create modern and responsive web applications. Trust us for cutting-edge solutions that drive your business growth and success.
Know more: https://www.synapseindia.com/technology/mean-stack-development-company.html
Attending a job Interview for B1 and B2 Englsih learnersErika906060
It is a sample of an interview for a business english class for pre-intermediate and intermediate english students with emphasis on the speking ability.
RMD24 | Retail media: hoe zet je dit in als je geen AH of Unilever bent? Heid...BBPMedia1
Grote partijen zijn al een tijdje onderweg met retail media. Ondertussen worden in dit domein ook de kansen zichtbaar voor andere spelers in de markt. Maar met die kansen ontstaan ook vragen: Zelf retail media worden of erop adverteren? In welke fase van de funnel past het en hoe integreer je het in een mediaplan? Wat is nu precies het verschil met marketplaces en Programmatic ads? In dit half uur beslechten we de dilemma's en krijg je antwoorden op wanneer het voor jou tijd is om de volgende stap te zetten.
Putting the SPARK into Virtual Training.pptxCynthia Clay
This 60-minute webinar, sponsored by Adobe, was delivered for the Training Mag Network. It explored the five elements of SPARK: Storytelling, Purpose, Action, Relationships, and Kudos. Knowing how to tell a well-structured story is key to building long-term memory. Stating a clear purpose that doesn't take away from the discovery learning process is critical. Ensuring that people move from theory to practical application is imperative. Creating strong social learning is the key to commitment and engagement. Validating and affirming participants' comments is the way to create a positive learning environment.
2. ABOUT THE AUTHOR
Patrick Alcantara is a Research Associate for the Business
Continuity Institute (BCI). In this role, he strengthens the BCI’s
globalthoughtleadershipinbusinesscontinuitythroughrelevant
studies. Prior to the BCI, he has worked in the education sector.
He completed a Masters in Lifelong Learning with distinction
from the Institute of Education, University of London and Deusto
University.
For more questions about this report, contact him at patrick.
alcantara@thebci.org
3. Executive Summary 3
Introduction 4
IT/Telecommunications Outage 6
Data Breach/Cyber Attack 10
Adverse Weather 17
Conclusion And Recommendations 23
How The BCI Can Help 24
Figure 16. Cost Of Adverse Weather And Natural Disasters, 1992-2010 25
CONTENTS
EXECUTIVE SUMMARY
INTRODUCTION
COUNTING THE COST
CONCLUSION AND RECOMMENDATIONS
APPENDIX
4. On the occasion of the Business Continuity Awareness Week 2014, we are pleased to present this special
report focusing on the cost of common threats to an organisation: IT and telecommunications outage, data
breach and cyber attacks, and adverse weather conditions. This report draws upon the insights of earlier BCI
studies such as the 5th Annual Survey on Supply Chain Resilience (2013) and the BCI Horizon Scan (2014). As
a meta-analysis of available literature, it also draws upon various reports and cost estimates.
The objective of this report is simple. We want to drive home the message that business continuity (BC) is
not the sole domain of an organisation’s BC professional. Ensuring an effective, robust BC programme is also
the responsibility of management, budget holders and the rest of staff. In a time where cutting budgets is the
norm, and BC-related expenses are often one of the first to go, it is important to be reminded of the cost of
being caught flat-footed in an incident. The false economy created by cutting down on business continuity
may create bigger problems that may impact on organisational resilience and viability.
The key takeaways from this report are the following:
• According to a recent IBM study on professionals dependent on high-availability IT, the cost of an
IT/telecommunications outage can vary from US$1.04 million to US$14.25 million over 24 months.
Minor incidents, on average, cost US$53,210 per minute of downtime. Further losses due to
reputation-related costs can add up to US$5.27 million for substantial incidents.
• Analysis by the Ponemon Institute reveals that the average cost of data breach and cyber attacks
stands at an average of US$11.6 million annually. Organisations report costs ranging from US$1.3
million to US$58 million to resolve these incidents. Case studies reveal staggering losses of up to
US$4 billion due to severe incidents of data breach and cyber attack.
• A Munich Re report shows that combined household and corporate insurance payouts for weather-
related damage in the United States alone cost US$12.8 billion in 2013. Extremeweather phenomena
have increased the severity of damage and value of insurance claims. The recent BCI Supply Chain
Resilience Survey has also revealed that adverse weather is a top driver of supply chain disruption,
with serious consequences for companies that experience an incident.
The purpose of this study is to quantify the financial impact of these common threats, and build the case
for strengthening an organisation’s BC programme. Nonetheless, it is important to note that as our figures
are rough estimates of the actual cost of disruption, organisations are highly encouraged to think about their
specific context in order to arrive at more appropriate data. In the end, we aim to start a conversation among
organisations and budget holders using readily understood and comparable data in order to maintain BC
investment.
EXECUTIVE SUMMARY
3
5. Business continuity (BC) goes at the heart of every enterprise. Having in place an effective BC management
programme can spell the difference between organisational resilience and financial ruin. With incidents
having a greater impact than before, it is essential to any organisation to become proactive through an
effective programme.
We are publishing this report as an urgent reminder to all that BC is not the exclusive domain of specialists.
In order to remain resilient amidst disaster, entire organisations have to get on board. Management must
exercise decisive leadership and think in terms of strengthening organisational resilience. Budget holders
must invest in moving the resilience agenda forward. Rank and file employees must remain vigilant, keeping
in mind that their organisation’s strength is a collective responsibility.
We strongly argue that having an ineffective BC management programme can cost an organisation dearly.
A single incident can cost an organisation millions and can demolish its reputation. Figures show that 40%-
60% of businesses without a BC plan never reopen after a significant incident, and the response for the first
10 days are critical to survival1
.
This report reviews existing literature, and puts together a more comprehensive account of the costs
associated with gaps in an organisation’s BC strategy. Drawing upon the findings of the BCI’s Horizon Scan
2014, we count the cost of failure to meet urgent threats: (1) IT or telecommunications outage, (2) data
breach or cyber attack, and (3) adverse weather conditions.
In drafting this report, we acknowledge that costs arising from incidents are often difficult to quantify.
The data we present in the following sections are rough and imperfect estimates at best. We acknowledge
the following limitations in drafting this report:
• The importance of context: The following figures are mostly estimates that apply primarily to
organisations that rely heavily on technology or are vulnerable to weather-related incidents (eg.
flooding, etc.). It is important to note that these are merely ballpark figures, and organisations have
to think in terms of their context (country/region, industry sector, nature of operation) in order to
arrive at an appropriate result.
• Non-statistical results: This report aims to be descriptive rather than normative. The figures cited
come from surveys conducted by the BCI and other organisations (eg. IBM, Ponemon Institute, etc.),
which also acknowledge the same limitations. Hence, statistical inferences cannot be applied to this
data.
4
INTRODUCTION
1. Open Access BPO (2013). The cost of not having a business continuity plan. Retrieved from http://visual.ly/business-disaster-
preparation.
6. 5
• Estimated cost results: The report cites costs that are based from the judgment of professionals
who participated in surveys commissioned by other institutions. Hence, these might vary from
actual cost data.
Given these limitations, it is nonetheless clear that being caught flat-footed in an incident would require
expensive and time-consuming solutions that do little to contain reputational damage. Our message is
simple: ensuring a robust response will cost less than damage control. This is a theme that we will revisit
several times in this report, and we hope to convince the wider organisation that BC is everybody’s concern.
7. A recent BCI study found that 77% of professionals are concerned about the effects of unplanned IT or
telecommunications outage2
, making it the top perceived threat for organisations. This is a valid concern, as
unplanned outages cost millions in terms of deploying solutions, lost productivity and reputational damage3
.
For organisations in sectors that rely heavily on the high availability of IT (eg. banking and finance, IT and
communication, some professional services, etc.), unplanned outages can significantly disrupt operations. IT
systems that have 99.5% reliability are still expected to suffer 44 hours of downtime in a year4
. This can wreak
havoc on organisations that rely heavily on this technology.
A recent IBM study focusing on IT and security professionals confirm this5
. By categorising disruptions
from minor to substantial, it was observed that the down time associated with these incidents can range
from an average of 19.7 to 442.3 minutes (Figure 1). 69% of organisations anticipate having one or more
minor incidents occurring within 24 months, whilst 23% expect substantial disruptions occurring within that
period (Figure 2), reflecting a wide concern.
2. Scott, A. (2014). BCI Horizon Scan 2014. Caversham, UK: Business Continuity Institute.
3. IBM Global Technology Services (2013a). The economics of IT risk and reputation: What business continuity and IT security really
mean to your organisation. Portsmouth, UK: IBM.
4. http://venturebeat.com/2012/11/14/the-high-cost-of-server-downtime-infographic/
5. IBM Global Technology Services (2013a). The economics of IT risk and reputation: What business continuity and IT security really
mean to your organisation. Portsmouth, UK: IBM.
COUNTING THE COST:
IT/ TELECOMMUNICATIONS OUTAGE
6
Figure1.Averageminutesofdowntimeforminor,moderateand
substantial disruptions (IBM Global Technology Services, 2013a)
Figure 2. Estimated likelihood of disruptions over the next 24
months (IBM Global Technology Services, 2013a)
8. In the same study, it is estimated that minor disruptions cost these same organisations on average
US$53,223 per minute, whilst more substantial ones cost US$32,299 (Figure 3). These lower figures reflect
costs being spread over more minutes of down time. However, the average total cost of disruptions become
even more concerning when analysed over a period of 24 months. Average costs to these organisations
skyrocket from US$1.04 million to US$14.26 million as a result of outages (Figure 4), with large organisations
reporting as much as US$100 million worth of costs for a severe incident.
6. http://www.emergency-response-planning.com/news/bid/54928/INFOGRAPHIC-Data-Center-Downtime.
7. http://info.isutility.com/bid/85284/Importance-of-Small-Business-Disaster-Recovery-10-Step-Plan-INFOGRAPHIC
8. http://www.cloudcomputing-news.net/blog-hub/2013/sep/26/infographic-disaster-recovery-by-the-numbers-1/
9. http://www.evolven.com/blog/7-infographics-disaster-recovery.html
10. http://blog.dattobackup.com/combat-risk-with-intelligent-business-continuity/
11. http://www.slideshare.net/EarthLinkBusiness/indographic
7
Figure 3. Estimated average cost of disruption (IBM Global
Technology Services, 2013a)
Figure 4. Estimated average cost of disruption over the next 24
months in US$ (IBM Global Technology Services, 2013a)
A parallel study by the Aberdeen Group estimates that large organisations lose up to US$1.1 million on
average yearly for substantial outages6
. Small firms on average lose US$3,000 a day, whilst medium-sized
organisations lose around US$23,000 daily due to an unplanned outage7
. Another report by Cloudtech
summarises the varying costs of major incidents on selected industry sectors (Figure 5)8
. Data indicating IT
recoverability rates for selected countries is also included in the analysis (Table 1). Furthermore, organisations
that experience an outage lasting for more than 10 days are less likely to recover its full financial capacity9
. In
fact, Datto cites US records which states that 93% of firms that lose access to their data centre for more than
10 days are likely to file for bankruptcy in a year10
. Meanwhile, Earthlink estimates that 43% of organisations
that experience substantial data loss as a result of an unplanned outage shut down for good11
.
COUNTING THE COST:
IT/ TELECOMMUNICATIONS OUTAGE
9. 12. http://venturebeat.com/2012/11/14/the-high-cost-of-server-downtime-infographic/
13. IBM Global Technology Services (2013b). Six keys to effective reputational and IT risk management (How to manage reputational
and IT risk to protect and enhance brand value and competitive standing). Portsmouth, UK: IBM.
14. Ibid.
8
Figure 5. Estimated annual cost of disruption in US$ per industry sector (Cloudtech, 2013)
Table 1. Average IT recovery rate for selected countries (Cloudtech, 2013)
Downtime associated with these outages cause significant effects such as hindering sales due to lack of
access. Employees in a paperless or server-based workforce cannot get anything done due to the same lack
of access. Outages also increase the likelihood of data loss or corruption, which further magnifies loss and
cascades it into other parts of operation12
.
Further analysis shows that significant costs associated with outages are linked with lost productivity,
technical support and forensics (Figure 6). Severe incidents are linked with costs related to reputational
damage, with estimated losses of US$5.3 million over 24 months (Figure 7). With today’s corporate brands
valued at an average of US$1.56 billion13
, severe incidents can create a significant dent into an organisation’s
reputation. Reputational damage must always be factored into a cost analysis of disruptions as organisations
potentially stand to lose existing or prospective business when its trustworthiness is called into question14
.
10. For other organisations in sectors less dependent on high-availability IT solutions (eg. small and
medium sized enterprises, transport and storage, manufacturing, etc.), it can be assumed that losses due
to these incidents may be significantly lower. This is
due to the nature of their work, which can adopt low-
technology yet efficient strategies (eg. taking orders
on paper, deploying power generators, etc.) which
prolong the timeframe before significant disruption
occurs. Whilst they may face lower costs associated
to IT and telecommunications disruption, it does not
completely eliminate the need to mount a robust BC
programme. It is essential to note that BC programmes
do not entirely rely on building sophisticated IT or
telecom infrastructure, but imparting preparedness
into an entire organisation. However, regardless
of dependence on IT and telecommunications,
organisations still face reputational risks given
significantdisruption. Givenreputationalrisksandcost
of damage control, it becomes evident that prevention
is much better – and cheaper – than the cure.
9
Figure 6. Estimated allocation of total costs associated with a minor, moderate and substantial disruption (IBM Global Technology
Services, 2013a)
Figure 7. Estimated allocation of reputation-related costs associated with a minor, moderate and substantial disruption over the
next 24 months (IBM Global Technology Services, 2013a)
COUNTING THE COST:
IT/ TELECOMMUNICATIONS OUTAGE
11. In the BCI Horizon Scan 2014, 73% of respondents reported concern over the threat of data breach and
cyber attack. This is understandable given today’s context. With sensitive customer information, intellectual
property and the control of key machinery increasingly found in electronic formats15
, the potential damage
caused by data breach or a cyber attack can prove devastating. This is more evident in organisations that
rely on data and use sensitive customer information in their transactions, such as the financial, retail, and IT/
communication sectors. This also applies to finance departments in other sectors that deal with similar data.
A study by Shred-It reveals that approximately 1 billion records have been compromised over the last
eight years alone16
. Data breaches cause 80% of small firms to report bankruptcy or severe financial losses 24
monthsaftertheincident17
.AccordingtoForresterResearch,asecuritybreachcancostanorganisationUS$90-
350 per lost record18
. Actual data reveals even greater figures. A lawsuit filed against the US Department of
Veterans Affairs over a recent breach demanded damages worth US$1,000 for each record lost, taking the
claim to a staggering US$26.5 billion if awarded by the courts19
.
Organisations experiencing substantial data breaches might even be subject to fines from regulators
if found guilty of negligence. An Institute for Risk Management survey reveals that fines may range from
<£50,000 (US$81,685) to >£250,000 (US$408,425) for British organisations who have their data breached
to the detriment of the public20
. In different countries, significant incidents may also be subject to fines by
regulators (Table 2). In addition to the cost of damage control and regaining an organisation’s reputation,
fines add to a mounting bill that cannot be ignored.
15. IBM Institute for Business Value (2011). Managing threats in the digital age. Somers, New York: IBM.
16. http://www.emergency-response-planning.com/news/?BBPage=1&Tag=Business%20Continuity
17. ibid.
18. http://www.evolven.com/blog/7-infographics-disaster-recovery.html
19. ibid.
20. Hillyer, M. (2014). The iceberg impact of a cyber loss in: Alison, A. et al. (Auth.) Cyber Risk: Resources for Practitioners (pp. 29-
38). London, UK: The Institute of Risk Management.
10
COUNTING THE COST:
DATA BREACH/CYBER ATTACK
Table 2. Data protection fines for selected countries (Hillver, 2014)
12. 21. IBM Global Technology Services (2013a). The economics of IT risk and reputation: What business continuity and IT security really
mean to your organisation. Portsmouth, UK: IBM.
22. Scott, A. (2014). BCI Horizon Scan 2014. Caversham, UK: Business Continuity Institute.
23. Ibid.
Meanwhile, an IBM study ranks cyber attacks high up in terms of economic impact (Figure 8)21
. This concern
is reflected by the latest BCI Horizon Scan which reveals that 73% of professionals report monitoring the use
of the Internet for malicious attacks in their BCM plans22
. 46% of professionals belonging to organisations with
significant IT infrastructure also reported experiencing a major cyber security breach in the last 24 months23
(Figure 9). An average of 4.2 actual disruptions was reported as a cause of a cyber security breach over the
past 24 months by the same respondents (Figure 10). A further analysis of this figure reveals that a similar
incident can be expected to occur once in every six months.
11
Table 2. Data protection fines for selected countries (Hillver, 2014) (Contin)
Figure 8. Common threats ranked in terms of economic impact (IBM Global Technology Services, 2013a)
COUNTING THE COST:
DATA BREACH/CYBER ATTACK
13. 12
Figure 9. Threats that impact reputation and brand value experienced over the past 24 months (IBM Global Technology Services,
2013a)
Figure 10. Average number of actual disruptions over the past 24 months caused by six common threats (IBM Global Technology
Services, 2013a)
14. 24. http://www.londonlovesbusiness.com/business-news/tech/terrifying-infographic-shows-cyberattack-risk-to-your-businesse/3024.
article
13
Another study conducted by the Ponemon Institute points to even higher numbers, with companies
surveyed reporting two attacks every week. Common attacks involve malicious code, denial of service and
web-based attacks (Figure 11). American companies are most likely to experience the most costly types of
attacks (ie. malicious code, denial of service) according to the same study. The following data show the top
countries (Table 3) and industry sectors (Figure 12) affected by cyber attacks24
.
Figure 11. Types of cyber attacks reported by organisations (Ponemon Institute, 2013)
Table 3. Share of cyber attacks, by top countries (London Loves Business, 2011)
Figure 12. Share of cyber attacks, by industry sector (London Loves Business, 2011)
COUNTING THE COST:
DATA BREACH/CYBER ATTACK
15. 14
Figure 13. Figures pertaining to social media ubiquity (CRI Group, 2014)
The ubiquity of social media has now made it into a legitimate target for hackers and criminal elements,
which is reflected by the shifting medium of cyber attacks from individual computers to social media
accounts25
. A CRI Group study26
reveals the potential of launching attacks from social media due to the sheer
number of accounts (Figure 13), and the inability to keep up with cybercriminals. A good example is the
hijacking of the Associated Press Twitter account in 2013, which falsely reported an explosion at the White
House27
. This sent American stock markets plunging, with the S&P 500 estimated to have temporarily lost
US$136.5 billion in market capitalisation. Foreign exchange markets also reported significant losses in value
due to the incident. This potentially disruptive nature of social media is confirmed by the BCI Horizon Scan
which reveals that 63% of professionals are concerned about its negative influence28
.
25. http://www.emergency-response-planning.com/news/bid/46374/INFOGRAPHIC-Shifting-Digital-Threats-to-Business-Continuity
26. Anjum, Z. (2014). Risks of cybercrime and social media. London, UK: CRI Group.
27. http://www.cnbc.com/id/100646197
28. Scott, A. (2014). BCI Horizon Scan 2014. Caversham, UK: Business Continuity Institute.
16. Case studies29,30,31,32
(Table 4) and other reports reveal that organisations with significant IT infrastructure
face massive costs not just in terms of fines slapped by regulators, but also loss of income and lasting
reputational damage. In a 2013 report by the Ponemon Institute33
, it was estimated that the average
annual cost of cyber attacks runs up to US$11.6 million per organisation. The annual cost of incidents for
organisations ranges from US$1.3 million to US$58 million. Neustar’s report on distributed denial of service
(DDoS) incidents – a class of cyber attacks – approximates up to US$20,000 worth of additional revenue losses
per incident to a mid-size enterprise34
. Further analysis states that an organisation’s reputation declines by
21% as a result of an incident.
29. From various news reports: http://www.complex.com/tech/2012/05/the-11-worst-online-security-breaches-hacks/epsilon,
http://www.theguardian.com/technology/2011/apr/04/epsilon-email-hack
30. From various news reports: http://www.wired.co.uk/news/archive/2011-05/24/sony-psn-hack-losses, http://www.wired.com/
gamelife/2011/04/playstation-network-hacked/, http://www.bbc.co.uk/news/technology-21160818
31. http://www.bbc.co.uk/news/uk-21187632
32. http://www.emergency-response-planning.com/news/bid/53358/INFOGRAPHIC-Worst-IT-Security-Breaches
33. http://media.scmagazine.com/documents/54/2013_us_ccc_report_final_6-1_13455.pdf
34. Neustar (2012). When businesses go dark. Sterling, VA: Neustar
35. www.evolven.com/blog/7-infographics-disaster-recovery.html
36. ibid.
37. http://www.yle.fi/tvuutiset/uutiset/upics/liitetiedostot/norton_raportti.pdf
38. http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime.pdf
15
Table 4. Case studies of some of the worst cyber attacks
Costs involve detection and recovery, which can translate to lost productivity and income. An average
incident takes around 18 days to resolve, with a cost of nearly US$416,00035
. Malicious insider attacks take
more than twice as long (around 45 days) to resolve at even higher cost36
.
Globalreportspaintanevenbleakerpicture.Thepricetagofcyberattacksandsimilarcrimesarestaggering.
The 2013 Norton Report commissioned by Symantec estimates the cost of cyber attacks and similar crimes
at US$113 billion worldwide37
. In the United States alone, losses due to cyber attacks were placed at US$38
billion, translating to US$298 for every American. A parallel McAfee report38
last year approximates global
losses at a minimum of US$300 billion.
COUNTING THE COST:
DATA BREACH/CYBER ATTACK
17. 16
It must be noted that these figures are more appropriate for organisations with a high dependence on IT for
their operations. Predictably, these same organisations bear the brunt of global economic losses attributable
to cyber attacks. Significantly lower losses can be estimated to organisations in other sectors that rely on
workforce expertise (eg. engineering and construction, manufacturing, etc.). It may also be the case for other
sectors which rely on other inputs (eg. mining and quarrying, agriculture/forestry/fishing, etc.). In these
sectors, the susceptibility for sophisticated forms of data breach and cyber attack is low. Nonetheless, these
organisations still hold physical data in terms of employee records, client details and financial statements
that may be compromised through less technologically sophisticated means (eg. employees leaking data,
burglary, etc.).
Even for organisations with some IT infrastructure, damage caused by data breach and cyber attack is
mitigated by other parts of their operations that are not as data-dependent. However, it would not be wise
to dismiss deploying good IT perimeter security and involving employees in safeguarding sensitive data,
as an incident can still create significant disruption. Even as the data from the reports vary, the message is
clear: data breach and cyber attacks cost money. Organisations cannot simply opt not having an effective BC
programme which can respond to these threats.
18. The most recent BCI study reveals that 57% of professionals are concerned about the effects of adverse
weather to their business39
. Whilst many sectors, with the exception of agriculture and tourism, are not
highly weather-dependent, adverse weather conditions can cause significant disruption and losses. In a
report by insurer Munich Re, combined household and corporate insured losses in the United States totalled
US$12.8 billion in 201340
, with four incidents resulting to at least a billion dollars worth of claims41
. Situating
this against overall trends since 1980, insured losses have been on an upward track (Figure 14), due to the
doubling of extreme weather events during the same period42
(Figure 15).
17
COUNTING THE COST:
A D V E R S E W E A T H E R
39. Scott, A. (2014). BCI Horizon Scan 2014. Caversham, UK: Business Continuity Institute.
40. http://www.iii.org/assets/docs/pdf/MunichRe-010714.pdf
41. Ibid.
42. http://www.iii.org/assets/docs/pdf/MunichRe-010412.pdf
Figure 14. Loss events in the United States (overall and insured losses), 1980-2013 (Munich Re, 2014)
Figure 15. Loss events in the United States (number of events), 1980-2013 (Munich Re, 2014)
19. 18
COUNTING THE COST:
A D V E R S E W E A T H E R
Available data from the United Nations Office for Disaster Risk Reduction (UNISDR) also shows the
staggering cost of adverse weather and other natural disasters from 1992 to 2010 (Figure 16, please refer to
the appendix)43
. Total damages worldwide during that period were estimated at a whopping US$2.0 trillion
for an average of US$111.11 billion yearly. The entire amount lost to adverse weather and natural disasters is
enough to fund global development aid for 25 years44
. The three largest economies (United States, China and
Japan) account for 64% of total costs (US$1.29 trillion) due to their exposure to adverse weather and other
natural hazards. This is almost equivalent to Spain’s entire 2012 GDP (US$1.32 trillion)45
.
The cost of adverse weather around the world was also significant last year, as seen from the insurance
payouts to households and businesses (Table 5).
Table 5. Costs of selected extreme weather events in 2013 (various sources)
Available literature also zeroes in on the cost of adverse weather to businesses. According to the UK
Environment Agency, the 2012 flooding that affected Britain cost £277 million (US$451.5 million) and set back
organisations by an average of £60,000 (US$97,810)51
. The indirect impacts on business and local economies
were estimated at £33 million (US$53.8 million)52
. The disruption to transport, communications and utilities
was placed at £82 million (US$133.7 million)53
. Meanwhile, farming in the UK experienced estimated losses
of up to £1.3 billion (US$2.1 billion) due to extreme weather events54
. Insurers paid out £40 million (US$65.2
million) in business interruption payments to organisations in the same year55
. In the European Union, costs
to transport systems associated with adverse weather is set at €15 million (US$20.3)56
. In the United States,
approximately US$3,000 is lost to businesses every day due to down time caused by adverse weather57
.
While these figures do not take into consideration the individual costs to organisations, these nonetheless
point out that adverse weather comes at a steep price.
43. http://www.unisdr.org/files/27162_2012no21.pdf
44. ibid.
45. Data taken from the UN database at http://unstats.un.org/unsd/snaama/selcountry.asp
46. http://www.wri.org/blog/timeline-look-extreme-weather-and-climate-events-2013
47. http://www.cbc.ca/news/business/extreme-weather-cost-canada-record-3-2b-insurers-say-1.2503659
48. http://www.theguardian.com/world/2013/jun/11/german-flood-damage-insurance-claims
49. http://www.nbcnews.com/business/extreme-weather-threatens-global-economy-2D12024233
50. http://www.telegraph.co.uk/finance/economics/10558607/Polar-vortex-disruption-to-cost-US-economy-5bn.html
51. http://www.environment-agency.gov.uk/news/150900.aspx
52. Ibid.
53. Ibid.
54. http://www.ft.com/cms/s/0/48d9b3dc-5113-11e2-b287-00144feab49a.html#axzz2sMsyZjbf
55. https://www.abi.org.uk/News/News-releases/2013/02/Over-1300-Customers-Helped-Everyday-By-Insurers-To-Recover-From-
Extreme-Weather-In-2012
56. http://www.vtt.fi/news/2012/270612_vtt_aarisaat_maksavat_eun_liikenteelle_vuosittain_15_miljardia_euroa.jsp?lang=en
57. http://asbcouncil.org/node/1217
20. 19
Table 6. Risks associated with adverse weather (various sources)
58. Lubchenco, J. and Karl, T. (2012). Predicting and managing extreme weather events. Physics Today, 65 (3), 31-37.
59. Sussman, F. and Reed, J. (2008). Adapting to Climate Change: A Business Approach. Arlington, VA: Pew Centre on Global
Climate Change.
60. ibid. unless taken from another source
61. http://science.time.com/2011/06/27/sticker-shock-what-extreme-weather-costs-the-u-s/
62. Dell, J. (2012). Petroleum Industry: Adaptation to Projected Impacts of Climate Change. Presentation to the International
Energy Workshop 2013. Paris, France: International Energy Agency.
63. Hess, U., Richter, K. And Stoppa, A. (2004). Weather risk management for agriculture and agri-business in developing countries
In: Climate risk and the weather markets (pp. 295-307). London: Risk Books.
64. Cachon, G., Gallino, S. and Olivares, M. (2012). Severe weather and automobile assembly productivity. Columbia Business
School Research Paper No. 12/37. Retrieved from: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2099798.
Furthermore, scientists have also reported the increased frequency and intensity of adverse weather
events of an extreme kind58
. These changes have also been observed around the globe according to a 2008
report by the Pew Centre for Global Climate Change59
. These changes produce far-reaching impacts across
industry sectors (Table 6)60
.
COUNTING THE COST:
A D V E R S E W E A T H E R
21. 20
Table 6. Risks associated with adverse weather (various sources)
65. Becken, S. (2010). The importance of climate and weather for tourism. Retrieved from: http://www.lincoln.ac.nz/PageFiles/6750/
WeatherLitReview.pdf
66. Greenough et al. (2001). The potential impacts of climate variability and change on health impacts of extreme weather events in
the United States. Environmental Health Perspectives, 109 (2), 191-198.
22. 21
Adverse weather also has significant implications on supply chains around the world. As organisations
move to multiple production and transit sites spanning the globe, adverse weather can wreak havoc on the
supply chain and disrupt the transport of raw materials and goods. In the latest Supply Chain Resilience study
by the BCI, the Chartered Institute of Purchasing and Supply (CIPS) and Zurich Insurance, adverse weather was
ranked as the second top source of disruption worldwide (40%)67
. Furthermore, this is ranked as a significant
concern by professionals in Central and Latin America (63%), Australia (59%), the UK (47%), the USA (45%)
and Canada (43%) (Figure 17). Many organisations report that adverse weather conditions had a substantial
impact on their supply chain, as exemplified by the disruption caused by Hurricane Sandy in the US last year.
68. ibid.
67. Glendon, L. and Bird, L. (2013). Supply Chain Resilience 2013: An international survey to consider the origin, causes and
consequences of supply chain disruption. Caversham, UK: Business Continuity Institute.
Figure 17. Reported supply chain disruption caused by adverse weather (Glendon and Bird, 2013)
COUNTING THE COST:
A D V E R S E W E A T H E R
Once more, it is noted that economic losses due to adverse weather vary across locations and industry
sectors. For one, the United States figures significantly in the literature owing to its susceptibility to extreme
weather conditions and the concentration of industries as compared to other countries. Organisations with
buildings in low-lying areas and riversides – especially in the developing world – are susceptible to flooding
events. Adverse weather is also seen to have more impact in sectors that have extended supply chains such as
retail, transport and storage, as well as engineering and construction. These sectors report a higher incidence
of weather-related disruption in 2013 Supply Chain Resilience survey (Figure 18)68
. This points out to the need
of further analysis by organisations in order to determine their actual risk to weather-related disruptions, and
estimate the economic loss caused by an incident. Analysing costs must not be limited to the value of insured
infrastructure only, as there are hidden expenses (eg. lost productivity, recovery of destroyed equipment,
staff welfare, etc.) that will increase the bill of a weather-related disruption.
23. 22
Figure 18. Reported weather-related disruption by sector (Glendon and Bird, 2013)
This data leads to the importance of an effective BC programme. As more extreme weather conditions
are forecast in the years to come69
, organisations have to accept the current situation as the “new normal”
and devise strategies that will head off this threat. Only through proactive adaptation – one that assesses
projected changes and the likelihood of these changes70
– coupled with an effective programme can help
organisations adapt to this new normal and minimise losses.
69. Bohannon, J. (2005). Disasters: Searching for lessons from a bad year. Science, 310, 1883.
70. Sussman, F. and Reed, J. (2008). Adapting to Climate Change: A Business Approach. Arlington, VA: Pew Centre on Global
Climate Change.
24. 23
Table 7. Summary of annual cost estimates for various threats (various sources)
71. Bohannon, J. (2005). Disasters: Searching for lessons from a bad year. Science, 310, 1883.
72. Sussman, F. and Reed, J. (2008). Adapting to Climate Change: A Business Approach. Arlington, VA: Pew Centre on Global
Climate Change.
73. Walker, K., Deary, D. and Woods, D. (2013). Reducing the potential for cascade: Recognizing and mitigating situations that
threaten business viability. Paper for the 5th Resilience Engineering Symposium. Soesterberg, Netherlands: Resilience Engineering
Association.
C O N C L U S I O N :
NOT DOOM AND GLOOM
Data from various sources pertaining to three common threats – IT and telecommunications outage, data
breach and cyber attack, and adverse weather – points out to a steep price tag (Table 7). Note that these
figures correspond to a worst-case scenario involving organisations that are highly dependent on IT and
telecommunications. Meanwhile, costs for adverse weather represent estimated losses to businesses and
may often exceed insurance payouts.
It is important to note that these threats do not just involve economic loss. Challenging events produce
effects that propagate and cascade into other spheres of operation, eventually disrupting an organisation’s
business viability73
. Experience tells us that disruptions are rarely isolated; hence, it is foolhardy to think that
it can be limited to one area once it happens. This makes business continuity everybody’s concern as it goes
into the heart of an organisation.
As organisations grapple with the fragile economic recovery, rationalising cost remains a paramount
concern. In a time of budget cuts, it is often tempting to downsize business continuity efforts and hope that
nothing too disruptive happens in the meantime. However, as the wealth of data above shows, it is wise to
continue investing in a responsive BC programme. Attention must also be given to low-cost measures that
strengthen a BC management programme such as embedding business continuity in existing training. In
many occasions, a BC programme does not necessarily mean purchasing more sophisticated technology.
Instead, it requires changing individual mindsets – and organisational cultures – from a reactive paradigm
to a proactive one. More often, it just requires changing habits, acquiring a strategic frame of mind, and
ensuring consistent leadership from top management.
Whilst we present the staggering costs of organisational threats, we do not wish to communicate doom
and gloom. Instead, we are hoping that an appraisal of how much threats cost can start a conversation about
improving business continuity within organisations. We also wish to point out that effective BC strategies can
translate to significant cost savings. For example, with minor IT and telecommunication outage more likely
to happen than substantial incidents, the cost of prevention is definitely cheaper. Organisations reliant on
high-availability IT infrastructure can save up to US$1.04 million on average over a period of 24 months by
preventing minor outages74
. Furthermore, deploying security intelligence to defend against data breach and
cyber attacks can save similar organisations an average of US$400,000 to US$4.0 million a year75
. Managing
25. 24
74. IBM Global Technology Services (2013a). The economics of IT risk and reputation: What business continuity and IT security really
mean to your organisation. Portsmouth, UK: IBM.
75. http://media.scmagazine.com/documents/54/2013_us_ccc_report_final_6-1_13455.pdf
76. Sussman, F. and Reed, J. (2008). Adapting to Climate Change: A Business Approach. Arlington, VA: Pew Centre on Global
Climate Change.
77. www.huffingtonpost.com/2012/10/30/flood-insurance-in-northeast_n_2045031.html
78. https://www.abi.org.uk/News/News-releases/2013/02/Over-1300-Customers-Helped-Everyday-By-Insurers-To-Recover-From-
Extreme-Weather-In-2012
HOW THE BCI CAN HELP
The BCI is a world leader in business continuity research in areas such as supply chain resilience. Insights
contained in its published reports help BCI members and the wide professional community. The BCI’s
Good Practice Guidelines, world-recognised and ISO-aligned, can be used as a reference for supplier BC
arrangements. The BCI also offers organisations opportunities to share and learn best practices in business
continuity with its global professional network. Opportunities for continuous professional development to
BC practitioners are available through globally-recognised certification (CBCI), a mentoring programme and
annual industry events. It also offers a Diploma course for business continuity in cooperation with Bucks New
University in the UK.
For more information on how the BCI can help your organisation, contact bci@thebci.org
risks associated with adverse weather and possible climate change can better position organisations into
avoiding or mitigating damage76
. With average insurance payouts for flooding in 2012 valued at US$29,236
(United States)77
and US$29,613 (United Kingdom)78
, organisations can have a rough idea on how much
weather-related damage costs and devise appropriate strategies. Even organisations in sectors having lesser
reliance on technology and the weather can still realise considerable savings, and become better prepared to
face related incidents should they occur.
In the end, our message is simple. Business continuity is everybody’s concern as the benefits of
preparedness translates to overall organisational resilience. It is essential that BC professionals are supported
by management, budget holders and the rest of staff in ensuring the highest level of preparedness. Business
continuity remains as relevant to today’s organisations as it was before, with the current spectrum of threats
adding to that urgency to act.