1 Global Technology Services Research Analysis Risk Management Building the business case for continuity and resiliency The economics of IT risk and reputation and their importance to business continuity and resiliency professionals Implications of the IBM Global Study on the Economic Impact of IT Risk
2 2 Building the business case for continuity and resiliency Contents 2 Introduction 3 Benchmarks for business cases 6 The state of business continuity today 9 An action plan for business continuity professionals 10 How IBM can help 11 About the study Each business continuity specialist answered detailed questions about the types of failures their organization experiences and the causes of these failures. Their responses, featured in this analysis report, can give you the benchmark data you need to add depth and breadth to your existing IT risk management strategy, demonstrate the business importance of IT continuity and resiliency and, ultimately, build the business case that can help justify the budget and resources you need for success. Introduction The days when continuity professionals focused exclusively on getting computers up and running after a major disaster are over. Continuous availability is now a requirement of enterprise-wide business continuity and resiliency practices. Prevention, not reaction, is the focus and disaster recovery is just one part of the picture. As a result, today s continuity and resiliency professionals have a vastly expanded scope of responsibilities including ensuring system viability and compliance, evaluation of vendors, data backup and storage, managing budgets and setting priorities, to name just a few. No matter which responsibility you are attending to on any given day, you need keep an eye on cost. According to continuity and resiliency respondents to the IBM Global Study on the Economic Impact of IT Risk, business and IT disruptions that result from IT failures will cost an organization $19.5M over the next 24 months. Building the business case for improved continuity and resiliency efforts has been difficult, because detailed benchmark time and cost data has not been available until now. The IBM Global Study on the Economic Impact of IT Risk is among the largest of its kind, surveying a total of 2,316 IT professionals, 1,069 of them business continuity specialists. Threats and their costs To aid respondents in identifying the types of threats that cause business and IT disruptions and the types of costs that result from these threats the IBM Global Study on the Economic Impact of IT Risk provided a list of common threats and cost categories for IT professionals to consider. Respondents were asked to evaluate: Six common threats 1. Human error 2. IT system failure 3. Cyber security or data breach/theft 4. Third-party failure to continuity or IT security 5. Data loss from backup or restore failure 6. Natural or manmade disasters Six common categories of costs 1. Reputation and brand damage 2. Lost productivity due to downtime or system performance 3. Lost revenue due to system availability problems 4. Forensics to determine root causes 5. Technical support to restore systems 6. Compliance and regulatory failure costs
3 Risk Management 3 Benchmarks for business cases The business case for improved continuity and resiliency is built upon one proven truth that continuity and resiliency efforts have a business value that go far beyond the back office and affect everything from employee productivity to corporate and brand image. It makes good financial sense, then, to invest in designing robust continuity and resiliency protections into IT systems up-front, rather than paying to mitigate and correct failures when they happen. Here is what your continuity and resiliency peers have to say about costs, causes and risk factors, as revealed in the IBM study. When combined with the $19.5M potential price tag for mitigating and correcting failures as they happen, these findings can provide the concrete proof points that previous business cases have been lacking. The cost of disruptions by time Common sense dictates that the longer a business or IT disruption lasts, the more it costs. There is more to be learned from disruption duration, however. Business continuity and resiliency respondents have varying opinions on what constitutes a minor, moderate and substantial disruption, which may be a reflection of the sophistication of their organization s risk management strategy and accepted industry levels of tolerance, along with personal experience. (see Figure 1.) Along with assigning a specific amount of time to minor, moderate and substantial business and IT disruptions, respondents also assigned a cost figure for the next 24 months. Business continuity and resiliency professionals said they anticipate spending $1,022,000 on minor disruptions, $4,340,000 on moderate disruptions and $14,130,000 on substantial disruptions. While the cost of substantial Minor, moderate and substantial disruptions by time Minor disruption extrapolated = 19.4 mins 2 hrs 2% 4hrs 1% 60 mins 9% 30 mins 16% 10 mins 38% 1 day 25% 1 min 33% Moderate disruption extrapolated = 1.9 hrs 2 days 2% 1 min 2% 1 day 6% 10 mins 14% 4 hrs 19% 2 hrs 16% Substantial disruption extrapolated = 7.6 hrs 2 days 22% 60 mins 18% >2 days 5% 30 mins 32% 10 mins 1% 30 mins 5% 60 mins 8% 2 hrs 9% 4 hrs 25% Figure 1. The variation between business continuity and resiliency respondents definition of minor, moderate and substantial disruptions may reflect industry risk tolerances and personal experience.
4 4 Building the business case for continuity and resiliency Financial impact by cost category Rounded to nearest thousand Reputation and brand damage $31,000 $477,000 $5,252,000 $5,760,000 Lost productivity Lost revenue Technical support to restore systems Cost of forensics to determine root cause Compliance or regulatory failure $289,000 $1,693,000 $2,002,000 $41,000 $434,000 $413,000 $825,000 $1,295,000 $2,533,000 $206,000 $738,000 $1,437,000 $2,381,000 $52,000 $174,000 $1,437,000 $1,662,000 $3,983,000 $2,708,000 $3,183,000 Minor disruption Moderate disruption Substantial disruption Total Figure 2. Business continuity and resiliency professionals were asked to assign IT failure costs to six common categories. Reputation and brand damage is the most expensive category overall, and the most expensive for events of substantial duration. disruptions proves the wisdom of common sense, it is important that continuity and resiliency professionals not ignore the 28 percent of costs resulting from minor and moderate disruptions, especially since minor and moderate disruptions occur more frequently and can be easier to prevent. Costs by category The IBM study also asked business continuity and resiliency professionals to report on the cost of IT failures by assigning a dollar figure to each of six common cost categories, which were then cross-referenced to disruption duration. As seen in Figure 2, the most expensive category overall is reputation and brand damage, followed by lost productivity and lost revenue. The most expensive category for events of minor duration was technical support. Lost productivity was the most expensive category for moderate duration events, and reputation and brand damage for major duration events.
5 Risk Management 5 It is interesting to note that lost revenue, the third most expensive category overall, was not among the cost leaders by event duration. This does not mean that costs attributed to lost revenue are unimportant; in fact, the opposite is true costs attributed to lost revenue can be significant during any duration of IT failure. When lost revenue is combined with other business costs (reputation and brand damage, lost productivity and compliance and regulatory failure), these business costs represent a full 75 percent and $14.5M of the total costs incurred, further reinforcing the business case. Business continuity today is all about continuous availability and proactive techniques to protect that availability, no matter what happens. Paige A Poore, Director, Worldwide IBM Business Continuity Why disruptions happen: IT risk factors No examination of the costs of IT failures would be complete without answering the question, What is causing these failures? Figure 3 shows the results of continuity and resiliency professionals rating six common IT risk factors by economic impact, reputational impact and likelihood. Human error is the single most frequent cause of business and IT disruptions, with the most significant economic impact. This is true both within the IT department and among general users. Human error is also the cause of 82 percent more reputational damage than continuity and resiliency professionals anticipated. IT risk factors that cause failures On scale of 1-7, with 7 representing most impact or highest likelihood Human error IT system failure Cyber security breach or data breach/data theft Third-party IT systems or security failure Data loss from failed backup/restore Natural or manmade disasters Economic impact Reputational impact Likelihood Figure 3. Human error is the IT risk factor with the largest economic impact and highest likelihood of occurring, according to business continuity and resiliency participants in the IBM Global Study of the Economic Impact of IT Risk
6 6 Building the business case for continuity and resiliency The single best way to prevent human error is to apply automation across the enterprise. This can take the form of virtualization, managed backup and cloud delivery of system resources, software and data. Automated backup for individual users and cloud delivery of software and data can also help reduce business and IT disruptions due to lost or improperly coded data not to mention potentially reducing technical support costs. IT system failure ranks second among continuity and resiliency respondents to the IBM Global Study of the Economic Impact of IT Risk, both for likelihood of occurrence and reputational impact. Number one for reputational impact is natural or manmade disasters, while the same disasters rank at the bottom of the list for economic impact and likelihood. The dichotomy between the reputational, economic and likelihood scores for disasters is a good example of why it is important to include all three aspects in the analysis for your business case. News sources are quick to report major problems with an organization s IT systems, whether related to a big storm or a large system failure, leading to disasters being perceived as having high reputational impact. Because disasters are infrequent occurrences for any individual organization, however, they may require less of the budget than has been allotted to them in the past. The state of business continuity today There has been a major shift in the focus of business continuity and resiliency efforts in the past few years. No longer is the focus on disaster recovery and reacting to problems quickly. Now, disaster recovery is just one part of the larger continuity and resiliency picture, and the focus has shifted from reactive to preventive. Many organizations business continuity and resiliency programs still have a way to go, however. Only 20 percent of continuity and resiliency professionals say that their business continuity management program or activities are fully mature, while 13 percent were unable to determine maturity. Reputation and brand damage is the single highest continuity and resiliency cost category, but only 35 percent of continuity and resiliency professionals say their organization s leaders recognize that IT risks affect brand image. Strategy is essential Every mature continuity and resiliency program needs a strong and consistent strategy. Yet only 17 percent of respondents have a formal strategy that is applied across the enterprise, and 29 percent have no strategy at all. While creating or strengthening your continuity and resiliency strategy can be challenging, there are tools that can help smooth your way. One such tool is the IBM Business Continuity Index. The Index guides you through a series of online questions about your organization s current continuity and resiliency efforts, and provides you with an analysis of which areas of your business continuity strategy are mature and highlights items on which you may want to focus more attention. Matching IT threat perception to reality Making sure that your organization s continuity and resiliency strategy and business case are based on fact-based reality, rather than perception, is critical input for both your business case and your strategy.
7 Risk Management 7 Mapping perception and reality to evaluate IT threat significance Perception Perception Reality Perception Reality Rank by economic impact Rank by likelihood Threats that caused disruptions Rank by reputation impact Threats that damaged reputation OVERALL THREAT SCORE More significant Human error IT system failure Cyber security breach/ data theft Data loss Third-party failure Natural/manmade disaster 1=Highest rank or rate of occurence 6=Lowest rank or rate of occurence Less significant Figure 4. By comparing continuity and resiliency respondents rankings of various IT threats to the actual frequency of occurrence of each threat provides a truer picture of threat importance. As seen in Figure 4, the six common IT threats are mapped by their perceived economic impact, likelihood and reputational impact, along with the frequency at which the threats actually caused disruptions and damaged reputation over the past 24 months. This mapping confirms human error and IT system failure as the top two IT threats. At the same time, the mapping highlights the significant divide between the perceived reputational impact of natural and manmade disasters and actual threat score. The rise of third parties Third party contributions to a wide variety of an organization s business functions continue to increase. Along with their positive contributions, third parties also bring new IT risks. With organizations forming larger and more connected macrocosms of partners, vendors, suppliers and consultants, requiring these third parties to provide the same level of IT risk mitigation as the organization enforces internally will become more and more critical.
8 8 Building the business case for continuity and resiliency Today, the worst dangers are still the fullblown disasters, but the biggest threats are the commonplace events like human error and system disruption. Laurence Guihard-Joly, Global General Manager, IBM Business Continuity and Resiliency Services IT risks affect reputation Corporate and brand reputation is an organization s lifeblood, and IT now has a significant role to play in protecting it. According to the IBM Global Study on the Economic Impact of IT Risk, continuity and resiliency professionals reported that system failure is the IT threat that has had the greatest impact on reputation over the past 24 months. Amplifying this finding is the fact that, according to data collected during the 2012 IBM Global Study of Reputational Risk and IT, reputational damage is the most long-lasting damage an organization can incur, taking six months or more half an annual report period to recover from. The threat of IT system failure can be mitigated by adequate planning and frequent testing, along with automation of tasks such as backup and updating of operating systems and software. Your score 129 out of 200 Evaluate your reputational risk practices When it comes to IT risks impact on reputation and brand image, is your organization exposed, aware, or capable? The IBM Reputational Risk Index can help you find out. Answer a few questions, and this quick and easy online tool gives you an overview rating of your reputational and IT risk management efforts, along with scores in key reputational and IT risk management categories and suggestions for improvement. Outsourcing as a positive force Outsourcing and consulting are becoming ever more important resources for robust business continuity and resiliency. The reason IT departments are seeking outside help is clear: they need additional skills, bandwidth or both. This is evidenced by the 49 percent of continuity and resiliency respondents who said their organization had failed an external or internal audit. At the time of this study, 34 percent of respondents were outsourcing their business continuity management activities, with a further 18 percent saying they are likely to do so in the next 18 months. Outsourcing and consulting are also more attractive than ever, thanks to a widening variety of options that can be matched to an organization s specific needs ranging from strategy and planning workshops to evaluations and consulting to full outsourcing.
9 Risk Management 9 An action plan for business continuity professionals Becoming the voice for the economic and reputational impact of IT risk is a win-win opportunity for you and your organization. Your organization gains a valuable new perspective through which to filter IT risk strategy and tactics, while you can become known as the technology person with an eye on the bottom line which almost always means increased visibility. Based on the findings of this study, IBM offers six action steps to help you make the case for business continuity and resiliency spending and achieve measurable results. Some of these are recommendations we have made over the past five years of studying IT risk and issuing reports. Others are based on the fresh insights and deeper data from this study. With both we hope to help you elevate the discussion of continuity and resiliency in your organization, as well as give you essential information on reputational risk and human error that you can take forward to your leadership. Carry the reputational risk message to corporate leaders Up to two-thirds of study respondents believe that their organizational leaders do not realize that business and IT disruptions can damage reputation and brand image and that those damages carry a hefty cost. Help these leaders understand the reputational consequences of IT failures and, in the process, elevate yourself and your peers as IT professionals who protect this valuable corporate asset. Build a business case for IT investments With the convincing evidence that more than 75 percent of the costs associated with IT failures are attributable to reputational damage and business performance, you now have a fact-based foundation on which to build a business case for funding continuity and resilience. Finance and business unit executives are used to being presented with budget requests in terms of projects and costs. Take a different approach. Make the connection between continuity-related spending and quantifiable business objectives, such as increasing productivity and revenue and protecting reputation and brand value. Develop metrics for IT risk mitigation To support your business case going forward, develop metrics that connect the results of risk mitigation initiatives to improved business outcomes. Admittedly, this is harder than it sounds, because it is difficult to measure the outcome of prevention or doing things better and faster. One strategy is to take an outside in approach by first identifying the business objectives your leadership wants to achieve and then determining what to measure and how, so you can see the results of your mitigation efforts. Reduce the potential for human error Human error is the leading cause of business and IT disruptions. Be proactive by evaluating automation solutions in the context of reducing the potential for human error rather than reducing IT costs. For example, automating backup across all user and server platforms can address a range of human errors that can lead to data loss from incorrectly configuring backup software to forgetting to run backups or even losing a notebook PC.
10 10 Building the business case for continuity and resiliency Address collaboration Of the continuity and resiliency professionals surveyed, 41 percent say that collaboration between various functions within the organization to support business continuity management is poor or nonexistent. As technologies grow more complex and IT risk domains overlap, collaboration is particularly critical. Look outside for help Collaborating with outside experts who have a different perspective can help you bring new thinking to old problems and identify new issues that are emerging along with new technology. IT consultants can help you determine a strategy for IT risk mitigation and develop an implementation plan, plus assist with building a business case. Consultants can also help organizations determine what components of business continuity and resiliency can be addressed more effectively by an IT services provider that has more extensive skills, resources or technology. For smaller organizations that find it difficult to secure skilled specialists, or industries such as healthcare where IT departments are relatively compact, using managed services for all of an organization s business continuity management may be a good choice. How IBM can help When planned and implemented effectively, business continuity strategy and management can become a vital competitive advantage. When you protect against and mitigate risks successfully, you can enhance brand value in the eyes of customers, partners and analysts. Further, your organization can better attract new customers, retain existing customers and generate greater revenue. To get an overall picture of the risks to your business, you can start with an IT Risk Management Workshop. IBM consultants will collaborate with you to provide a holistic assessment of risks across multiple layers of your business: your processes, technologies, applications and data as well as your physical IT infrastructure and facilities. A Continuous Operations Risk Evaluation (CORE) Workshop can help determine your organization s ability to provide continuous business operations. To help you address enterprise-wide resilience, our IBM SmartCloud Resilience Services offer on-demand, cloud-based managed services that can help you cost-effectively protect data, applications and operations from downtime and quickly restore data and operations should a disruption occur.
11 Risk Management 11 About the study The IBM Global Study on the Economic Impact of IT Risk is the largest independent research study conducted to date to measure the financial and reputational consequences of business or IT disruptions caused by business continuity or IT security failures. The study a follow-on to the 2013 IBM Reputational Risk and IT Study was sponsored by IBM and independently conducted by Ponemon Institute in July Participation was limited to IT professionals whose job focus is either business continuity, IT security or both, with decision-making or performance-related responsibilities. For this research analysis, only responses from business continuity professionals have been included in the data. Total business continuity respondents: 1,069 Location (35 countries) Company sizes (employees) Latin America 6% 69 Asia Pacific 16% 165 North America 51% 546 More than 75,000 4% 25,001 to 75,000 9% 10,001 to 25,000 15% Less than 500 8% 500 to 1,000 15% Europe/Middle East 27% 283 5,001 to 10,000 26% 1,001 to 5,000 23% All others 24% Industries Banking 15% Job titles Administrative 2% Contractor 2% Staff/technician 9% C-level executive 4% Executive/VP 7% Energy and utilities 5% Public sector 14% Supervisor 19% Director 23% Consumer goods 7% Manufacturing 8% Healthcare 8% Retail 10% IT and technology 9% Manager 33% The IBM Global Study on the Economic Impact of IT Risk, independently conducted by Ponemon Institute, and published September 2013, gathered information from 1,069 business continuity and resiliency professionals.
12 For more information To learn more about how IBM can help you protect your organization by strengthening business continuity and resiliency, contact your IBM representative or IBM Business Partner, or visit the following website: ibm.com/services/continuity Join the business continuity conversation To learn more about the IBM Global Study on the Economic Impact of IT Risk, visit: ibm.com/services/riskstudy IBM Business Continuity Index ibmbusinesscontinuityindex.com IBM Reputational Risk Index ibmriskindex.com Copyright IBM Corporation 2014 IBM Global Technology Services Route 100 Somers, NY Produced in the United States of America January 2014 IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at Copyright and trademark information at ibm.com/legal/copytrade.shtml The content in this document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates. This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates. THE INFORMATION IN THIS DOCUMENT IS PROVIDED AS IS WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON- INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided. All data in this paper is from the IBM Global Study on the Economic Impact of IT Risk, unless indicated otherwise, and is presented in U.S. dollars. Please Recycle RLW03026-USEN-01