Monday, June 8, 2009

Business Continuity and Disaster Recovery - Uncovering and Calculating the Hidden Costs of Downtime

Clients' overlooking some of the less obvious direct and indirect costs of downtime is one of the more common mistakes we encounter when called into a Business Continuity and Disaster Recover engagement.  
Unfortunately, failing to get this piece right directly affects the amount of investment you'll be able to make in your infrastructure, especially today. All investments are being scrutinized, hurdle rates increased and the speed and certainty of payback now more than ever, being demanded. 
Business Continuity and Disaster Recovery Experience is Key 
This is where working with an experienced partner really pays off. Knowing were to look for direct and indirect costs is something that takes experience.   Once costs are aggregated, you must then begin assigning hourly downtime costs (which of course vary by business process). Your goal is to as accurately as possible calculate the cost of an hour of downtime.  
You might find the results staggering. On average, studies from IT industry analysts estimate hourly enterprise level outages to cost between $84,000 and $108,000 (US). For some large institutions in the financial and utility sectors the costs of hourly downtime have been estimated to be in the millions of dollars. 
Of course, the exact figures for your firm may vary considerably depending upon the size and nature of your business. The key point here is that in order to justify the BCDR investment you know your organization needs (and NOT put your organization at an unacceptable level of risk) you must invest sufficient time and energy accurately identifying all of the costs of downtime. 
Calculating Your Cost of Downtime: How Much Will Downtime Cost Your Business? 
Again, the importance of getting this calculation right cannot be over emphasized. We recommend as a starting point you consider the following: 
Who will be impacted? 
What business groups, suppliers, customers, partners and other stakeholders?

What will be the indirect and direct costs to each of these stakeholders?  
In addition to the costs in the figure above, some industries must also weigh the costs of government and regulatory compliance. 
When will they need services restored? 
Some mission critical services simply cannot go down (order entry and processing, ecommerce, global collaboration systems), while others (inter-company email, employee internet access) if interrupted might cause just temporary inconveniences.

Where are the critical operations located? 
Physical location, location in the process flow, points of convergence?

Why are specific processes deemed critical? 
Of course every stakeholder believes their processes and functions to be important. Your job is to weigh the merits, identify the costs and assign the most accurate priority level you can. Rarely is everything critical and one sure way to make certain that the investment you seek is far too great to ever get funded is to develop a Business Continuity and Disaster recovery plan that treats every operation as critical. 
Government and Regulatory Compliance 
As you begin to compile your data don't overlook the costs of complying with the regulations that govern your industry. Gartner, Inc.'s Research Paper Laws Influence Business Continuity and Disaster Recovery Planning Among Industries ID Number: G00128123 (11 July 2005) provides an excellent overview of the myriad compliance issues facing industries such as healthcare, finance, government and utilities. 
Here are just a few examples of regulations to which you may be required to comply: 
HIPAA (Health Insurance Portability and Accountability Act) Requires data backup plan, DR plan, and emergency mode operation plan. Primarily focused on maintaining patient health data confidential, HIPPA requires a maximum turn-around time of 5-days when requests for information are made. An organization's resources, size, and complexity are taken into account.

USA PATRIOT ACT (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001) It seems a day does not go by without some mention in the news of the Patriot Act. This far reaching regulation defines what information must be made available to federal and local authorities for those suspected of terrorism and terrorist-related activities. 
FISMA (Federal Information Security Act of 2002) Primarily focuses on data security, however, also requires that governments remain open during crisis and thus impacts continuity of operations. 
Sarbanes Oxley Act of 2002 While primarily a corporate governance regulation surrounding truthfulness in financial reporting and controls; Sarbanes Oxley does mandate specific reporting time-frames that must be met in order to avoid penalties. 
Calculate Your Cost of Downtime Accurately! 
Remember, underestimating or failing to account for the less obvious direct and indirect costs of downtime is one of the more common mistakes IT professionals make when evaluating a Business Continuity and Disaster Recover plan.

To get a full appreciation of just how true this statement is I highly recommend you get the white paper titled The Disaster Waiting to Happen: The 4 Biggest BCDR Mistakes People Make And Why They Cost So Much. In this resource you'll also learn why Business Continuity and Disaster Recovery remain at the top of the IT professional's worry list.

Kurt Buckardt is CTO of Konsultek a leading edge network infrastructure and information security company located in Chicago, IL. Kurt can be reached at 847.426.9355. To learn more about Konsultek and how we can help you with your BCDR, network infrastructure and information security needs visit

No comments:

Post a Comment