Qualifying and Quantifying the Costs and ROI of Business Continuity Plans
Taking a hard look at the dollars behind the 9s of availability.
IT professionals obsess about high availability. They strive to make IT systems accessible to all stakeholders, internal and external, all the time. But making the case for high availability outside of IT can be challenging, especially when it comes to budgeting for the costs of business continuity and disaster recovery — and the expenses of inadequate BCP.
Many IT managers strive to reach “five 9s of availability”:
- The five 9s stand for 99.999% availability, 24 hours a day, 7 days a week, 365 days a year.
- The remaining .001% equates to 5.26 minutes of unscheduled downtime a year, or 25.9 seconds a month.
While less than 30 seconds a month may seem inconsequential, the hidden costs behind that number are not. Demonstrating the cost of not doing due diligence for Disaster Recovery (DR) and Business Continuity Planning (BCP) can greatly help in:
- Creating a unified understanding of DR / BCP
- Obtaining budget for resilient IT systems
- Demonstrating that it is not only an IT problem
- Raising awareness and appreciation for the complexity of IT
Estimates of the average cost of a single minute of IT downtime vary, from Gartner’s conservative estimate of $5,600 per minute to a Ponemon Institute study that set it at nearly $9,000 per minute.
Unfortunately, no company is average. It’s up to you to research and present downtime costs to senior management, especially prior to submitting your technology budget for Blade Servers, Virtualization, or a redundant data center in the event of a disaster.
One way to make the case is to follow these 4 key steps to quantifying the ROI of BCP.
1. Calculate employee cost: Direct, incidental and recovery
Direct cost: Factor in the total hourly cost for employees who would be impacted by an outage of a certain system (by location and/or application). If your organization has 100 employees, the average salary per hour (be sure to include benefits) is $80, and you have an hour of downtime, the initial reaction is that the cost of the downtime is $8,000.
Average Hourly Employee Cost x Number of Employees = Direct Cost for Hour of Downtime
Incidental cost: Calculate the idle time during which the employee is not working due to an incident (again, it doesn’t have to be a technology failure). This cost may be difficult to validate with senior management, as the response may be that “they can do something else.” The truth lies somewhere in the middle. By offering a factor of 50% effectiveness, you are dealing with an incremental incidental cost of $4,000.
Direct Cost for Hour of Downtime x 50% = Incidental Cost for Hour of Downtime
Employee recovery cost: This is the time required to catch up after the incident (email, voicemail, deadlines, etc.). Recovery time can often require overtime. Again, this cost may be difficult to justify, and using a percentage of direct cost (75%) may be more acceptable. So you are looking at $6,000 for recovery.
Direct Cost for Hour of Downtime x 75% = Recovery Cost for Hour of Downtime
This brings the total cost of the one-hour outage during normal business hours to $18,000. This is a conservative number and should be communicated as such. A more detailed breakdown of “employee true costs” written by Diane Gilson of the Sleeter Group can be found here.
Direct Cost + Incidental Cost + Recovery Cost = Total Employee Cost for Hour of Downtime
2. Calculate loss-of-business costs
On the surface, this seems like an easy calculation. To calculate the cost of business lost to a minute of downtime, divide your company’s gross revenue by the total minutes in a work year (2080 working hours x 60 minutes = 124,800). However, very few companies shut down at 5 PM. Web sales and marketing, email, voicemail, and social media never stop. So, you may want to use the total number of minutes in a year, 525,600.
In 2021, CNBC calculated that Apple makes $691,234 per minute, while Tesla makes $80,162 per minute. An outage at a mega tech brand would cost an average of $373,606 per minute.
3. Cost of customer confidence/service value
This is almost impossible to quantify as a direct cost unless it can be related to a similar incident. Your marketing department and then finance may be able to help put together an estimate.
4. Cost of technology recovery
This cost is easier to calculate after an incident. Typical technology recovery costs include overtime, out-of-warranty acquisition costs, and outside vendor and consulting costs. To estimate recovery costs, include all of the above plus the costs associated with a system restoration.
Here’s an example of how technology recovery costs can add up. A customer’s data center experienced a power outage. Normally the backup generator would have protected the data center from an outage, but the customer soon learned that facilities had not been refueling the generator after weekly tests. In rushing to refuel, air bubbles formed in the diesel fuel line, causing the backup generator to die. This occurred off-hours, of course. When the UPS system failed, everything crashed. The technology recovery cost calculated by the company included overtime/comp time for the IT staff and the cost of replacing 20% of the two storage area networks (SANs). Also included were the emergency fuel and service costs for the generator.
Bottom line? Downtime, for whatever reason, costs big money. Quantifying the cost of business continuity and disaster recovery can help to win support and alignment between business units and IT. And bigger blade servers!