The Cost of Being Unprepared

Could your business ever experience a computer outage, hardware failure, or data loss?   The obvious answer is yes, of course this could happen.

Then consider these questions: What will it take for your business to recover from a computer outage, hardware failure, or data loss?  How much time will it take to fully restore critical processes?  At what point will an incident become a major disruption?

In the case of IT systems, the cost of disruption is very high.  Various studies have examined exactly how costly, but this statistic from SCORE seems to capture it best: 70% of small firms that experience a major data loss go out of business within a year.

One reason behind this startling statistic is businesses have become more dependent upon IT systems and data networks over time.  Processes such as accounting, point-of-sale, e-mail, client scheduling, and service databases, not to mention the electronic storage of vital documents, have been increasingly deployed throughout businesses large and small.

Understanding the extent to which your business is dependent upon the continual operation of these systems and the availability of this information has become vitally important.  Prudent managers periodically re-examine all of their business processes for potential disruptions and make plans to eliminate or avoid those risks.  Preparedness can be the difference between a minor inconvenience and a crippling blow to your business.

Business Interruption and Impact

Equipment failure, physical damage, or software corruption (either intentional or accidental) are some of the causes of an IT systems failure.  Sometimes potential failures can be identified in advance through systems monitoring and corrected with minimal disruption to your business.  But as often as not, IT systems fail without warning, bringing every associated process to a complete halt.

A detailed and thorough risk assessment will provide a comprehensive understanding of the risks associated with potential business interruption caused by an IT system failure.  However, a quicker method of calculating your exposure is a useful guide.

First, determine the annual revenue associated with the business process.  This can be estimated as a percent of total revenue.  For example, a retailer may have 70% of sales revenue from a physical store front and the other 30% from online sales.  If only the point-of-sale system in the physical store is being analyzed, then 70% of the store’s total revenue number can be used as an estimate.  (Of course, if the online sales functions are part of the same IT infrastructure, then 100% of revenue should be used).

Next, divide the Annual Revenue by the annual number of work hours (e.g., 2,600 for a business with five, ten-hour days; higherfor retailers and others with longer hours).  This will yield the average Hourly Revenue rate.

Time to Recover

The amount of time needed to recover from an IT systems failure and return the business to normal operations is a key consideration.  The first step in understanding the tolerance for downtime is to determine the accumulation of lost revenue and costs associated with the downtime.

In consultation with your IT specialists, determine the likeliest downtime scenarios.  The table below is for a business that utilizes their systems for ten hours per day, with a determination that the most likely downtime scenarios are three hours, two days, and seven days.

Enter the Hourly Revenue calculated in the first step, and multiply across for each downtime scenario.  Note that the loss of revenue is considered a cost associated with the downtime incident. 

Hourly Downtime Cost

Additional marginal costs associated with the IT systems failure are the next aspects to consider.  This category can include such items as:

• Higher equipment costs due to rush replacement (e.g. air freight, or being
  forced to purchase a costlier configuration that is in stock)
• Additional repair labor charges (use the IT hourly support rate as a guide)
• Overtime costs for business staff to accommodate the process interruptions or
  lost data
• Lost wages (salaries paid for work not accomplished)

There could be other business-specific or timing-specific impacts, such as penalties for missed service level agreements or missed contract deadlines, particularly in the case of longer-downtime scenarios.

The table below includes both the Hourly Revenue and the other marginal cost categories.

By adding all the factors together for each of the downtime scenarios, a Total Costs figure is calculated.

The final consideration is the likelihood of a failure, which increases with the age of the equipment.  For example, all hard drives (including new drives) have an average failure rate of 3%, but can range from 2% to 9% depending upon the quality of the manufacturing batch.  Our experience shows the failure risk for a workstation or server is between 5% and 10% each year.  This means the failure risk for a four-year-old workstation or server is between 20% and 40%.

The business manager can now see the significance of a potential IT systems failure and the related downtime, based on an experience-based likelihood of failure expressed in dollars and cents.  The potential cost of an incident is from the Total Costs line.  The likelihood figure expresses the chances of a failure this year.  It is important to keep in mind that should an incident occur the business will be exposed to 100% of the Total Costs.  In a multi-year analysis, the increasing risk over time associated with aging equipment must be considered.

Business Continuity

This exercise quickly determines the potential magnitude of an IT systems failure and the resulting downtime.  The next step is to develop a plan to mitigate the risks that have been identified.  Offsite backups, preventative maintenance, monitoring software, and redundant or specialized recovery and backup equipment will be just as much a part of the solutions as ensuring the correct physical space and good network security practices.  The best solutions will be derived from the unique exposures and risks faced by a business.

It is worth noting that a failure to understand and address the risk is the same as accepting 100% of the potential loss.  And keep that statistic from SCORE in mind.