On a weekly basis, I get at least one inquiry request from either a vendor or an end-user company seeking industry averages for the cost of downtime. Vendors like to quote these statistics to grab your attention and to create a sense of urgency to buy their products or services. BC/DR planners and senior IT managers quote these statistics to create a sense of urgency with their own executives who are often loath to invest in BC/DR preparedness because they view it as a very expensive insurance policy.
BC/DR planners, senior IT managers and anyone else trying to build the business case for BC/DR should avoid the use of industry averages and other sensational statistics. While these statistics do grab attention, more often than not, they are misleading and inaccurate, and your executives will see through them. You'll hurt your business case in the end because you haven't done your homework and your execs will know it.
I saw a study recently that stated the cost of downtime for the insurance industry was $1,202,444 per hour. You might be tempted to grab this statistic and throw it into the next presentation to your C-level exec but what is this statistic really telling you? Do the demographics of the companies in the study match yours? Do you trust the accuracy of the data? Consider the following:
What is the definition of insurance industry in this case? Is it companies that focus solely on insurance or does it include companies that also provide financial advice and monetary instruments to their clients?
What size companies participated in this study? What were their revenues? How many employees did they have?
Where are the companies in this study from? Are they headquartered in North America? Europe? Latin America?
Did the companies in this study really know their cost of downtime or was it an estimate? Had the companies conducted a business impact analysis and risk assessment in the last two years?
- Who within the company responded to the study? Was it a decision-maker or influencer in BC/DR?
It's going to be very difficult to find a study that has a meaningful sample size of companies that match your demographics. And even if you did find such a study, I would argue that there are still certain demographics and business operations that are unique to your company such as the location of your critical sites, the distribution of your employees across those sites, your revenue mix, and your peak periods.
In addition, the cost of downtime is meaningless if you have not performed a risk assessment. Your risk profile is specific to the location of your critical sites. An insurance company with headquarters and data centers in Connecticut does not have the same risk profile as an insurance company with headquarters and data centers in California. So the cost of downtime must be adjusted for the probability of the occurrence of certain threat scenarios. For example, the insurance company in the Connecticut has determined that due to the frequency of severe winter storms and the service history of the local power utility that the probability of a major power outage (greater than 8 hours) each year is quite high. What is the expected loss associated with this power outage?
Impact (e.g., $100,000 cost of downtime per hour) x probability (e.g., 30% chance of a power outage this year) x duration (8 hours) = annual loss expectancy ($240,000)
You repeat this calculation for the most probable threats identified in your risk assessment and this will determine the level of investment you need to make in preventative and recovery measures.
Statistics do have their place, I'm not dismissing them entirely. In fact, I use them frequently in my own research; they provide valuable insights into certain trends, particularly technology, service, and process adoption. You can use statistics (that are applicable to your company's demographics) to give you an understanding of overall trends and whether you are significantly different from you peer group in your current BC/DR efforts. So statistics do provide insight and identify potential areas of improvement but when it comes to calculating the impact of downtime and the probability of risk, statistics aren't helpful. At the end of the day, you can't escape taking the time to conduct your own business impact analysis and risk assessment. Justifying investments in BC/DR is difficult, I outlined at least 7 steps that need to occur in my report, Building The Business Case For Disaster Recovery Investment. Conducting a business impact analysis and risk assessment are key steps in the report.
Check out Stephanie's research
You should follow me on here