Tuesday, April 29, 2008

Pay me now or pay me later

As I cobble this together I am looking at an Adobe Flash Player advert on the WWW that tells me "Our formula is simple . . . Plan. Practice. Prevail." The advert continues that the company "delivers the expertise and the resources to help you" do those three things to "prevail over disasters."

Good advertisement.

The scrolling words caught my eye and I actually paid attention to the flying letters.

I didn't click on the invitation to "learn more" because I know about the organization (its product has an excellent reputation) and because the advertisement tells me the company is in the disaster recovery - not business continuity - business.

I know the company's spokesfolk would argue the point, and that's ok.

But the advertisement is the damning evidence.

Like BS 25999-*.

No, it's not something I read in the advert.

It is something I find glaringly absent in the advert.


Actually, the advertisement also fails to mention risk identification; lacking risk identification, how would anyone know what to mitigate? BS 25999-* at least suggests we look for risks. (To be fair, I only have the 25999-* drafts to go on; I have yet to see the Final Deliverables.)

The primary difference between "disaster recovery" and "business continuity" is approach.

Disaster recovery is REactive.

Business continuity is (supposed to be) PROactive.

  • Disaster recovery is an iron lung.
  • Business continuity is a polio vaccination (or sugar cube).
  • Disaster recovery is a head in traction (if the person is lucky).
  • Business continuity is a tested helmet.

I could carry the comparisons on for a great many lines, but I hope by now you understand this scrivener's concept of the two terms.

The problem with a lot of organizations claiming to be in the business of business continuity is that they remain in the business of disaster recovery - the only thing "business continuity" is the nom du jour of the product or service. (Some organizations have gone farther, to "resiliency planning," which, I contend, is what business continuity promises - resiliency to recover to business as usual, sometimes better than before an event.)

From a cost perspective, which is better? Think of the old Purolator commercial: "Pay me know or pay me later." Now think about the cost of a new oil filter every 3000 to 7000 miles over the life of a vehicle vs. the cost of replacing an engine, and maybe a transmission, too.

Pay me now or pay me later.

How much for that polio vaccine vs. a stay in an iron lung (cost + lost wages + lost companionship, etc.)

How much for a top of the line helmet vs. head surgery, days in intensive care, rehab, etc.

Pay me now or pay me later.

Next time someone asks how the cost of risk avoidance or mitigation can be justified, remind them of the Purolator commercial.

John Glenn, MBCI, SRP Enterprise Risk Management/Business Continuity http://JohnGlennMBCI.com Planner @ JohnGlennMBCI.com

No comments: