Investors and financial institutions like to correlate business continuity risk with business continuity reward. If risk is greater in an investment, then the potential reward should be greater too.
Stock market investments are perceived to be riskier than bond investments, but are expected to give higher returns. However, some riskier investments are capped in their potential for reward, offering no more than less risky investments.
Similarly, spending more money to protect the business continuity of an organisation does not automatically guarantee a reduction in the level of risk. So why would organisations persist in thinking otherwise?
Market research company Gartner conducted a survey in 2016 on the specific subject of IT security, which is one part of an overall business continuity approach. Gartner found that many organisations mistakenly equated IT security spending with security maturity.
Budgets varied by a factor of one to thirteen, but did not necessarily reflect the real level of protection gained. Many clients simply wanted to know if they were spending equivalent amounts to others in their industry, geography and size of business, as a (false) measure of their diligence in protecting their enterprises.
Comments made in the survey report about risks, spending, and security carry over to business continuity too.
As Gartner puts it, “General comparisons to generic industry averages don’t tell you much about your state… You could be spending at the same level as your peer group, but you could be spending on the wrong things and be extremely vulnerable.
Alternatively, you may be spending appropriately but have a different risk appetite from your peers”.
Pessimistically, Gartner also expects that most organisations will continue to misinterpret average spending in this way through 2020.
The company’s suggestion for organisations is to start by assessing risks, then to understand the budget available to the specific risk manager (the CISO in the Gartner survey, or the business continuity manager in this article), both directly and indirectly via the budgets of the different organisational departments. This is also the approach we have recommended for a long time!