Beware the iceberg!
Insourcing your business continuity management may seem to make sense - until, too late, you realise that 80 percent of the costs and complexities are hidden.
Although most responsible organisations now accept the imperative for a proper business continuity management (BCM) plan, when it comes to investing in a business continuity capability, the eternal problem of costs asserts itself. And while many organisations will more or less willingly pay for access to a third party's data centre and communication links for their IT disaster recovery, they often balk at the costs associated with a work-area recovery capability provider by an outsourcer.
The issue before any organisation is thus whether to insource or outsource all or part of its BCM. In weighing up the two options, however, care must be taken to consider all the factors. The truth of the matter is that most of the costs and other disadvantages attached to insourcing are hidden - hence the iceberg reference in the title.
Generally speaking, when costing an insourced solution, the impact on already overburdened internal departments is not considered. Everybody is too busy and it is a brutal reality that BCM is likely to be more or less permanently relegated to somewhere near the bottom of the to-do list.
In addition, many of the costs are likely to be spread across the business, and so will be hard to manage. ContinuitySA estimates that only around 20 percent of insourcing costs (purchase of equipment and furniture, as well as development) will be visible and assigned to the project. The remaining 80 percent will be hidden in other budgets. They would include planning and design; installation and development; rental of premises; rates, taxes and utilities; insurance; maintenance; security and cleaning; operational staff; administration; training; and health and safety.
Another point to bear in mind that the insourced solution will require an expensive diesel generator and uninterrupted power supply (UPS), with additional fuel and maintenance costs. In an outsourced model, these items would be syndicated, lowering their total cost.
At a strategic level, too, it is worth mentioning that many of the costs associated with insourcing would appear on the balance sheet as capital expenses, whereas all the costs of outsourcing would fall under operational expenses. The decision to insource might typically be made by a middle manager who does not appreciate the overall financial strategy, which is likely to favour operational over capital expenses.
Outsourcing is one single cost item: easy to see and easy to manage.
We have already seen the iceberg problem associated with insourcing but cannibals are also a problem. If the company owns the work-area or disaster recovery sites and equipment, there is always the temptation to use the BCM equipment—from servers and PCs to desks and chairs—to meet production needs. Invariably, the equipment is never replaced because there is never any budget to do so, with predictably awful consequences if and when a disaster strikes.
At a more strategic level, it needs to be understood that developing a recovery solution is complex: it takes time to do it properly, and it needs to be tested and continuously fine-tuned. It is critical that the plan is kept updated and also that it is proved to work through rigorous testing - a disaster is no time to find out that something does not work.
The business will almost invariably lack many of the specialist skills needed, and there will be a continuity problem (ironically) as insourced staff are reassigned to new jobs or leave the organisation.
In conclusion, insourcing's apparent cost-effectiveness masks not only a whole raft of hidden costs, but also fails to recognise the need for dedicated specialist skills to craft the business continuity plan; develop, test and fine-tune the solution; and guide the organisation through a real-world crisis. As the old proverb truly says, bargains really are expensive in the long run (goedkoop is duurkoop).