This post first appeared on the MHA Consulting blog.
By RICHARD LONG
Events in Texas this week drew attention to what could happen to companies that are unprepared for a lengthy power outage. But this is only one of many types of failure to plan that can cause devastating consequences for a business. In today’s post, we’ll look at eight common business continuity oversights that can bring your operations to a standstill.
Looking Beyond the Texas Power Outage
The power outage that swept across Texas this week has raised the awareness among business continuity professionals of the need to be prepared for long-term blackouts. This is all to the good. However, it would be a mistake to get hung up on the issue of a loss of electrical power to the exclusion of other threats.
The failure to prepare for a protracted power outage is one of many types of common business continuity oversights.
Chances are, the next big BC event will not be a power outage. Nor is it likely to be a global pandemic, our other recent high-profile event. It will probably be some equally startling occurrence—one that will seem unlikely before it happens and inevitable afterward.
In today’s post, I wanted to break down eight business continuity gaps or oversights that I’ve commonly observed out in the field. The failure to be prepared for a lengthy power outage is only one such oversight (actually, it’s only a subpart of one).
If your organization can avoid committing the eight oversights described below, it will be well prepared to ride the storm out no matter the form of the next event that comes along.
8 Common Business Continuity Oversights
The following is a list of eight common business continuity oversights. These are ways that many companies fail to prepare adequately for negative events. Failure to close these gaps can have serious and costly impacts on an organization’s ability to carry out its critical functions.
1. Lack of sufficient redundancy in core functioning, including electrical power, telephony, and IT functions.
This brings us back to the Texas power outage. However, power is only one aspect of core functioning where many organizations are insufficiently resilient. Weakness in these areas can be crippling. The problems with breakdowns in power and telephony are obvious; that of IT is worthy of special note. It’s during times of distress that IT systems are most likely to come under attack. To fend off these attacks, IT network, security, and other infrastructure must be sufficiently redundant in terms of protection, access, authentication, and security monitoring.
2. Lack of sufficiently robust and redundant email and collaboration technologies.
The pandemic has greatly enhanced most organizations’ capacity in this area. Nonetheless, conditions change. Organizations should regularly review the robustness of their arrangements regarding collaboration tools.
3. Not having the necessary dependencies in place to carry on critical business functions.
Planners need to understand what must be in place for their critical processes to run. These dependencies must be redundant or backed up by workarounds. Example: At one company, the ability to ship products might be considered a mission-critical business process. Suppose shipping at the company depends on the ability to print labels; if the company cannot print labels, it can’t ship. In this scenario, the company would be well-advised to develop redundancy or a workaround for its label-printing operation.
4. Not adequately vetting third-party vendors.
Third-party suppliers are often less than forthcoming about their level of preparedness, or lack thereof. When critical supplies are unavailable, production or services come to a halt. To avoid this happening, it’s important to vet suppliers and have backup plans in place. (See this post for more on vetting third-party vendors.)
5. Not having enough IT processing capability.
Many companies are insufficiently rigorous in their IT/DR testing. It is common for companies to target only a portion of their environment for testing, assuming that will be adequate for an actual event. This assumption is likely to be incorrect, particularly for an event that is prolonged. It is critical to have enough processing capability, especially for server storage and load balancing.
6. Not providing sufficient training for staff.
Many companies make rash assumptions regarding the ability of their staffs to manage an event without training. The failure of staff to respond optimally during an event can seriously delay a company’s recovery.
7. Not developing sufficient operational resiliency.
The most common events are not complete outages but the failure of individual applications or components. Operational resiliency refers to day-to-day availability needs. The IT/DR solution and the operational solutions should be considered separately but integrated as needed.
8. Lack of sufficient redundancy in connection with cloud-based SaaS solutions.
Many companies put little effort into thinking about the resiliency of their SaaS solutions. The thinking is, “not my problem.” If such a solution goes down, it will be up to the SaaS provider to restore it. However, companies should think about their SaaS interdependencies. Suppose a company’s e-commerce engine is running on one SaaS solution and its dependent data on a second SaaS tool. What will happen if the second SaaS provider suffers an outage? Companies should analyze these webs in advance and develop redundancies or workarounds for mission-critical processes.
Closing the Gaps
Because of the recent power outage in Texas, many BC professionals have begun assessing whether their organizations are prepared for a long-term loss of electrical power. This is not a bad idea; however, the next event to strike your company is unlikely to be a power outage (or a global pandemic). It will probably be something that, until it happens, will seem unlikely or even preposterous.
Failure to prepare for a long-term power outage is one of many business continuity oversights that can bring an organization’s operations to a halt. By closing the gaps in preparedness described above, you can increase the chances that your organization will get through the next event in good shape, no matter what form it takes.
Further Reading on BC Oversights
For more information on common BC oversights and other hot topics in BC and IT/disaster recovery, check out these recent posts from MHA Consulting and BCMMETRICS:
- Vulnerable Vendors: Supplier Weaknesses Put Your Organization at Risk
- Conduct an IT Wellness Check: Make Sure Your Tech Systems Are Healthy
- The Magnificent Seven: 7 Key BC Areas to Focus on in 2021
- One-Two Punch: The Two Problems That Cause the Worst BCM Failures
- You Still Need to Drill: IT/DR Testing Is as Important as Ever
- The Great Inspection: Identifying Likely Future Common BCM Problems
Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.
