Everyone knows they should be prepared for disasters that could disrupt their business. We implement safeguards for cyberattacks, power outages, equipment failures, and natural disasters — all events that happen frequently enough to warrant our attention and where the threats and impacts are well-understood.
But how do you prepare for a disaster that catches everyone — businesses, governments, even the World Economic Forum (WEF) — completely off guard?
According to the WEF’s Global Risks Report 2020, the risk of infectious disease outbreaks isn’t among the top 10 most likely disasters. It barely made the cut for the top 10 most impactful events. Yet, here we are in the midst of a world-altering global pandemic.
So, how do you equip your business for a potentially devastating event like the COVID-19 pandemic when its likelihood seems remote? How do you balance that need against the need to prepare for more common and frequent disruptions like extreme weather and natural disasters?
It’s tough. Our inherent optimism bias leads us to downplay potential threats – especially if we can’t envision them impacting us directly. After all, how many of us looked at early COVID-19 maps depicting the spread in countries in the Far East and Europe and remained convinced the United States would be spared major impact?
The recency effect leads us to prioritize threats we’ve most recently encountered. We’re much more likely to pay attention to pandemic planning and readiness in the future than we once were.
The simple truth is you should be ready for a broad range of risks which can impact your business. Obviously, there are limits to budgets and resources, and every company has its individual priorities, but if you want to be prepared for the unexpected, you should prioritize three principles.
1. Balance risks and costs
Even if you had an infinite budget, you’d still have to prioritize your applications and systems based on how critical they are to your business. Preparing for the unknown is about striking the right balance.
Start by identifying your priorities and budget. You can base your decisions on which events are most likely to happen and which will have the greatest impact on your business, but you can’t – especially given what we’ve experienced with COVID-19 – discount the possibility of disasters that come out of the blue.
Weigh the impact each disaster will have on your business and utilize your resources accordingly to reduce risk.
2. Have a plan and test it
What would happen if a disaster struck and one-third of your workforce couldn’t make it into work? Would you still be able to run your systems? Would you still be able to provide the services your customers need? Would you be able to recover?
When a disaster hits, if you haven’t taken the necessary precautions, it’s too late to act effectively. You’ll find yourself in reactive mode, playing catch-up instead of implementing a response.
It starts with a defined business continuity and disaster recovery plan.
Know what your most mission- and business-critical applications are and make sure they’re protected. Map out your application dependencies and determine how your systems impact each other.
Plan for various scenarios to make sure you’ve got all the bases covered. Make sure everyone understands the plan and knows their role once it’s enacted. Then continuously test your plan and make necessary changes as your IT environment progresses and the threat landscape evolves.
The muscle memory you develop in testing will speed your response when a disaster arrives. Ideally you can do this upfront, building the flexibility required to respond quickly if and when you encounter those situations.
3. Diversify your risk
If you’ve invested heavily in developing the skills to execute your BC/DR plan successfully, you may have invested in the technology capabilities to handle your DR in-house.
However, as I mentioned before, what happens if a disaster cuts off a considerable portion of your workforce? Every plan needs contingencies, and it’s possible you might not have your point people available to carry out the plan.
Diversify your risk. Think about what responsibilities you can hand off to a third party so in the event of an emergency, you’re not scrambling to carry out the plan. By having a diversified set of capabilities in place, instead of putting all your eggs in one basket, your business has a higher chance of survival.
Take a broad point of view
The latest WEF Global Risks Report didn’t even feature infectious disease on the list of most likely risks. But if we’ve learned anything from the COVID-19 pandemic, it’s that all businesses should be prepared, even for disasters that don’t seem likely.
It’s impossible to plan for every single scenario; unexpected events happen. But if you’ve balanced risks, resources, and costs; tested and practiced your plan to the point it becomes second nature; and diversified your risk, you’ll be better able to respond to any disaster and maintain or quickly return to business as usual.