Security breaches and ransomware. Wildfires, flooding, and hurricanes.
This is what most organizations have in mind when they think about business disruption and plan for business resiliency. All of these events are costly, disruptive, and bring normal operations to a crawl.
But business resilience goes far beyond cyberattacks and natural disasters. Power outages, personnel changes, and even digital transformation can disrupt your business in various ways. Resilience is about having a plan to deal with the big hits, as well as the changes that come from competitive pressure and changing market dynamics. Resilience is about ensuring your business – and the underlying IT infrastructure – is available, safe, and agile.
Here’s why you might be thinking about resiliency all wrong and how to cultivate the agility that helps your business weather changes of all kinds.
The Most Common Disasters in 2018
Natural disasters cost the U.S. $155 billion in 2018, with hurricanes, wildfires, and even Hawaii’s volcanoes playing a role. Cyberattacks are also becoming increasingly expensive. One report estimates that cybercrime costs the world almost $600 billion, up from $500 billion in 2014.
While these disasters are often widespread and newsworthy, companies are often left reeling from more mundane and localized, albeit still disruptive, events. In 2018, a leading disaster recovery and business continuity service provider received 91 disaster declarations spanning the U.S., UK, Europe, Canada, and India. Looking at the causes of those declarations, some interesting trends surface. While hurricanes and flooding were both causes of several declarations, the top cause, at 17.5 percent of the total, was power outages. Network outages and hardware failures closely followed. In total, those top three triggered 40 percent of total declarations. Flooding and hurricanes combined were just 13 percent of the total.
Beyond IT: Workplace Disruptions
If your building lost power, how quickly could employees resume serving customers? If you experienced communication issues which cut off your link to the cloud, how would you access the data and applications which reside there? If your company acquired another with 15 sites and a few data centers, how quickly could you streamline the collection of current and “new” IT infrastructure?
Resilience programs have to go beyond how to bring back up the applications which have gone down or send employees to a recovery site. Sometimes an issue cripples operations, and sometimes it just affects employees’ ability to work effectively. Alternatively, it might be positive news, like migrating select applications to the cloud or a digital transformation program, which can similarly disrupt normal business operations. All of these events can affect your organization’s employees, investors, customers, and reputation, and you’ll only be truly resilient when you have a plan for managing these changes and disruptions holistically.
How to Build Resilience for Any Disaster
There are four principles which can minimize the impact of many kinds of disruptions:
1. Understand dependencies.
Not just in your IT, but in your organization. While digital transformation can increase revenue, customer satisfaction, and agility, it can also leave your organization susceptible to external threats if you’ve opened up part of your business that wasn’t previously connected. Know the potential impact of an application failure or data breach. The same thing goes for employees. If there is an unexpected personnel change, what’s the succession plan or adjustment to access rights and process flows?
2. Cover the last mile.
So many resilience plans fall short in the last mile: your people. Train and educate your team on what they should and should not do. Many companies underestimate how much employees are targeted with real threats like phishing attacks. Simulating phishing emails to test users and teaching them how to report phishing attempts can avert disasters. Training them on new technology ensures smooth transitions when migrating to the cloud, for example. Also, regular testing of disaster recovery plans can help identify weak areas and reinforce the required actions.
3. Don’t assume anything.
It’s easy, given the many benefits of the cloud, to assume your data and applications are safe and easily recoverable. But just because your applications and data are running in the cloud does not mean your cloud provider will own recovering them. Recoverability still falls on your shoulders. In a similar vein, it’s easy to assume your locations’ power and communications will always be in place, but it is imperative to have a plan for when they fail.
4. Don’t try to become impenetrable.
It is impossible, whether we’re talking cybersecurity, natural disasters, or a power outage. Instead, aim for agility. You cannot block disasters from happening, but you can create a good plan so when they hit, you not only fix the problem but keep your business running in the meantime. Beyond IT resiliency, that means having a plan for proactive communication with customers, vendors, and partners to keep them apprised of the situation and how you are handling it. That way you protect both your critical business systems and your reputation.
Disruptions and disasters come in all shapes and sizes, but they all have one thing in common: they cannot be predicted. Even for hurricanes you can see coming days in advance, it is impossible to know their full impact until after they’ve passed. Truly resilient businesses take that unpredictability in stride, with a plan that minimizes disruption, improves agility, and ensures their business stays up and running.