Many aspects of the Iran war are shocking and dismaying, but to business continuity professionals, the kinds of impacts it his having on organizations are nothing new. However, the war provides an excellent opportunity to share some enduring truths about BC.
Related: In an Ancient Land, Glimpsing the Future of Business Continuity
In human terms, the war between the U.S., Israel, and Iran has been deeply unsettling. The sudden loss of innocent life and drone and missile attacks on formerly peaceful cities have been disturbing to witness. Many of the cities targeted had previously been thought of as safe havens in a difficult part of the world.
Meanwhile, the loss of a global aviation hub, drone attacks on data centers, and the bottling up of a significant proportion of the world’s oil supply has sent shockwaves through the world’s economies.
When looked at from the purely human point of view, these events are startling and anxiety-provoking. But from the business continuity perspective, the picture is somewhat different.
As disturbing as the crisis has been from the human perspective, from the point of view of BC practice and methodology it hasn’t presented any challenges that resilient organizations haven’t already anticipated and prepared for.
From the BC standpoint, the crisis can almost be considered “just another day at the office.” The headline events of the war might be new and unique, but the disruptions they are causing are old acquaintances.
For example, it might be true that no one has ever attacked an AWS data center with a drone before. But cloud DC outages have occurred many times. Resilient organizations know such outages can happen and have prepared accordingly. MHA CEO Michael Herrera and I have written about the possibility many times in this article.
Looking at things strictly from the BC point of view, what is new and shocking about an outage at a data center? Nothing.
The same is true of energy shortages, financial shocks, disruptions to the availability of key personnel, and the other organizational impacts we are seeing coming out of the crisis in the Persian Gulf.
The business disruptions caused by the war are very ordinary, but the crisis offers a unique opportunity to revisit a couple of BC fundamentals.
One thing worth reviewing is the fact that, when it comes to outages, it is important to differentiate between causes and impacts. And also to remember that business continuity is much more interested in impacts than causes. (We’ll address a partial exception in the next section.)
From the standpoint of BC, it doesn’t matter if your cloud service provider is down due to a drone attack, a cyberattack, or because someone at the provider accidentally pressed the wrong button. The only thing that matters is the impact—your provider is down—and whether you are prepared to cope with that impact.
The same goes for other disruptions, whether they involve people, facilities, technology, or suppliers.
The same impact can result from many different causes, and BC planning should ensure impacts are addressed regardless of origin.
Mentioned above was the fact that there is a partial exception to BC’s indifference regarding causes.
In practice, BC programs should differentiate between two types of potential causes: those they can do something about and those that are beyond their control. Organizations should take a two-pronged approach to managing risk: addressing the risks they can control and preparing for the impacts of those they cannot.
On the one hand, organizations should take all reasonable steps to reduce the likelihood of disruptions arising from internal or manageable sources. This includes strengthening process controls, reducing single points of failure, hardening critical infrastructure, and addressing both intentional and unintentional human error.
On the other hand, many of the most significant risks organizations face are outside their control. Obviously war is near the top of the list. Others include geopolitical instability, natural disasters, and large-scale supply chain disruptions. In these cases, the focus must shift from prevention to preparedness.
This means ensuring the organization can withstand and respond to impacts such as supplier outages, fuel shortages, loss of key personnel, and technology disruptions—regardless of what caused them.
Events like the current conflict also present an opportunity—one that business continuity professionals should not let go to waste.
When disruptions dominate the headlines, leadership is naturally more concerned about the organization’s exposure and resilience than in placid times. This creates a valuable opening for BC teams to engage decision-makers and highlight areas where the organization may not be as prepared as it should be.
This is an ideal time to revisit previously identified risks, reintroduce recommendations that may not have gained traction in the past, and move stalled initiatives forward. Real-world examples tend to make risks feel more tangible and harder to dismiss.
Of course, some leaders will still be inclined to think, “That won’t happen to us.” But experience shows that organizations are more likely to take action when risks feel immediate and concrete.
Just as classroom teachers look for “teachable moments” when timeless lessons gain special relevance, BC practitioners can use events like the current crisis to reach their leaders. An ideal outcome would be to convert today’s heightened alarm into practical steps to improve resilience before the next disruption occurs.
For organizations wondering what concrete steps they should be taking in light of current events, a few broader considerations are worth keeping in mind.
First, plans and assumptions should be revisited regularly. Business continuity strategies that have not been reviewed in the past year may no longer reflect current realities, whether due to changes in technology, personnel, suppliers, or business priorities.
It is important to validate underlying assumptions about technology and infrastructure. The widespread adoption of cloud services has led some organizations to assume a level of resilience that may not exist in practice. As the recent attacks reminded us, the cloud is still dependent on physical data centers and networks, and those can and do fail for a variety of reasons.
Organizations should ensure that their response strategies are not only documented but workable in practice. This includes testing recovery procedures, exercising workarounds, and understanding how processes perform under real-world conditions and at scale.
Two final points: it’s important to remember that, from the point of view of individual organizations, obscure, local events can be as devastating as well-covered global crises. And we often see companies make the mistake of fighting the last war, so to speak. Don’t obsess, in your planning and training, on preparing for the last impact you experienced. The next challenge you face might well be something else.
The Iran war reminds us that business continuity is less about predicting every headline event and more about preparing for the impacts that inevitably arise. Resilient organizations know that while causes may differ, the types of disruptions—people, process, technology, and supply—are familiar territory.
By focusing on impacts, maintaining up-to-date plans, and testing responses, organizations can strengthen resilience and reduce the chaos that inevitably accompanies unexpected events. Leadership engagement and proactive preparation turn even high-profile crises into opportunities to reinforce core BC practices.
MHA Consulting helps organizations get ready for the next disruption—whether geopolitical, technological, or operational. Contact MHA to learn how we can help review your plans, test your responses, and ensure your teams can respond effectively when the next crisis strikes.
No. While the war itself is unprecedented in its specifics, the types of disruptions it has created—such as supply chain interruptions, energy volatility, technology outages, and workforce impacts—are not new. From a business continuity perspective, these are familiar challenges that resilient organizations have already anticipated and planned for.
Because the same operational disruption can result from many different causes. Whether an outage is triggered by war, human error, or a technical failure, the key issue is the impact on the organization and its ability to respond. Focusing on impacts ensures preparedness regardless of how a disruption occurs.
High-profile crises create awareness and urgency, making them valuable opportunities to engage leadership and strengthen preparedness. BC practitioners can use such moments to highlight risks, revisit gaps, reinforce best practices, and encourage proactive steps to improve organizational resilience.