The recent profusion of serious outages affecting both critical internet services and the physical supply chain reminds us of the need to focus on fundamentals. When it comes to resilience, there are two basic tasks every company should undertake: 1) assessing and mitigating risks and 2) preparing for outages.
Related: Weighing the Danger: the Continuing Value of the Threat and Risk Assessment
The past year and a half has seen an unusually large number of significant business disruptions, including numerous outages to critical digital services providers and hits to the physical global supply chain.
For examples of the former, look no further than the headlines about the recent outages at CrowdStrike, AWS, Azure, and Cloudflare. Instances of the latter include the East Coast port strike, ongoing issues with the pharmacological supply chain, and the Baltimore bridge collapse.
For MHA, these weren’t just stories in the news. There were issues that posed real and, in some cases, ongoing challenges to our clients’ ability to keep their critical operations going.
Meanwhile, the private, non-headline-making disruptions that our clients face kept up their usual busy pace.
Taken all together, these events are a reminder that organizations need, at the very least, to assess and mitigate risks and plan how to maintain essential operations if normal activities are disrupted.
An analogy from everyday life might be helpful.
Many people make it a habit to think about the risks to their car tires and take steps to mitigate them. For instance, they might be mindful of the possibility they could have a blowout. To mitigate against this, they might make sure their tires are inflated to the correct pressure and check for embedded stones. This kind of behavior reduces the chance they will have a problem with their tires.
The possibility of tire trouble cannot be completely eliminated, however. Not everything is within our control. We might still drive over an unseen nail and suffer a flat. Certain problems can strike despite our best efforts. This is why, along with identifying and mitigating risks, we prepare for outages. For most drivers, that means carrying a jack and a spare or, at the very least, making sure they can call for help.
The equivalent actions for organizations are surveying the environment for threats and mitigating against those that are most likely to happen, or which would cause the most damage if they did happen. And putting some effort toward figuring out what you would do if, despite your best efforts, something happened that brought some aspect of your mission-critical operations to a halt.
Let’s look at each of those measures individually.
Every organization has vulnerabilities, and the first step toward resilience is understanding where they are. Identifying risks is an area where a good imagination is helpful. So is a knowledge of company history and being attentive to the news.
The classic risk assessment is a formal, comprehensive document that looks at all the angles, but a back-of-the-envelope assessment by a few informed people can identify the biggest risks in a few quick strokes.
The key is to imagine all the things that could go wrong and evaluate them in terms of the probability of occurrence and how serious the impact would be if they did occur.
The risks to consider vary widely by company, industry, and location. They might include any or all of the following: power outage, chemical spill by the plant across the street, loss of a critical internet service, political demonstration that prevents access to a facility, arrest of a senior executive, cyberattack, software glitch, fire, labor action, sudden departure of key staff member, loss of a critical supplier, social media embarrassment, active shooter—or any of a hundred other things.
It’s good to be aware of what issues have occurred in the past, but don’t make the mistake of assuming that the next issue will be a rerun of the last one.
Once you’ve identified your risks, the next step is determining whether there are reasonable steps you can take to reduce the likelihood of these events. Organizations have four options for mitigating risk: accepting the risk; avoiding it by changing the activity that creates the exposure; transferring it through mechanisms such as insurance; or reducing it through targeted mitigations. Choosing the right approach for each risk ensures your resources are focused where they can deliver the greatest resilience benefit.
Risk assessment is about casting a wide net. In contrast, the activity of preparing for outages is narrower in scope. The reason is, when it comes to continuity planning, the reason for the disruption does not matter. All that matters is what aspect of the organization is affected. Those impacts will necessarily be one of four kinds: loss of facility or area, loss of technology, loss of vendor, and loss of people.
In continuity planning, you don’t have to worry about the cause of your problem; only which aspect of the organization is impacted as a result of it. This greatly reduces the number of plans you need to develop. From the continuity planner’s point of view, it doesn’t matter if your facility is unavailable due to a fire, flood, or something else. All that matters is that you have a way of continuing your essential operations without that facility.
As with risk assessments, continuity planning can be more or less formal. Written, tested continuity plans that spell out manual workarounds and cover the loss of critical business processes are the state-of-the-art solution. But even having a rough idea of what you would do if you lost a core dependency is better than nothing
The wave of significant disruptions over the last eighteen months has reinforced the fact that every organization should, at a minimum, address two key aspects of resilience: understanding its risks and preparing for outages. Whether the disruption comes from a service provider, a supply-chain issue, or a local incident, these fundamentals remain the most reliable foundation for keeping your operations running.
Focusing on these core activities provides a practical framework for improving resilience without overcomplicating things. By identifying vulnerabilities, reducing preventable exposures, and planning how to work through unavoidable disruptions, organizations can navigate uncertainty with greater confidence.
If your team needs help conducting a risk assessment, developing outage strategies, or building a stronger business continuity foundation, MHA is here to assist. We’ve helped organizations across industries strengthen their preparedness, reduce their vulnerabilities, and respond more effectively when disruptions occur. We’d be glad to talk about how we can help you do the same.
Further Reading