By Stephen McGrady
Principal
If Hurricane Harvey and the magnitude 8.1 earthquake off the coast of Mexico didn’t get you thinking about whether your business is prepared to withstand a major disaster, chances are Hurricane Irma or Maria did.
Like most professionals who work in the Business Continuity Planning (BCP) field, I’ve been giving a lot of thought to the implications of having three major natural disasters strike in North America within a 1-1/2 week span. It’s become clear to me that even if you have what you thought was a solid plan in place to keep your business operating after a disaster, your plan might not be good enough. After all, most organizations put plans in place that address how they’ll recover from one disaster. Very few ever consider the possibility that the situation may be even worse than that.
Are two baskets enough?
Heeding the old adage that you shouldn’t “put all your eggs in one basket,” a common approach to Business Continuity Planning is to have a primary site (i.e. office, factory, warehouse, data center, shipping center, etc.) plus a secondary or backup site. Or two sites that share the load in normal times, with one taking over the entire workload, perhaps with some degradation in service, if its sister site is taken offline. The question that now needs to be considered is whether or not this is enough.
This summer if you had a loan servicing company headquartered in downtown Savannah, with your two Spanish-language call centers located in Houston and the Florida, Harvey and Irma may have shut your operations down. Not only would your plan to have your Texas and Florida call centers function as backups for each other failed, your Georgia headquarters may have been flooded as well. Who would have thought a scenario like this was possible?
Some new questions to consider
In my recent article on a 4-step approach to business continuity planning, step number one is to conduct a business impact assessment. The idea here is that before you can begin to create a Business Continuity Plan you need to clearly understand how different areas of your business might be affected by a disaster.
In light of recent events, I think that as part of this exercise you should also consider what would happen if a single natural disaster brought multiple geographic areas down or if two different natural disasters happened in rapid succession. How much would your business be impacted if both X and Y went down at once? How long could your business survive this? Would your business be completely out of commission, or do you have a survival plan that will allow you to run the business, perhaps in a very degraded way, despite the double loss? How much money would it cost you (in terms of lost business, costs to get operations running again, etc.) if this happened?
If you only have one backup plan, consider whether this is a risk that you’re willing to take. Try taking your senior management through a “table top” training exercise where you take a look at your options if both your primary and secondary sites go down (either simultaneously or one right after the other). The results should either help you feel satisfied that you could survive the double whammy…or make it clear that you can’t.
How much protection is enough?
While BCP is all about mitigating risk, it is never possible (or economically feasible) to mitigate all risk. At some point you have to draw the line. You may decide that the chances of both your primary and your backup going down at once are so low that it does not need to be addressed. You may decide that this is a scenario that does need to be addressed, and then draw the line at a three-disaster scenario. The odds of three things happening at once is probably quite small. But as we have just seen, the probability of two things happening at once is not insignificant.
Conclusion
As humans we all tend to overestimate the probability of good things happening, and underestimate the probability that something catastrophic will happen. This is one of the reasons (in addition to cost!) why so many Californian homeowners buy lottery tickets, but so few buy earthquake insurance.
This same psychology tends to come into play in the BCP world. People think that disaster won’t strike their business, or that if it does it will be “disaster light.” Don’t let this type of wishful thinking stop you from preparing for disaster, whether that disaster is a single hit or a one-two punch.
About Stephen McGrady
Stephen McGrady is a Principal with CIO Professional Services. He has served in technology vision and leadership roles, including Vice President of Services, Chief Information Officer (CIO) and General Manager, for over 20 years. Since 2006 he has focused on executive management consulting that enables business clients to improve performance through intelligent use of information technologies.
About CIO Professional Services
Based in the San Francisco Bay area, CIO Professional Services LLC is a top-rated Information Technology (IT) consulting firm focused on integrating Business and Information Technology. Our consultants are all hands-on executives who are veteran CIOs and Partners of Big 4 consulting firms. Companies come to us seeking assistance with their information technology strategy as well as for interim or fractional CIO / CTOs, and negotiation and program management/project rescue assistance.
