We might argue with any number of Nietzsche's philosophical tenets, but this statement seems to define not only the human condition but also the quality of resilience that we aspire to in the plans and programs we build around business continuity and disaster recovery.
Americans are not the only people tested sorely in the past several years by hurricanes, tornadoes, tropical storms, wildfires, floods, extreme heat or earthquakes. Nor have we had to bear the triple scenario that included a magnitude 9 earthquake, a tsunami, and the failure of major nuclear power plants in Japan in 2011. Debris from those events is still washing up on the coast of the State of Washington, where I live. That series of events in Japan should lead all of us in business continuity and emergency management to reconsider the fundamental assumptions on which we make our plans, and ask "What really is the worst case, now that conditions on the Earth have changed so significantly from climate change?" For there's no doubt that things have changed, even though our plans have probably not been dusted off more than once a year for a drill or exercise, rather than an actual fail-over for the technology components.
The world has changed in other ways than natural disasters. The intrusion of technology into all aspects of our lives and work means that a company's ability to respond to certain types of disasters is not wholly within its own hands. Its technology and online presence are dependent upon the power grid to drive both physical and virtual assets; and, as individuals, we are dependent upon the communications sector to provide sufficient bandwidth to power our multitude of smartphones and other devices.
Technology and online presence are also dependent upon strong online security so that websites are not compromised by cyber amateurs or terrorists. We know clearly that certain parts of our critical infrastructure, in particular our power grids, offer relatively easy targets to those who wish to disrupt the physical infrastructure upon which most of us have come to depend. Other parts of our infrastructure like banking and finance offer more ready targets to cyber-terrorists.
Then there's social media. Some of us deal better than others with it, and its power to do good or wrong. I've written previously on cyber bullies as well as on exceptional social media programs managed by police, fire and public utilities. In future blogs, I'll look more closely at examples of each.
In business, the foundation for practical, usable, streamlined business continuity plans is the information derived from the tool we call the Business Impact Analysis (BIA). That information identifies and ranks the most critical business processes for a company. In doing so, it acts also as a repository of the company's operational risks, as well as estimates of what the failure of the business process would cost to reputation, to revenues, and in terms of regulatory compliance. I'll stop here by suggesting that it's not until we go all the way back to review our critical business processes to ensure we have absolute breakdowns into sub-processes that we can strengthen our respective levels of resilience by re-ranking and re-architecting business processes based on the current conditions. So we're not dead yet, but we have fewer dollars to spend to close the gaps. In the meantime, fires, floods, hurricanes and the Syrian Electronic Army (SEA) continue to present unprecedented challenges.
Annie Searle is principal of Annie Searle & Associates LLC, a risk consulting firm based in Seattle that helps companies close gaps in their operational risk programs. She is the former executive in charge of business continuity, vendor and application security, technology change management, and technology regulatory and audit services at Washington Mutual Bank, where she also chaired the enterprise crisis management team. She blogs at www.advicefromariskdetective.com.