This last statement about probability is very true. I conducted a probability study for a large telecommunications firm approximately eight years ago. They had more than 50 facilities around the country, some on faults and in tornado allies. We did an exhaustive study of factors, risks and threats. We determined that the probability of a catastrophic disruption occurring at one of their central office switching centers was less than 1 percent. This only served to reinforce their ambivalence.
Since I conducted that study, hundreds of companies have been impacted by disasters that have caused them to recover at commercial recovery providers. Many more have been forced to declare bankruptcy because of major catastrophic outages. This is not isolated to small companies! Just ask the plant managers at the General Motors plant in Oklahoma City that suffered what plant managers called “substantial damage from the devastating tornado” – a May 2003 tornado leveled a significant portion of the plant that produces SUVs.
The bottom line is that we must clearly explain at least three things to our executives: the risk exposures at our companies, the options that are available to mitigate those risks, and a simple plan to implement the appropriate controls and disciplines.
While this sounds appropriate, I’ve witnessed way too many situations in which a disaster recovery coordinator or the data center managers that they report to present grandiose plans for implementing disaster recovery programs. These presentations typically result in an executive or group of them explaining a decrease in IT spending, poor representation of the return-on-investment in the initiative, and a general lack of creativity in designing the strategies and programs for success. Ultimately those executives turn down the request for improving the company risk coverage.
While this scenario is all too true, I have worked with companies that have been very successful in their ability to evangelize the need for higher level of assurance. There are some common characteristics among those companies where I’ve seen a BC professional be successful in building their case:
- Keep it short: executives want business cases in four-page presentations or 1,000 words.
- Make it simple: don’t try to educate people on terminology and technical solutions.
- Relate it to the business: describe it in business terms that the executives understand.
- Don’t recommend analysis: they don’t want paralysis; they want action and quick results.
- Evolve: explain how a program will evolve after initial results are achieved and validated.
Another thing that contributes to this anemia is corporate culture. There is a “don’t rock the boat” culture in many companies that has only been magnified with the poorly performing economy and the resulting layoffs. Most of our companies have been less than diligent in ensuring that their one or two most important business processes can continue if there is an outage or disruption.
This “business continuity capability” includes making employees aware of their responsibilities in a crisis, creating a recovery strategy for supporting technology applications, and identifying space for people to work if the facilities are unavailable.
Very few people are willing to point out these inadequacies in our companies past practices. That is especially true if it reflects badly on someone we work with. This social pressure tends to drain our convictions to business continuity principles.
In order for us to get over this apologetic anemia we must combine the thoughts that have been espoused in this article. We must take a pragmatic look at our companies and determine what business processes, not applications or technologies, are critical to customer satisfaction and revenue generation. Only focus on one or two so that we can make it addressable and manageable to build our business case. Attempt to put in business terms what would happen to the business if a weak link in that process were to be broken. What would the financial and long-term impacts be to the company? Then look at a few reasonable solutions to reduce, maybe not eliminate, the risks. Finally, you must clearly show the return-on-investment and results of that effort. If this is accomplished and done clearly, simply and briefly you will get and keep the ear of your management team.
By doing these things we will educate executives about how business continuity fits in the big picture of corporate governance and risk management. Our senior executives will then and only then be able to say they are comfortable with their ability to restore and recovery business processes in the event of a major disruption or outage. Ultimately isn’t that what we and the customers of a company are asking for – executives’ confidence in recoverability?
Damian Walch is the business resilience, national practice executive for IBM. He is a 13-year veteran of the business continuity industry. Walch is also a member of the Disaster Recovery Journal EAB.