Business Continuity Planning: lessons your business can learn from the Titanic
You may be thinking, “I am not sure what the Titanic has to do with my business?” However, the Titanic’s hubristic cum tragic story is a good illustration of why every organization needs a robust Business Continuity Plan (BCP). White Star Line, the ill-fated ship’s owner, was, like many organizations today, so singularly focused on perfecting and promoting its self-described “unsinkable” ship in pursuit of a greater return on its investment that it failed to fully consider all of the possible risk scenarios necessary to protect that investment—and the people involved.
Obviously, icebergs were a known risk for a journey across the North Atlantic. But, when the Titanic set sail, it was widely thought to be “unsinkable” because its owners believed they had installed adequate safety features capable of tackling those known risks. Their costly miscalculation and lack of planning for other possible scenarios ultimately led to the catastrophic events that followed.
It is unlikely that your organization will ever need to worry about icebergs, but there are plenty of other situations that could derail your own “unsinkable” business, leading to business disruptions. Or worse. Rather than let ego lead you to believe that all will be well, it’s far smarter to consider potential risks and put a plan in place that addresses potential threats.
Every business should have a Disaster Recovery (DR) or Business Continuance Plan (BCP) in place that considers risks related to economic, environmental, geopolitical, societal, and technological threats. While all are important, technology has to be prioritized within the plan, as without this vital infrastructure most organizations are totally incapacitated.
At this point, you might be asking, “how can I possibly formulate a comprehensive plan when I don’t know what my disaster might be?” It’s true, your disaster could be a tornado or earthquake that destroys your buildings, a flood that knocks out your power and perhaps destroys some of your equipment, military-related actions within a country, hackers looking for ransom, or an employee who inadvertently deletes your data. Looking carefully, all of these have one thing in common: the ability to degrade or destroy your capabilities to operate.
Knowing this, you should start with a high-level assessment of what vital assets and operations need to be protected and then build out scenarios from there. Learning from our Titanic example, make sure to not just check the safety box and assume that all will be good. Make sure to have contingency plans for multiple points of failure.
Are you regularly and routinely backing up your company’s data? Moreover, are you able to quickly and efficiently restore that data? Are you testing this system on a regular basis?
Even if your technology department is regularly backing up data and conducting restores to a preset schedule, you should still question whether the remainder of your company is prepared to address an unforeseen situation.
Consider a possible scenario where electrical power for operations and access to the internet are in jeopardy. Of course, this is a primary concern on the technology front. To mitigate the power grid risks, some of the actions you can take include securing backup batteries, power packs, and generators for laptops and computers.
Depending on the makeup of your workforce, internet access could be eased if employees are dispersed (working from their homes). Should this be the case, it is not likely that all Internet Service Providers (ISPs) would be knocked offline. However, it is impossible to know which ISPs will be unaffected. Therefore, all cell phones, whether company or employee-owned, should be enabled as hot spots to ensure continued internet accessibility for all employees.
Other BCP considerations involve Human Resources (HR) and their ability to relocate employees, should that be necessary. Workspaces in other facilities must be available should a business need alternate locations. HR may need to assist in relocating employees to a neighboring community or even country, in the case of military or political unrest. If employees must relocate, then preparation and assistance with transportation and housing must also be considered.
As was pointed out at the beginning of this article, there is no way to predict what risk will occur should your company come under attack. The lesson here is to review your BCP and ensure that you have defined the processes that you will undertake in enough detail to allow for a quick response to any event. This may require that you simulate various possible catastrophes that may befall your company.
It also is imperative not to develop a BCP and set it on a shelf somewhere to collect dust. This is meant to be an iterative process and success depends on the establishment of a consistent routine to plan, test, and revise your BCP.
Lastly, take a deep breath and realize that planning for crises and even more mundane but unexpected incidents has always been and always will be a part of running an organization. Having these discussions early on, making robust contingency plans, and elevating business continuity planning as a priority concern are all just good business practice and set your organization up for success going forward.
Written by Dean Lane, Senior Vice President for Cyber Intelligence at The Institute of World Politics. Mr. Lane brings a wealth of knowledge to his role at IWP. He has founded his own company, taught courses at universities in California, was the Chief Information Officer for multiple companies, worked for a Big Four consulting firm, and spent his time in the military with the Special Forces. Mr. Lane has a Bachelor of Arts from UCLA and a Master’s degree in Business Administration from National University. He is the author of three #1 best-selling books related to information technology.