Many organizations think they’re prepared for a disaster since they invest good money on plans and capabilities. But are they prepared to recover when faced with compound disruptive events such as COVID-19 workplace restrictions, severe weather and a declarable IT disaster? Few among us have thought about these possibilities and fewer yet have taken the time to prepare.
Take Texas, for example. While under COVID-19 restrictions, the state was pummeled with a massive winter storm that brought historic freezing temperatures, triggered rolling blackouts and left almost 4.5 million people without electricity. Now, while a deep freeze and snow in Texas might be less likely to strike than a cyberattack, equipment failure, or even a hurricane, it’s still an eventuality to factor into your plan. Especially at a time when your business is reliant on a remote workforce.
The hard truth is that most people, and thereby businesses, have trouble planning and making decisions related to unlikely scenarios. They may treat the unlikely scenario as one that will not happen, or one that the business is prepared to handle because they believe they have planned for the worst case. But when disruption strikes, they quickly realize they’re anything but prepared. It’s even worse when those unlikely scenarios compound. That’s why it’s important to use events like this as a learning experience to make sure you don’t get caught flat-footed.
Here are three lessons that businesses can learn from Texas’s winter storm experience.
1. Reassess your operational resilience
If the recent snowstorm in Texas showed us anything, it’s that you need to be prepared for the unexpected and complex. That’s why reassessing your organization’s operational resilience is of the utmost importance.
Start by reexamining your entire business continuity (BC) program top to bottom. Compare it against industry “best practices,” as well as industry “new practices” and incorporate improvements where you might fall short.
For example, during the Texas outage, both Ferguson PLC and Home Depot used digital tools that they implemented at the beginning of the COVID-19 pandemic to improve communication within their organization and with their customers.
You can create a well-rounded program by establishing a working group to look at your key resilience disciplines and make adjustments as needed.
2. Look at your vendors through a resilience lens
While you should take a hard look at your own organization’s operational resilience, it shouldn’t stop there. It’s important to take the same approach with your third-party partners.
How capable are they when it comes to withstanding disruption? What sorts of plans and capabilities do they have in place? Are the plans actionable and capabilities sufficient? Have they been successfully tested? Have they thought through compound disaster scenarios?
Make sure you also investigate the “effectiveness duration” of different disruption response strategies your vendors have in place. Can they deal with disruptions that last for 30, 60, 90 or more days?
In addition, be sure to examine your overall concentration risk. Are your suppliers geographically dispersed, or are they all located in the same area? What if you get all your critical parts from a single vendor and they experience a disruption?
By lowering your concentration risk, you give yourself options. The last thing you need is to have all your eggs in one basket during a disaster.
3. Plan for the possible and appropriately test and challenge
You need a Disaster Recovery (DR) plan in place that accounts for multiple recovery scenarios and compounding resource restrictions.
When you build your DR plan, make sure you understand what sort of downtime your business can withstand. Every organization is different, so perform a business impact analysis (BIA) to determine what is acceptable for you.
Your production environment is constantly changing, with impacts on application interdependencies and other aspects that can hamstring your recovery. If you’re not keeping track of these changes, the resulting resiliency perception gaps can leave you scrambling – or worse, unable to recover – when you experience a disaster.
Avoid this by regularly testing and challenging your DR plan and running various scenarios, both those with a higher and less likely probability of occurring. That way, you can identify any issues and fix them accordingly.
The last thing you need is to find out your DR plan doesn’t address the circumstances that have materialized and that you must respond to.
By reassessing your operational resilience, examining the resilience of your third-party vendors, and creating a well-rounded DR plan that you regularly test and challenge, you stand a much better chance of responding to and overcoming a disaster. Trust us, your customers will thank you.