How to Secure Management Support for Business Continuity / Disaster Recovery
Guest Blogger: Mark Norton – Director of Business Continuity, Agility Recovery
A challenge we frequently hear about regarding business continuity planning is the lack of management support. I believe it’s a common misunderstood dilemma that can be avoided with a bit of illogical reasoning.
We live in a world where people fear flying over driving, are troubled with scenes of terrorism and believe the greatest threat when vacationing at the beach is being attacked by a shark. However, a rational look at data suggests that it’s over seventy times riskier to drive a vehicle than to ride in an airplane; that more Americans have died from food allergies over the past 50 years than have been killed by international terrorism; and that getting a sunburn at the beach is far more dangerous than entering the water where a shark may be swimming nearby.
Yet, how many of us feel more comfortable behind the wheel of a car versus in the seat of an airplane? How many will ask for the ingredients of our food at our next meal before we start eating or spend more time stocking up on sunscreen vs. watching Shark Week before the next beach trip?
The answer goes hand-in-hand with how business leaders may approach business continuity.
If we were to rationally calculate risk, we’d use this formula: risk = probability x consequence. However, humans have adopted a slightly modified and irrational formula to calculate risk: risk = probability x consequence x dread/optimism. Depending on whether or not you’re an optimist or pessimist, your risk calculation will err by being irrationally cautious or aggressive.
This irrational calculation of risk is why you should speak with your management team about risk, and the best way to manage it. While I wouldn’t suggest calling your leadership team irrational, it’s important to recognize the obvious…they’re human, and as human beings, we tend to incorrectly manage our risk.
Understand Your Risk Tolerance
Generally, making assumptions is a dangerous business, but if you assume your management team cares greatly about the survival of your organization, then you can also conclude they care strongly about business continuity and disaster recovery. Adopting this precarious element of reasoning allows you to shift your focus, time, and energy from proving the necessity of business continuity to providing facts about risk that allow them to make the best, rational decision about your recovery strategies.
As with the rest of us, your management team likely has a bias towards being risk-adverse, thus defining your organization’s risk tolerance. Some organizations are going to be more risk-averse and others more tolerant. Some organizations cannot legally accept the risks, while others may plan to thrive off good fortune.
The Reality of Risk
After properly accessing your organization’s risk tolerance, you need to provide a case study that endorses a sound business continuity and/or disaster recovery strategy based on rational, objective facts about risk to your organization.
The truth about disasters is that without a plan or executable strategy, your organization’s existence is threatened. Although you can provide stats of historical natural disasters in your area, the biggest fact to share with management is that isolated, man-made disasters are completely unpredictable and can be Anything happening to Anyone, at Any time, Anywhere in the world (4 As of Disasters). Without the ability to recover all of your critical functions quickly and effectively, you could suffer a devastating, long-term consequence. Occasionally it could be so severe that it takes you out of business.
Test Your Current Plan
For those who truly want to understand their ability to continue their business no matter what, a simple tabletop or mock exercise will reveal a lot about your organization's readiness. Regardless of whether or not you were successful in establishing sufficient business continuity and/or disaster recovery strategies to protect your organization, a test of your strategy will confidently convey your organization’s level of preparedness.
Agility has an Active Shooter Tabletop Exercise available for download. This tabletop will guide you and your team through an active shooter scenario so you would know how to react if one were to occur in reality. The best way to make sure you're prepared for a real-life scenario is to put your plans to the test.
Finding the right recovery strategy is paramount to your organization’s survival, and it may be up to you to start this conversation. Your greatest challenge likely will be to resist viewing management’s caution or initial resistance to business continuity/disaster recovery as apathy. Instead, accurately identify it as your management team’s risk appetite and start proposing solutions that fall within their tolerance. Through practicing (testing) your recovery strategy over time, you will be able to gain more and more rational, sound approaches to ensuring your organization’s survival.
Ripley, A. (2008). The Unthinkable: Who Survives When Disaster Strikes – And Why. New York: Three Rivers Press.