The Drawbacks of Planning for a Worst-Case Scenario

While the worst-case scenario approach is a good one to use in order to reflect on organizational needs and the impacts of a disaster, it often brings an improper sense of safety.

So, should you plan for a catastrophic event or a localized disruption? When we work with organizations on business continuity, the scenario that almost always comes up is the “smoking hole” – whether it is a complete loss of the data center or the destruction of the headquarters building. This worst-case scenario is useful for planning, but there are two questions that should be considered as we put plans and strategies together for business and technology resiliency. What is the potential impact of an event, and what is the likelihood of it happening? Will it cause a catastrophic loss (the worst-case scenario), or will it cause a localized failure that will still have a significant impact on the business? Too many organizations fall into using only worst-case scenarios, thinking that with the “smoking hole” plan in place, their business is now adequately prepared to respond to and recover from a disaster.

But, based on statistics and our experience over the past 17 years, an organization is most likely to experience a localized outage rather than a catastrophic event.  In the last several months, what issues have been in the news? Security breaches, human error, and single points of failure have caused significant business impacts. There may be some of you who were impacted by the two recent airline outages. Those were not “smoking hole” scenarios. Data breaches, both large and small, have had an impact on many of us. I have received notice of security breaches from more than one company where I am (or have been) a customer. I now have credit monitoring in place from multiple identity theft vendors, all provided by the impacted companies.

As we perform risk assessments and provide recovery strategy recommendations, resiliency is just as important to consider as recoverability. While they are not the same, they are dependent on each other, and each should be considered as you plan and implement your business continuity strategies. In fact, we are starting to hear organizations refer to BC as BR – Business Resiliency. MHA is increasingly moving toward services that ensure that our clients are building resiliency. When the business is resilient, the organization will be prepared for both the catastrophic event and a localized event.

As you consider impact vs. likelihood, think about this: Do you understand the potential impacts of localized events, are you prepared to manage those impacts, and do you have plans in place to recover? Localized events include:

• Power outage (UPS failure or generator failure)
• Network outage (line cut by your provider)
• Infrastructure outage (single points of failure in servers, storage, network)
• Building flooding (sewer backup – it happens more than you think)
• Human resource outage (critical individual with specific knowledge)
• Building access (crime scene, heating or cooling issues, maintenance issues)
• Single application outage (human error, unknown dependencies during a change)

This is not to say that a company should not prepare for catastrophic events. Though they have a low probability, they have a disastrous impact. However, planning only for the “smoking hole” will leave your organization vulnerable to more likely events that will have a significant impact on your business. Remember, Murphy’s Law will always be there, ready to rear its ugly head. Don’t get caught planning for a worst-case scenario, only to be done in by an unexpected  power outage.

By Richard Long, Senior Advisory Consultant, MHA Consulting