Earlier this week, the British Chancellor, George Osborne announced his spending review of government spending in 2015-16.
He had hoped to further reduce the deficit by the economy growing and collecting more taxes but instead has announced a further £11.5bn cut in government spending. Political commentators have been saying the Chancellor didn’t think, when he took office that three years later he would still be trying to reduce the budget deficit. I don’t think he anticipated the possibility of the downturn being this bad, and that he’d have to change his plans.
One of the things I have observed during business continuity exercises is that those responding always think the best and rarely anticipate what could go wrong. One of my favourite exercise scenarios is the discovery of a world war two bomb close to the organisation being exercised in. The scenario gives a denial of access to their building for up to a week, plus the risk of the bomb exploding and destroying the building.
On over 50% of the exercises I have run, I have had to prompt the organisation to consider the risk of the bomb going off and destroying the building. I think in the end, most of us are naturally optimists and by nature we think things are going to be ok. I think for business continuity people this can be dangerous.
I think as part of our incident response we need to always be thinking through our plans, what are the risks associated with us recovering? Also, what else could go wrong? This brings us on to Eeyore.
Eeyore is the donkey in the Winnie the Pooh stories who has been characterised as being pessimistic, gloomy, and depressed. In your incident response plan you should designate one of the members of your incident team to play Eeyore. Their role throughout the incident is to look at the risk’s to the recovery and also what else could possibly go wrong. Only once you start to understand what could go wrong or “what do you not want to happen” can we truly attempt to anticipate.
To ensure we identify the risks, which could derail our recovery we should including the following within our business continuity plans.
1. Assign someone the Eeyore role and make sure at all times they identify risks and challenge solutions.
2. Include within incident team agenda an item to look at risks to the recovery and identify mitigation measures to prevent them from occurring.
3. Keep a risk register for the incident you are responding to and make sure it is updated.
4. Be aware in advance of the risks, which could affect your organisation in order to ensure that a second risk does not materialise, while you are responding to the first one.
5. Be aware of your risk assumptions. Most incidents have a number of warning events, which precede them, and often they are ignored and only recognised in the investigation following an incident. This is usually because there is “group think” and usually a management or systemic failure to recognise them. If you properly understand your operations and the risks associated with them, you should be able to identify the warning events before a major incident takes place.
In business continuity we must always be pessimists as we know we are always one step away from a disaster, but we must manage our business continuity with the enthusiasm of Tigger!