For want of a nail the shoe was lost.
For want of a shoe the horse was lost.
For want of a horse the rider was lost.
For want of a rider the message was lost.
For want of a message the battle was lost.
For want of a battle the kingdom was lost.
And all for the want of a horseshoe nail.
—Nursery rhyme variation ca. 14th Century
A horse, a horse! My kingdom for a horse!
—King Richard III (per William Shakespeare)
My grandchildren delight in perpetrating and experiencing the unexpected, especially around Halloween with sneaking-up-from-behind cries of “Boo!” and displays of gruesome masks. Adults struggle with unplanned disruptions like mechanical failures, health issues, and ransomware attacks. The standard organizational approaches for controlling such uncertainties—for managing risk—are avoidance, mitigation, transfer, and acceptance. Another approach practiced all too often, unfortunately, is denial. Basing business survival expectations on that hopeful approach is ill-advised. In a 1977 speech, basketball coach John Wooden observed that “when you fail to prepare, you’re preparing to fail.” (A word to the wise from someone who won 620 games in 27 seasons and 10 NCAA titles.) The steps of NIST’s Risk Management Framework (RMF, NIST SP 800-37) outline a reasonable approach for managing business risk:
- Prepare
- Categorize
- Select
- Implement
- Assess
- Authorize
- Monitor
The first three comprise the planning phase.
Preparing for Adversity
Walking through “what if” scenarios is a best practice to avoid suffering through “if only” regrets. A business continuity plan builds on top of probable risk scenarios by evaluating both the likelihood of a given threat and that threat’s business impact. It is more than a computer incident response plan. IT system uptime may be less material to business survival than a robust supply chain! Many variations on “the want of a horseshoe nail” exist today.
One example from my restaurateur nephew is the Banh Pho noodle shortage.[i] Covid-related factory production levels and Vietnamese export restrictions have contributed to a 100% (or more) increase in the cost of a key ingredient for soup.[ii] Another example from the automotive and agricultural machinery sectors is the global chip shortage. GM’s net income dropped 40% in 3Q2021 due to the shortage.[iii] Even consumer-grade agricultural machinery (think lawnmower) products are affected. One friend was nonplussed to realize that the electric lawnmower she’d bought online was delivered as promised, but without a battery, due to the chip shortage. (I guess the on-time delivery KPI neglected to specify that the product should be usable for something other than a whimsical garden sculpture.)
Categorizing (i.e., Triaging) Pain
Building a holistic business continuity plan is essential. The first tactical step for managing risk is to understand the organization’s risks, vulnerabilities, exposures, and resources. According to NIST SP 800-34r1[iv], a business continuity plan (BCP) “focuses on sustaining an organization’s mission/business processes,” whereas a continuity of operations plan (COOP) focuses on “restoring an organization’s mission essential functions (MEF)” but at an alternate, temporary site. The rub here is in categorizing organizational resources with respect to their criticality, sensitivity (for company- or client-proprietary information), and their recoverability:
- Can the business survive without the asset—and for how long?
- Can the business survive without the asset operating at full (or customary) capacity?
- Can the business survive liabilities associated with loss or degradation of the asset?
The categorizing step also sets the recovery time objective (RTO), how long an essential function can be unavailable before the impact becomes unacceptable, and the recovery point objective (RPO), how much work or data, measured as a window of time before the disruption, the business can afford to lose and redo. As we have learned during the Covid months, the recovered state—the new normal—might look different from what was previously considered normal. Once the respective business impact (criticality, sensitivity, and recoverability) of organizational resources is evaluated, it is time to evaluate the likelihood of their failure and build out a risk matrix (likelihood against impact), as described in NISTIR 7621.[v]
Those areas in the red (high) zone definitely merit further exploration, as may those in the amber (medium-high) zone.
Selecting Relevant Scenarios
The US Army plans essential functions, communications in particular, against a PACE profile: primary, alternate, contingency, and emergency means of getting the job done, each to be used when the one before it fails. By building out and thinking through various scenarios, organizational teams can share insights about how to manage disruptions and thus determine which risk controls and damage mitigation strategies to include in the plan. Scenarios should be multidimensional and include failures that affect multiple resources and assets (i.e., cascading failures) so that worst-case scenarios are explored holistically. Role-playing is a useful tool during this step so that organizational team members from different departments gain an understanding of how a situation would likely be perceived and experienced by their colleagues. Miles’ Law is applicable here: “Where you stand depends on where you sit.”[vi]
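As an added example, not part of the original article, the following Python script makes the PACE and cascading-failure ideas above mechanical. It models a constructed asset dependency graph, a few constructed mission essential functions (MEFs) each with an ordered PACE list of asset sets that can deliver it, and a scenario as the set of assets that fail at once. Failure is propagated transitively through the graph, each MEF falls back to the first PACE option whose assets are all still up, and single-asset scenarios are ranked to find the “horseshoe nails.” Every asset and function name is made up for illustration.

```python
"""Cascading-failure and PACE walk-through for a business impact analysis.

Added example: the asset inventory, dependency edges, and MEF definitions
below are constructed for illustration and are not from any real plan.
"""
from collections import deque

# Constructed sample inventory: asset -> assets it cannot operate without.
# Dependencies are AND relationships; the OR (fallback) lives in PACE options.
DEPENDENCIES = {
    "power": [],
    "core-switch": ["power"],
    "internet": ["core-switch"],
    "erp-db": ["core-switch"],
    "erp-app": ["erp-db"],
    "bank-portal": ["internet"],
    "cloud-backup": ["internet"],
    "shipping-dock": ["power"],
    "paper-ledger": [],
    "warehouse-staff": [],
    "drop-ship-supplier": [],
}

# Constructed MEFs with ordered PACE options (fewer than four is allowed).
PACE = ("primary", "alternate", "contingency", "emergency")
MEFS = {
    "take-orders": [{"erp-app"}, {"internet"},
                    {"paper-ledger", "warehouse-staff"}, {"paper-ledger"}],
    "ship-orders": [{"shipping-dock", "warehouse-staff", "erp-app"},
                    {"shipping-dock", "warehouse-staff", "paper-ledger"},
                    {"drop-ship-supplier"}],
    # Deliberately thin: every option needs the bank portal.
    "payroll": [{"erp-app", "bank-portal"}, {"paper-ledger", "bank-portal"}],
}


def dependents(deps):
    """Reverse the dependency map: asset -> assets that depend on it."""
    rev = {asset: [] for asset in deps}
    for asset, needs in deps.items():
        for need in needs:
            rev[need].append(asset)
    return rev


def propagate(failed, deps=DEPENDENCIES):
    """Transitive closure: everything that is down once `failed` is down."""
    rev = dependents(deps)
    down = set(failed)
    queue = deque(failed)
    while queue:
        for dep in rev.get(queue.popleft(), []):
            if dep not in down:
                down.add(dep)
                queue.append(dep)
    return down


def evaluate(scenario, deps=DEPENDENCIES, mefs=MEFS):
    """Map each MEF to the PACE level that still works, or None if all are lost."""
    down = propagate(scenario, deps)
    return {
        mef: next((PACE[i] for i, need in enumerate(options) if not need & down), None)
        for mef, options in mefs.items()
    }


def horseshoe_nails(deps=DEPENDENCIES, mefs=MEFS):
    """Rank single-asset failures: MEFs lost outright first, then MEFs degraded."""
    rows = []
    for asset in deps:
        status = evaluate({asset}, deps, mefs)
        lost = sorted(m for m, level in status.items() if level is None)
        degraded = sorted(m for m, level in status.items()
                          if level not in (None, "primary"))
        rows.append((asset, lost, degraded))
    rows.sort(key=lambda r: (-len(r[1]), -len(r[2]), r[0]))
    return rows


if __name__ == "__main__":
    scenarios = {"site power loss": {"power"},
                 "flu outbreak plus office flood": {"warehouse-staff", "paper-ledger"}}
    for name, scenario in scenarios.items():
        print(f"{name}: {evaluate(scenario)}")
    for asset, lost, degraded in horseshoe_nails():
        if lost or degraded:
            print(f"{asset:20} lost={lost} degraded={degraded}")
```

Running it shows the nursery rhyme in miniature: losing only the core switch leaves order taking and shipping on fallback options but takes payroll out entirely, because every payroll option runs through the bank portal, which runs through the internet, which runs through the switch. That is exactly the kind of single point of failure the PACE exercise is meant to surface before the scenario is real.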
Planning for Business Continuity
During the 2021 Economic Development Council of Colorado (EDCC) conference, breakout sessions focused on the challenges entrepreneurs are facing throughout Colorado. Common areas of concern were workforce (skill gaps and affordable-housing needs in addition to Covid-related shortages), supply chain disruptions, and broadband availability and affordability. Another relevant topic was customer portfolio diversity. Dependence on a single customer, or even on a set of customers within a single industry, signals excellence in that industry but also fragility, should that industry suffer a downturn. In part for that reason, a diversified customer portfolio that includes, for example, both commercial and government sectors should be more resilient and able to thrive regardless of which product line is up or down.
Preparing the Plan
The business continuity plan does not have to be complicated, but it should be complete and highlight the most likely adverse event(s). The overall outline (based on NIST SP 800-34r1) is straightforward:
- Policy, purpose, and scope
- Goals and objectives
- Business impact analysis (BIA) results
- Key roles and responsibilities
- Risk mitigation plans
  - IT (e.g., offsite equipment, data, and storage requirements)
  - Front office (i.e., customer facing)
  - Back office (i.e., administration and support)
  - Production, inventory, shipping
  - Personnel (including key person backup)
- Business recovery and continuity strategies
  - Alternate operating strategies
  - Supplier/vendor readiness
- Plan activation and universal response
- Communication and notification plan
  - Other stakeholders
- Training, drills, and exercises
- Plan maintenance
Preparation as Prelude to Success
President Dwight D. Eisenhower is credited with observing in 1950 that “Plans are useless, but planning is essential.” In effect, he cautioned that the plan itself was neither an exhaustive definition of possible disruptive, disappointing events nor a talisman against them. Rather, engaging in the planning process itself is a way of creating a heightened sense of organizational situational awareness—of preparing both for failure and for success. “Here’s a rule of life: You don’t get to pick what bad things happen to you.”[vii] Prepare, plan, perform for resiliency.
And that nail—or horse—when you need it.
[iii] “GM net income drops 40% in Q3 from chip shortage,” Automotive News (27 October 2021). https://www.autonews.com/automakers-suppliers/gm-q3-earnings-drop-40-24-billion-amid-global-chip-shortage