Building resiliency: Get ready for your black swan event

By: Michael Puldy

Building resiliency into a business starts with anticipating the types of threats that keep you awake at night. Many businesses are only concerned about data loss, so they make a single backup copy. More sophisticated companies worry about data loss and finding themselves unable execute the key business processes required to run their company and retain their clients.

The most sophisticated companies go beyond that. Industry pacesetters defend their businesses by expanding the sophistication of their resiliency program to include concepts like airgaps to protect against ransomware and viruses, and geographically diverse work distribution to protect processes. My IBM colleague Mike Errity posted a great blog on this topic in March.

But what about planning for an event where the potential impact is massive but the probability of it actually happening is rare? Consider the black swan scenario.

Face the impossible

A black swan scenario is extremely rare or perceived to not even exist — much like the probability of seeing a black swan itself. The problem is that this kind of event is so crazy and unrealistic, it’s difficult to rationalize that it will ever happen. If it’s unlikely to ever occur, why prepare for it?

Dirty bomb in London? Loss of the power grid on the east coast of the United States? A malicious virus shutting down SWIFT and disabling bank-to-bank financial transactions throughout the world? Yes, there’s a very low probability of these events actually happening. But are they impossible? No.

People are starting to take potential black swan events into consideration. Recently, a session at the Milken Institute Global Conference in Beverly Hills explicitly reviewed concerns about how cyber warfare could trigger repercussions of unprecedented magnitude. During Berkshire Hathaway’s annual shareholder meeting, Warren Buffet responded to a question about how he prepares for a major cyber-related disaster: “This is uncharted territory and it’s going to get worse, not better. You’re right in pointing that out as a very material risk that didn’t exist 10 to 15 years ago, and will get more intense as time goes on.”

The point is that a black swan must be faced head-on. While the conversation is becoming more prevalent both in government and in public, this isn’t enough. Privately, you should model potential impact and outline options to protect your business.

Start with a brainstorming session to discuss top threats to your business. Perhaps a smoking hole for a data center, or the Pakistan typhoid problem becoming a worldwide pandemic. Cyber events are top-of-mind for most executives, and the cost of a data breach continues to be high. Since cyber events are plausible, it’s easy to start here — but keep going. Dig deeper into event-related outages that are outrageous but not impossible.

Ask the right questions

At the macro level, focus the discussion around unavailable people, locations and computer systems, or a regional outage that might take down a combination of ingredients required for your business.

What if 50 percent of your staff is no longer available? Or what if your databases were wiped out? Looking at these questions makes it easier to think about how you might approach the problem.

What if you lose a building? Would a work-from-home strategy be effective, or would you rely on an office space work area recovery solution?

What if you lose staff? Try to calculate your business breaking point. Could you run with 20 percent of your staff absent? What about 50 percent? In many cases, companies have no idea of their breaking point.

What if you lose computer resources? IBM Cloud helps address this question, because systems can be easily created, and physical locations are often far away from a primary physical business. Don’t forget to build cloud air gaps for your data combined with automatic recovery mechanisms. Data separation and automation tools like IBM Resiliency Services Orchestrator are becoming more important than ever. In the case of a regional situation, having these tools and technologies could mean the difference between you being online and your competitor struggling to recover.

Spending a huge amount of effort worrying about these low-probability events may not seem cost-effective, but taking some time to analyze and document your biggest threats and how you would solve them is a great investment.

Let’s face it: Outages happen. IT disaster recovery and business continuity plans (BCP) are the backbone to resiliency. And when you need a stable of superheroes to respond to a Marvel comic book-sized disaster, it’s important to seize any advantage possible.

To learn more about IBM Business Resiliency, or to ask any questions regarding disaster recovery (DR) and business continuity, schedule a one-on-one consultation with an IBM Business Resiliency expert.

Related topic: Data Center Services.

In depth: business continuity topics

Understand how to plan for and react when business disruptions are happening.

Adapt and respond to risks with a business continuity plan (BCP)

How to defend against cyber attacks

Do you have your disaster recovery plan (DRP)?

Defend against ransomware attacks?

What is data breach and how to defend against one?

What is a recovery time objective (RTO) and how does it affect disaster recovery for your enterprise?

What is an RPO (recovery point objectives)?

Topics: , ,

About The Author

Michael Puldy

Director of Global Business Continuity Management for Global Technology Services, IBM

Michael is responsible for long term strategy, tactical guidance and governance for business continuity management and resiliency programs across the globe at IBM. For the majority of Michael's career, he has focused almost exclusively on business resiliency. From his personal experience in the financial industry through his services and product tenures at IBM, he has... Read more