The naysayers of the past have all but gone away, and acceptance of climate change has become mainstream. In fact, the US Senate recently voted on it and, with a 98 to 1 vote, confirmed it for us, officially that is. Never was it more evident in the United States than when Hurricane Sandy hit the US Northeast, causing catastrophic damage and disrupting the operations of companies and government services.
On another front, not only has the volume of earthquakes around the world been growing dramatically, but we are now seeing earthquakes in areas where they were rarely seen before. Some speculate about one cause or another, but the undeniable fact is that there is a rising trend. If that were not enough to motivate organizations to start taking business continuity planning and management seriously, the past two decades have also seen a dramatic rise in terrorism and geopolitical instability. In 2014 ISIS publicly threatened attacks on US soil.
Sounding like a conspiracy theorist's website? Sorry, these are facts recorded by scientists and authorities, with no tracks back to any sinister government plot. This is simply the reality of our current state regarding the evolution of technology, the earth, and other influences in the universe. So what are organizations doing about this? Unfortunately, not enough.
When speaking with a client CIO, I was asked to help them understand what IT Disaster Recovery capabilities the organization should consider establishing to support its limited business continuity planning and capabilities.
For the purpose of conversation, I offered that there are generally five degrees of investment an IT Department could make, which include:

1. creating backups of sensitive and business critical data
2. offsite storage of the data
3. creation of a recovery plan
4. engagement of a warm or hot site
5. testing the plan
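To make the fifth degree of investment concrete, here is an added example (my own illustration, not code from the original post or from the client engagement it describes) of a minimal disaster recovery drill: it backs up a constructed sample data set with a SHA-256 manifest (step 1), replicates the archive to a second, "offsite" directory (step 2), then restores from that offsite copy alone into a clean location and verifies every file against the manifest (step 5). A written recovery plan and a warm or hot site (steps 3 and 4) are organizational commitments and are not modelled here. All file names, paths and record contents are constructed for the example; the drill runs entirely inside a temporary directory. The `corrupt_offsite_copy` option damages one byte of the offsite archive to show the point the rest of the post makes: a backup that was never restored and checked proves nothing, because the damaged archive still extracts cleanly and only the hash comparison exposes it.

```python
"""Minimal DR drill: back up, copy "offsite", restore into a clean directory,
and verify every restored file against a SHA-256 manifest taken at backup time.
All data and locations are constructed inside a temporary directory (assumption)."""
import hashlib
import json
import shutil
import tarfile
import tempfile
from pathlib import Path

# Constructed sample records standing in for "business critical" data (assumption).
SAMPLE_FILES = {
    "ledger/2014-q4.csv": "date,account,amount\n2014-10-01,ops,1200.00\n",
    "customers/index.json": '{"count": 2, "ids": ["c-001", "c-002"]}\n',
}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source: Path, backup_dir: Path) -> tuple:
    """Step 1: archive the source tree and record a per-file hash manifest."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / "backup.tar"
    manifest = backup_dir / "manifest.json"
    hashes = {}
    # Uncompressed tar: a single damaged data byte is still extractable, which is
    # exactly the silent-corruption case a restore test has to catch.
    with tarfile.open(archive, "w") as tar:
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = path.relative_to(source).as_posix()
            hashes[rel] = sha256_of(path)
            tar.add(path, arcname=rel)
    manifest.write_text(json.dumps(hashes, indent=2, sort_keys=True))
    return archive, manifest


def copy_offsite(backup_dir: Path, offsite_dir: Path) -> Path:
    """Step 2: replicate the archive and its manifest to a second location."""
    if offsite_dir.exists():
        shutil.rmtree(offsite_dir)
    shutil.copytree(backup_dir, offsite_dir)
    return offsite_dir


def restore_and_verify(offsite_dir: Path, restore_dir: Path) -> dict:
    """Step 5: restore from the offsite copy only and check every file's hash."""
    expected = json.loads((offsite_dir / "manifest.json").read_text())
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(offsite_dir / "backup.tar") as tar:
        try:
            # Python 3.12+ (and backports) accept a filter that refuses unsafe members.
            tar.extractall(restore_dir, filter="data")
        except TypeError:
            tar.extractall(restore_dir)
    mismatches = []
    for rel, digest in expected.items():
        restored = restore_dir / rel
        if not restored.is_file():
            mismatches.append(f"missing: {rel}")
        elif sha256_of(restored) != digest:
            mismatches.append(f"hash mismatch: {rel}")
    return {"files_checked": len(expected), "mismatches": mismatches,
            "passed": not mismatches}


def run_drill(corrupt_offsite_copy: bool = False) -> dict:
    """Run the full cycle in a scratch directory. With corrupt_offsite_copy=True,
    one content byte of the offsite archive is flipped to show that only the
    restore test, not the act of taking the backup, reveals a bad copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "source"
        for rel, content in SAMPLE_FILES.items():
            (source / rel).parent.mkdir(parents=True, exist_ok=True)
            (source / rel).write_text(content)
        backup_dir = root / "backup"
        create_backup(source, backup_dir)
        offsite = copy_offsite(backup_dir, root / "offsite")
        if corrupt_offsite_copy:
            archive = offsite / "backup.tar"
            data = bytearray(archive.read_bytes())
            idx = data.find(b"1200.00")  # locate the ledger amount inside the tar
            data[idx] = ord("9")         # silently alter one byte of record data
            archive.write_bytes(bytes(data))
        return restore_and_verify(offsite, root / "restore")


if __name__ == "__main__":
    print("clean drill:    ", run_drill())
    print("corrupted copy: ", run_drill(corrupt_offsite_copy=True))
```

Two design choices matter in practice: the restore is performed from the offsite copy, never from the primary backup directory, because that is the copy you would actually have after a regional event; and the manifest of hashes is written at backup time, so the drill measures what was captured, not what happens to be on disk today.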
This client then inquired as to what would motivate them to make such an investment. They offered that they were not in a highly regulated industry that mandates this degree of investment, so why should they go through all this trouble? Based on our knowledge of the client, we knew that their company was listed on the New York Stock Exchange. As a publicly traded company, the CEO was obligated to sign an annual agreement in which he attested to adhering to the standard of due care to ensure the interests of the exchange's shareholders were protected. When discussing this general point, he asked us to help them understand the degree to which they would arrive at the notional 80 / 20 rule, or, put in other terms, when they would have limited their liability to an acceptable level. Now, as you can imagine, this company did not yet have a risk management program in place, nor had they taken any steps to articulate their threshold or acceptable risk tolerance level. So we solicited the guidance of the client's own legal department to help us respond. The end opinion of their Chief General Counsel was that no liability was reduced until all five steps referenced above were in place, and that nothing short of number five could pass the reasonable person test in law.