How to Maintain Operational Continuity During Disruptions

Instead of starting with threats or systems, I start with the value stream. Why? Because business continuity isn’t really about hurricanes, power outages, or servers going down. It’s about something much simpler: preserving the flow of value through the business. Executives don’t care which database is offline. They care that customers can’t buy, contracts can’t close, or invoices can’t be sent. That’s the flow you’re protecting. Here’s how I break it down: 1️⃣ Identify the process that directly supports revenue or mission-critical outcomes. - What activity actually creates value? - For a SaaS platform, it might be the software deployment pipeline. - For a manufacturer, it might be raw materials through production to distribution. - For a hospital, it might be patient intake → treatment → billing. 2️⃣ Map each step in that process — people, systems, vendors, tools. - Who touches this? - What tech or suppliers does it rely on? - Where are the single points of failure? 3️⃣ Estimate what percentage of the company’s total revenue depends on this process. - If it fails, how much of your annual revenue would actually pause or disappear? - Is it a core process that drives 80% of revenue or a supporting function tied to 10%? 4️⃣ Estimate how much of that revenue is at risk in a realistic disruption. - Will you lose all revenue immediately? - Or just delay it? - Be conservative and credible — executives hate inflated numbers. 5️⃣ Spread that loss over operating hours to create an hourly cost of disruption. - Take the annual revenue at risk, divide it by 8,760 hours (for 24/7 ops) or by working hours for narrower processes. - Then add recovery costs (staff overtime, consultants) and reputational or compliance penalties. What you end up with isn’t perfect — but it’s credible. It turns abstract “criticality” into a number: This process costs $X per hour when it’s disrupted. Why this works: ✅ It sidesteps technical jargon — you’re talking value, not servers. ✅ It reframes continuity as a business problem, not an IT problem. ✅ It gives executives a simple, repeatable model to prioritize investments. ✅ And yes, it’s executive-friendly — because it speaks in dollars, not downtime. I’ll walk through a concrete example in my next post. But first, let me ask you — what would you add or improve in this approach? Have you seen a better way to make the financial case for continuity?

Waiting until you have an incident to understand which of your systems are critical can have serious consequences, sometimes even life or death consequences. Here is an unusual example: It was recently reported that hackers launched a ransomware attack on a Swiss farmer's computer system, disrupting the flow of vital data from a milking robot. See https://lnkd.in/eVhzu429. The farmer apparently did not want to pay a $10K ransom, and thought he didn't really need data on the amount of milk produced in the short term. In addition, the milking robot also worked without a computer or network connection. The cows could therefore continue to be milked. The farmer, however, apparently didn't account for the fact that the data at issue was particularly important for pregnant animals. As a result of the attack, the farmer was unable to recognize that one calf was dying in the womb, and in the end, this lack of data may have prevented the famer from saving the calf. While most of us will hopefully not find themselves in this exact situation, the takeaways are the same for all of us: 1. CONDUCT A BIA: Consider conducting a business impact assessment (BIA) to understand the criticality and maximum tolerable downtime (MTD) of all your systems, processes, and activities, from a business or commercial standpoint. Of course, such analysis should include the health and safety impact of downtime. 2. VENDORS: As part of the BIA, consider assessing the MTD for each vendor as well. This will help you decide which primary vendors require a secondary, as well as define the terms of your contract with the secondary vendors. More details on backup vendors can be found here: https://lnkd.in/e-eVNvQz. 3. UPDATE YOUR BC/DR PLAN: Once you have conducted a BIA, update your business continuity and disaster recovery (BC/DR) plan to ensure that that your recovery time objective (RTO) and recovery point objective (RPO) are consistent with the MTD determined through your BIA. 4. PRACTICE: Conduct regular incident response (IR) and BC/DR tabletop exercises, as well as full failover exercises, to test and improve your ability to respond to a real event. Advice on conducting successful tabletop exercises can be found here: https://lnkd.in/eKrgV9Cg. Stay safe out there!

Emergencies are unavoidable—fires, floods, shootings, cyberattacks. The only thing worse than an emergency is being unprepared for it. Just ask yesterday's "Worst Employer" nominee. A well-crafted Emergency Action Plan (EAP) keeps everyone safe and your business running. Here's 10 things to consider in creating one: 1./ Assess Your Risks Identify the emergencies most likely to hit you—whether natural disasters, workplace violence, or data breaches. Prioritize based on impact and likelihood. 2./ Get Employee Input Your employees are on the front lines and often spot risks management misses. Including their insights builds a better plan and fosters buy-in. 3./ Assign Clear Responsibilities Who calls 911? Who initiates evacuations? Everyone should know their role before an emergency strikes to avoid confusion in the heat of the moment. 4./ Map Out Evacuation Plans Chart exits, evacuation routes, and assembly points. Make sure everyone can evacuate safely, including employees with disabilities. 5./ Establish Communication Channels Use multiple methods—emails, texts, and phone trees. Keep clients, vendors, and other stakeholders informed, too. 6./ Stock Emergency Supplies First-aid kits, fire extinguishers, and flashlights are must-haves. Regularly check supplies so nothing fails in a real emergency. 7./ Plan for Business Continuity Know which processes must keep running and how to do it—whether remote work, cloud backups, or backup vendors. 8./ Stay Compliant Verify if OSHA or other laws require specific elements in your plan. Non-compliance can mean fines. 9./ Train, Drill, and Support Your Team Hold regular drills, offer training refreshers, and provide mental health support after stressful events. 10./ Debrief, Report, and Improve After every emergency or drill, debrief with your team. File necessary incident reports for OSHA or insurance. Assign someone to review and update the plan regularly. Emergencies aren't predictable, but your preparation should be. A well-thought-out EAP protects your people and helps your business bounce back as quickly and easily as possible.

"Everyone has a plan until they get punched in the mouth." — Mike Tyson In complex business management, the unexpected is inevitable. Challenges will arise when navigating a major transition, market shift, or critical carveout. While you can’t predict every issue, you can prepare for them with strategic contingency planning. Contingency planning is more than just a safety net; it’s essential for mitigating risks and ensuring resilience. The process begins with identifying critical processes—those functions that must continue regardless of circumstances. This includes operations like payroll, IT systems, and customer service. Next, assemble a planning team with diverse expertise from finance, operations, HR, and IT to ensure a comprehensive approach to risk management. Assess your business's most significant risks and develop targeted strategies to address them. This might involve creating backup systems, cross-training employees, securing alternative suppliers, or establishing clear communication protocols for crises. Once your plans are in place, you can rigorously test them through simulations and drills to identify weaknesses. Update and review your contingency plans regularly to keep them relevant. Adjust your strategies to reflect new risks or priorities. In high-stakes situations like corporate carveouts, where continuity is crucial, robust contingency plans are vital. Ensuring that critical operations are covered gives you peace of mind and prepares you to face the unexpected confidently. No plan can account for every scenario, but by focusing on what can be controlled and preparing for likely risks, you position your organization to handle surprises with agility. So, what events would cause you the most concern? How prepared is your business to navigate them? Solid contingency planning will mitigate risks and build a more resilient organization. #RiskManagement #BusinessStrategy #Leadership #ContingencyPlanning #CrisisManagement #Execution

Recent risk assessments have highlighted the escalating concerns surrounding macroeconomic and geopolitical risks, particularly in relation to shifts in policies and priorities impacting operations and market conditions. The sensitivity of businesses to geopolitical and security issues, such as tariffs, sanctions, embargoes, and trade restrictions, poses a real threat to operations. To address these risks effectively, proactive risk organizations are implementing integrated risk management practices. These practices involve continuously reassessing enterprise risks, updating exposure information, and aligning operations to develop informed contingency plans. Some of the key considerations and actions being taken include: - Supply Chain Diversification or Re-location: Exploring options to diversify supply chains or relocate operations to mitigate risks associated with geopolitical and macroeconomic uncertainties. - Negotiated Price Lock-ins, Cost-sharing, or Hedges: Engaging in negotiations to secure price lock-ins, cost-sharing agreements, or hedging strategies to manage financial exposure to fluctuating market conditions. - Inventory Buffers: Building up inventory buffers to cushion against supply chain disruptions or delays resulting from geopolitical tensions or policy changes. - Tariff Engineering, Product Reclassifications, or Exemption Filings: Strategizing tariff engineering tactics, reclassifying products, or filing for exemptions to navigate changing tariff landscapes effectively. - 'Wait and See' :): Monitoring developments closely and adopting a cautious 'wait and see' approach to assess the evolving geopolitical and macroeconomic landscape before making strategic decisions. By aligning risk management practices with operational strategies, organizations can enhance their resilience in the face of geopolitical and macroeconomic uncertainties, ensuring a more robust and adaptive business model.

“Researchers: Work from home is key to business continuity” (TechTarget) Summary As natural disasters like Hurricane Milton become more frequent, businesses are being urged to make remote work readiness a cornerstone of their continuity strategies. A study titled "Digital Resilience: How Work-from-Home Readiness Affects Firm Performance" found that companies prepared for remote operations before COVID-19 significantly outperformed those without such capabilities, especially in sales and net income. Researchers Sebastian Steffen, Wang Jin, and Erik Brynjolfsson stress that remote work infrastructure, such as cloud-based systems and secure collaboration tools, is vital for sustaining operations during crises. They recommend hybrid work models to balance flexibility and on-site needs, especially in disaster-prone areas like Florida. Further suggestions include assessing remote feasibility by role, prioritizing employee safety through flexible policies, and investing in digital tools despite upfront costs. The key takeaway: businesses with WFH readiness are more resilient in crises and better equipped to protect both employees and operations. Dr. Gleb’s Take The research makes it clear: remote work readiness isn’t just a nice-to-have — it’s a critical part of business survival. Companies that treat remote work as a contingency instead of a core strategy are setting themselves up for failure when disaster strikes. The benefits of WFH aren’t just about productivity; they’re about keeping operations running when the unexpected happens. It’s short-sighted to skimp on digital infrastructure, especially with climate risks increasing. Forward-thinking businesses should invest in remote capabilities now, rather than scrambling when a crisis hits. This isn’t just about weathering storms — it’s about building a resilient, adaptable workforce for the future.

Another Wake-Up Call for CISOs and CIOs: Supply Chain Resilience Is Not Optional. United Natural Foods, a key player in the food distribution industry, is now limping through operations following a cybersecurity incident. When your supply chain is your business, even a few hours of downtime can ripple into lost revenue, broken trust, and empty shelves across the nation. Read more:▶︎ https://lnkd.in/efbCfmWa Let’s be clear, this is not just an IT issue. This is a business continuity, incident management, and operational survival issue. The lesson here? ✅ Incident response plans must be more than paperwork . They must be tested under real conditions. ✅ Business Continuity Management (BCM) should align with operational realities, not just compliance checklists. ✅ Supply chain security needs the same rigor we apply to endpoint and cloud security. ✅ The CISO & CIO must be in lockstep, not just during the crisis, but in preparing for it. ✳️ Are your contingency plans updated for ransomware targeting ERP, logistics, and warehouse ops? ✳️ Do you know how your vendors would respond to a cascading cyber event? ✳️ Is your organization able to sustain core functions if your primary systems go offline? This is the kind of incident that should drive tabletop exercises, executive simulations, and frank discussions with your board. It’s not “if,” it’s when and when it happens, your preparation (or lack of it) will define your outcome. #CyberResilience #SupplyChainSecurity #CISO #CIO #BusinessContinuity #IncidentResponse #Leadership #OperationalRisk #Ransomware #UNFI #DarkReading #Cybersecurity