Philosophical phriday - anticipation vs. prediction
Both objectives are asymptotic: the effort and investment required to progress increase exponentially as we get ever closer to those two goals, ultimately putting them both beyond our means given finite resources (oh and one or two other things to pour our money into!). In other words, despite our best intentions, we know we are doomed to fail at some point.
That's not merely a pessimistic outlook: I'm an optimist by nature. In this case, I'm being a rational realist, and a pragmatist. By all means aim and strive for the best, but don't bet the farm on it. Just as any sensible person doesn't pour their life savings into roulette (since, ultimately, the casino always wins), managers should be planning and preparing for the occurrence of serious incidents or disasters, despite their not-inconsiderable investment in incident avoidance, prevention and detection.
We are all subject to the natural law of "stuff happens".
Here's a laborious illustration in the Business Continuity domain ...
Classical scenario-based IT Disaster Recovery approaches and playbooks document the processes for restoring information services that have failed under the circumstances imagined in each scenario. IT DR exercises typically revolve around the scenarios, with limited variations or scope for creativity. It is important to demonstrate, for instance, that following, say, hardware failures, the Finance or HR systems can be successfully restored from backups onto fresh servers or clouds, recovering networked services to users within sensible timeframes with limited data loss.
Cool. With cunning and proven IT DR arrangements in place for all the essential IT systems, networks and services, that's it, job done, right?
Errrr, no, not so quick.
Proven IT DR is fine (hopefully!) if those particular circumstances occur more-or-less as predicted. However, IT DR is not designed to handle all possible situations since that would be literally impossible. Aside from variations in the incidents covered, there may be coincident incidents, practical constraints, technical failures and so forth. A pre-planned IT DR exercise conducted at a convenient point in time can only ever approximate the realities of a critical incident or disaster that happens whenever it happens, probably without warning.
Since even 'proven' IT DR processes cannot be totally guaranteed and entirely, completely, absolutely relied-upon in practice, sensible DR strategies allow plenty of leeway in both the scenarios and the responses, hinting at a contingency approach: decisions, actions and resources required are, to some extent, contingent (dependent) on the precise nature and sequence of the unfolding situation. Contingency approaches give us options and degrees of freedom lacking in more specific plans.
This tips us gently into the area of resilience, focusing on maintaining core business processes, services, systems and networks albeit perhaps with reduced capacity and performance. We prepare little stockpiles of general-purpose resources and build strong yet flexible capabilities that are likely to be of value under multiple circumstances - including, by the way, when things are going well.
In parallel, let's assume the corporate culture is transformed to boost workers' true grit through some magical combination of management edicts, training, awareness and recruitment policies. Go on, assume away. [Hinson tip: this is neither a quick nor a certain fix.]
BC exercises typically include but extend beyond IT DR testing, covering more significant and wide-ranging scenarios, involving additional people, departments and maybe organisations under hypothetical but generally realistic situations that explore the boundaries of the plans and preparations.
Coupled with the organisation's determination to get through, whatever, we are clearly progressing on our maturity journey, aren't we? So please tell me it's knocking-off time now ... ?
Hmmm, sorry, no. Although we've made demonstrable and valuable progress at this point, a number of uncertainties (== risks!) remain. Here are just two:
- Our cunning IT DR plans allegedly/supposedly address "all the essential IT systems, networks and services". Even if that's true (which is difficult to ascertain, and hinges on the precise interpretation of 'essential': essential in what respect, to what degree, to whom and for what purpose?), the business doesn't stand still. What was absolutely crucial last decade/year/month/day is not necessarily so today. Even in a mature, stable organisation, things change.
- How can you be sure those myriad disaster scenarios you have so diligently foreseen and addressed will play out as described, and that nothing else could possibly go wrong? You've catered for all permutations and combinations? Wow, that's an amazing confidence, an impressive claim - even within the artificial confines of a carefully-constructed theoretical model!
So, if we can't predict but can only anticipate an uncertain future, what does that mean?
It means accepting that we might be wrong, things may not play out as and when anticipated and other things may happen - so we will have to face up to and deal with the situations that unfold.
It also means doing what we can to improve our ability to deal with unanticipated situations - identifying them, gathering information, evaluating it, deciding what to do, doing it, confirming that the response is working out, and so on. Rapid identification of serious incidents, rapid escalation through the management structure, rapid assessment and initiation of the response - these are all aspects that we can address and systematically improve, using a combination of everyday incidents and exercises with a strategic focus and suitable resources.