After the Microsoft Outage: The Lingering Impact and Global Outlook on Business Continuity Planning (BCP)

Mitratech Holdings, Inc

In the aftermath of what could be one of the most widespread global information technology outages in history, organizations are putting a renewed focus on combating old vulnerabilities that can have cascading effects.

It’s not the only IT outage capturing headlines, but it could be the biggest in recent history – and it all started when a routine software update caused a system update designed to protect users from cyber vulnerabilities to fail.

Microsoft Windows users found themselves unable to access various applications and services just last week, leading to significant disruptions in business processes across every industry, from airport terminals and shopping centers to banks across the world. Even the London Stock Exchange and New Hampshire Department of Safety reported some service disruptions.

A new software update will likely fix the outage for most PC users; some will receive it automatically and some will need to apply it manually. But for all, the Microsoft outage serves as a stark wake-up call about the need for more robust business continuity strategies and third-party risk management (TPRM) tactics.

The Lingering Global Impact of the Microsoft Outage

The scale and scope of the outage’s impact were sweeping, including but not limited to:

  • 911 line disruptions
  • Broadcasting interruptions
  • Grounded flights

The cascading effect of a single software update has further highlighted the interconnected and third-party risk factors we’ve seen growing in complexity. Or, as Ciaran Martin, the former chief executive of Britain’s National Cyber Security Center and a professor at the Blavatnik School of Government at Oxford University, put it in a New York Times article, “This is a very, very uncomfortable illustration of the fragility of the world’s core internet infrastructure.”

And when it’s not just external cyberattacks you’re navigating, but an internal code disruption, it can be hard to know where to look first. The calls are coming from inside and around the house – but it’s no time to hang up or hide in a corner. Instead, it’s time to get a better grasp of your third-party risk management, operational dependencies, remediation strategies, and business continuity plan.

Reminders and Lessons Learned in Business Continuity Planning (BCP)

The goal of your business continuity plan is always to minimize the impact on operations, employees, and customers during and after a disaster or significant disruption. It should take into consideration and be prepared to address:

  1. System Downtime: Do you have a plan in place if a loss of access to apps and services disrupts daily operations, leading to delays, reduced productivity, and potential losses?
  2. Reputational Damage: Can you communicate transparently and effectively during such incidents to maintain trust with customers and stakeholders?
  3. Regulatory Compliance: Can you demonstrate due diligence and preparedness to regulators?

Key Elements of BCP: Start Your Planning Here

Your Business Continuity Plan should have three foundational elements:

  1. Risk Assessment and Business Impact Analysis (BIA): The Microsoft outage illustrates the importance of understanding the dependencies on IT systems and the potential fallout from their failure. Identifying potential risks and their cascading impact on your business operations is crucial.
  2. Recovery Strategies: Developing plans to restore business functions as quickly as possible includes having backup systems, alternative work arrangements, and clear communication plans.
  3. Plan Development and Testing: Creating a detailed response plan is step one. You then need to test it regularly to ensure its ongoing effectiveness.

And Don’t Forget About Your Third-Party Risk Management (TPRM)!

As businesses increasingly rely on external providers for critical services, identifying, assessing, and controlling risks associated with this outsourcing becomes more nuanced. Stay one step ahead of your third-party risk management with:

  1. Vendor Risk Assessment and Due Diligence: Evaluate the potential risks posed by third-party vendors and understand the risk profiles of all vendors involved in your supply chain.
  2. Contractual Safeguards: Ensure that contracts with vendors include provisions for business continuity and disaster recovery. This includes service level agreements (SLAs) that specify response times and remediation processes in case of an outage.
  3. Continuous Monitoring: Regularly monitor the performance and security practices of third-party vendors. Continuous assessment helps in identifying and mitigating risks before they materialize into significant issues.
  4. Contingency Planning: Despite thorough risk assessments and preventive measures, unforeseen events such as natural disasters or infrastructure failures can disrupt third-party operations and pose significant risks to organizations. Risk professionals must develop contingency plans and business continuity strategies to mitigate the impact of such disruptions. Contingency planning involves identifying alternative vendors, establishing redundant systems, and implementing recovery procedures to ensure continuity of operations in the event of a crisis.
  5. Liquidity Planning: As with your contingency plan of action, strategically allocate funds so that you don’t face financial constraints while production is impacted. One way to do this would be to quantify these risks and simulate value-at-risk (which shouldn’t exceed your risk-bearing capacity).
  6. Stakeholder Communication: Effective communication fosters transparency and collaboration in third-party risk management efforts. Risk professionals should maintain open communication channels with internal stakeholders, third-party vendors, regulatory authorities, and other relevant parties. Transparent communication facilitates the exchange of information, promotes risk awareness, and enables prompt response to emerging threats or concerns.

What We’ve Learned:

Ensuring that your Business Continuity Planning and Third-Party Risk Management frameworks are robust and up-to-date can significantly mitigate operational risks and help your teams navigate through disruptions effectively. As technology continues to evolve, so too must the strategies to safeguard business operations against unforeseen events.

The key takeaway is clear: proactive planning and vigilant risk management are essential to maintaining business resilience in an interconnected world.
