Erwood’s Laws of Business Continuity and IT Disaster Recovery

Posted on by Keith Erwood
ERWOODS LAWS

 

Erwood’s Laws of Business Continuity and IT Disaster Recovery

Executive Summary: Erwood’s Laws of Business Continuity and IT Disaster Recovery

Erwood’s Laws of Business Continuity and IT Disaster Recovery, authored by Keith Erwood and inspired by Murphy’s Laws of Combat, delivers a sharp, pragmatic perspective on the realities of managing business crises. Comprising 25 laws, this framework highlights the unpredictable nature of disruptions and the indispensable need for robust preparation, rigorous testing, and grounded expectations. For executives, these laws underscore that effective crisis management is not merely a technical exercise—it’s a strategic priority that safeguards operational continuity and organizational reputation.

Key Themes

The laws distill critical insights into five actionable areas, each with profound implications for leadership:

  • Planning and Preparation
    • Core Principle: No plan fully withstands the chaos of a real crisis.
    • Takeaway: Comprehensive planning must be paired with adaptability. Regular drills and scenario exercises are vital to prepare for diverse, unexpected disruptions—not just the crises you anticipate.
  • Testing and Validation
    • Core Principle: Untested systems and backups are points of failure.
    • Takeaway: Stress testing and validation of recovery processes are essential to expose and resolve weaknesses. A system untested under pressure is a risk waiting to materialize.
  • Human Factors
    • Core Principle: People are the linchpin—and the wildcard—in crisis response.
    • Takeaway: Success hinges on ensuring key personnel are trained, available, and aligned across departments. Clarity of roles prevents critical breakdowns during high-stakes moments.
  • Budget and Resources
    • Core Principle: Underfunding preparedness inflates recovery costs.
    • Takeaway: Proactive investment in continuity and recovery capabilities is a cost-effective alternative to reactive spending post-crisis. Executives must view this as a strategic necessity, not a discretionary line item.
  • Realism and Expectations
    • Core Principle: Overconfidence and ignored risks amplify disruptions.
    • Takeaway: A vigilant mindset and realistic risk assessment are non-negotiable. Small issues, if overlooked, can cascade into enterprise-wide outages, especially under tight deadlines.

Strategic Imperative

Erwood’s Laws are more than witty observations—they are a blueprint for resilience. They compel executives to:

  • Prioritize Investment: Allocate resources to build and maintain robust continuity and recovery frameworks.
  • Embed Preparedness: Institutionalize testing and training as core business practices.
  • Ground Expectations: Plan for the inevitable, recognizing that disruptions defy predictions.
  • Drive Accountability: Learn from each crisis to refine strategies and prevent recurrence.

In an era where disruptions—from cyberattacks to natural disasters—are a question of when, not if, Erwood’s Laws offer a compelling case for proactive leadership. By embracing these principles, executives can transform crisis management from a reactive burden into a competitive advantage, ensuring their organizations endure and thrive amidst adversity.

Introduction

This is my reinterpretation of Murphy’s Laws of Combat as applied to Business Continuity and IT Disaster Recovery. While it is meant to be fun and playful, each point should also drive home the importance and seriousness of being properly prepared.

They are each based on events that have happened to businesses and no doubt will happen again. Enjoy them and use them as points to ponder against your own planning and preparedness measures as you ask yourself how you’re accounting for each of them.

Erwood’s Laws of Business Continuity and IT Disaster Recovery

 

  1. No disaster recovery plan survives first contact with an actual crisis.
    Plans look perfect on paper, but real-world disruptions introduce variables you didn’t anticipate.
  2. The backup you didn’t test is the one that fails.
    Untested backups are as good as no backups. Always assume they’ll crash when you need them most.
  3. The system you thought was redundant isn’t.
    That “failover” server or secondary site? It’s either misconfigured, outdated, or dependent on the primary system.
  4. If the business says, ‘We can’t afford downtime,’ it’s guaranteed to happen.
    The more critical the system, the more likely it’ll fail at the worst possible moment.
  5. The minor issue you ignored becomes the enterprise-wide outage.
    That “small glitch” in the network? It’s the precursor to a full-scale disaster.
  6. If it’s working perfectly, you’re not testing it hard enough.
    A system that hasn’t been stress-tested will crumble under real-world conditions.
  7. The crisis you prepared for isn’t the one you get.
    You drilled for a cyberattack, but the flood, power outage, or human error will hit instead.
  8. The vendor you rely on will be unreachable during the outage.
    Your cloud provider or IT support? They’re either on holiday or “experiencing higher-than-normal call volumes.”
  9. If you’re short on everything but problems, you’re in a crisis.
    Budget cuts, staff shortages, and outdated tech? Welcome to disaster recovery.
  10. The executive who demands instant recovery never approved the budget for it.
    They’ll expect miracles while having rejected your request for redundant systems.
  11. The failover process works—until it’s needed.
    Lab tests are great, but live failovers reveal dependencies you didn’t know existed.
  12. If the crisis seems under control, you’re not looking hard enough.
    That resolved issue? It’s masking a bigger problem waiting to surface.
  13. The employee who knows the system best is on vacation during the disaster.
    Your go-to IT guru or process owner will be unreachable when the servers go down.
  14. The more critical the deadline, the slower the recovery.
    Need to restore before the quarterly report? Expect every step to take twice as long.
  15. Friendly fixes cause outages too.
    That well-meaning sysadmin’s patch or workaround? It just took down the production environment.
  16. If you skip the post-mortem, the same disaster will strike again.
    Failing to learn from a crisis guarantees a repeat performance.
  17. The cloud is always up—except when you need it.
    “99.999% uptime” sounds great until a regional outage or misconfiguration locks you out.
  18. The more you explain the impact, the less management listens.
    Detailed risk assessments and business impact analyses get ignored until the crisis hits.
  19. If it’s stupid but it keeps the business running, it’s not stupid.
    Duct-tape solutions, manual workarounds, or legacy systems—whatever works is gold in a crisis.
  20. The ransomware demand always arrives on a Friday afternoon.
    Disasters time themselves for maximum inconvenience, like right before a long weekend.
  21. The single point of failure is the one you didn’t document.
    That critical server, process, or vendor dependency? It’s the one nobody wrote down.
  22. If you don’t drill, you don’t recover.
    Skipped tabletop exercises or DR rehearsals? Expect chaos when the real thing hits.
  23. The stakeholder who says, ‘This isn’t my job,’ is the one you need most.
    Cross-departmental crises reveal who’s essential—and who’s dodging responsibility.
  24. When in doubt, rebooting causes more problems.
    The classic IT fix often escalates the issue in a complex disaster scenario.
  25. The disaster recovery budget is always cut until the disaster happens.
    Prevention is underfunded, but recovery costs are always approved—after the fact.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>