
In 2024, a faulty software update from a widely trusted cybersecurity provider disrupted an estimated 8.5 million Windows systems globally, grounding airlines, interrupting hospital operations, and freezing financial transactions. For many organizations, the response was immediate and chaotic. For others, it was controlled and measured. According to Patrick Cowan, a BC/DR Consultant, the difference was preparation, rather than luck.
"Companies that had already mapped vendor failure scenarios, tested updates in controlled environments, and built rollback plans were back online quickly," Cowan explains. "The ones that relied on assumptions were still trying to understand what happened."
That contrast reflects a broader pattern he has observed throughout his career in business continuity, disaster recovery, and crisis/incident management. According to him, disruptions themselves are rarely the problem. The issue lies in how organizations think about risk.
Cowan's perspective is grounded in decades of experience that began unusually early. He describes learning operational resilience as a child, studying ship systems and damage control through his father's work in the US Navy. That foundation later shaped his work managing large-scale disaster recovery efforts and building continuity programs for complex organizations.
Across those environments, he has seen the same mistake repeated. Businesses tend to evaluate risk at a high level, focusing on the organization as a whole rather than the specific functions that keep it running. "They are looking at risk to the business, not to the functionality of the business," Cowan says.
This distinction becomes critical during disruption. "A company may recognize that a system failure is a risk, but without identifying the function that the system supports and the impact of its failure over time, decisions become reactive," Cowan says. His approach centers on quantifying those impacts, assigning measurable values across safety, financial, legal, regulatory, and reputational dimensions, then mapping them against recovery timelines.
"The moment leadership sees it in numbers, it changes the conversation," he says. "It is no longer a guess."
To make this idea more tangible, he often uses a simple analogy. The function is getting to work. The application is the mode of transport. If one option fails, the function still needs to be fulfilled. "If you only rely on one way to get there, then when it fails, you are stuck," he explains. "If you understand the function, you already have alternatives."
In many organizations, he notes, attention is directed toward systems and tools rather than the outcomes they enable. "This creates a fragile structure where a single failure can cascade quickly," he says. "The cost of that fragility becomes most visible in how companies respond under pressure. Without a predefined plan, decisions escalate, communication slows, and recovery becomes more expensive than the original issue." According to Cowan, this is where the real damage occurs.
"When something goes wrong without a plan, everything becomes a decision," he says. "That slows you down, and that delay costs more than the problem itself."
By contrast, a structured continuity framework allows most decisions to be made in advance. Cowan notes that most response actions can be embedded into a board-approved plan, enabling teams to act immediately with predefined authorities when a disruption occurs.
From his perspective, the persistence of these challenges is not due to a lack of awareness but a pattern of short-term decision-making. He notes that organizations often accept losses or defer investment in resilience rather than addressing underlying gaps.
He points to his experience building a global continuity program within three years as an example of what effective planning can look like. The approach, Cowan explains, focused on identifying each critical function, mapping the components that support it, including people, systems, vendors, and equipment, and aligning their recovery priorities accordingly. "It is not complicated," he says. "You just have to understand how your business actually works."
From Cowan's perspective, that mindset is increasingly relevant as organizations navigate a landscape shaped by cyber incidents, lack of documentation and knowledge transference tied to infrastructure disruptions, and evolving operational dependencies. He notes that in such environments, even minor failures can have disproportionate consequences when underlying systems are not fully understood.
Patrick Cowan's message to leaders is direct. The question is not whether disruption will occur, but how prepared the organization is when it does. He encourages decision-makers to move beyond high-level risk assessments and examine the operational reality beneath them.
"What happens to each critical function when something breaks?" he asks. "Do you know the answer, or are you guessing?"
That question, he suggests, is where preparation begins. The organizations that navigate disruption effectively are not those that avoid risk altogether, but those that understand it in practical terms and act on that understanding before it is tested.
"The companies that get through disruption are the ones that have already decided what they will do," he says. "Everyone else is deciding in real time."