A recovery plan can describe every system and still be impossible to execute
The plan says the network may be isolated. Who can authorize the interruption? It says backups will be restored. Who decides which point in time is trustworthy? It says clients will be informed. Who determines whether the facts justify contact? These are not administrative details around recovery. They are the mechanism through which recovery becomes legitimate. Technical teams often possess the ability to act without the authority to accept the consequence. Executives may possess formal authority without access to reliable facts or secure communications. Vendors may hold practical control over systems while waiting for instruction from a person who is unavailable. Continuity is therefore an authority problem before it is a technology problem.
Decision rights must survive the incident
Under normal conditions, authority is distributed across committees, policies, contracts, management roles and technical permissions. Disruption places those instruments under stress at the same time.
- The directory containing the escalation list may be unavailable.
- The executive authorized to declare may be travelling or unreachable.
- Counsel may need evidence before advising on a step that operations cannot delay.
- A provider may refuse an emergency change without a named contractual contact.
- The person with the system privilege may not be permitted to decide whether it should be used.
A serious continuity design assumes that one authority route, one communication channel and one key person will fail.
The five rights that must be explicit
- Declare — who determines that ordinary operations have ended and exceptional authority applies.
- Isolate — who may interrupt connectivity, disable accounts or stop a service.
- Restore — who selects the recovery point, environment and order of return.
- Communicate — who may inform staff, clients, counterparties, authorities or the public.
- Accept — who can knowingly accept legal, financial, client or operational consequence.
Each right needs a primary owner, a successor, an evidence threshold and an expiry. “The crisis team” is not an answer unless the team’s composition, quorum and powers remain available under incident conditions.
Align formal and technical authority
The operating test is simple: can the person legally empowered to decide cause the system to obey, and can the person technically able to act demonstrate that the decision was legitimate? Map each critical action against four layers.
- Mandate — policy, contract, board authority or legal instrument.
- Decision — the role permitted to authorize the action.
- Execution — the account, key, provider or person able to perform it.
- Evidence — the record proving what was decided, by whom and on what facts.
A gap in any layer creates delay or uncontrolled action. A mismatch is more dangerous: the wrong person can execute quickly while the right person cannot.
Tabletops should test decisions, not memory
A useful exercise presents a condition where facts remain incomplete and normal authority is impaired. Participants must decide whether to isolate a revenue system, use an alternate channel, restore from a contested backup or communicate before scope is known. The exercise should record where people request information that would not be available, rely on a person not in the room, or assume a provider will accept an instruction it has never agreed to accept. The output is an authority repair list, not a score for participation.
The doctrine
Resilience is the ability to continue making legitimate, informed and executable decisions while systems, facts and people are degraded. That capability cannot be improvised during the event. It must be expressed across mandate, access, communication, provider arrangements and evidence in advance. Systems recover when authority remains coherent enough to direct them.
