Are companies war-gaming the scenario where they may lose everything? Usually, the answer is no. In most organizations, "doomsday" is a line item relegated to the IT department, managed under tight budgetary constraints that rarely correlate to actual revenue risk. This disconnect creates a "Resilience Gap" where the cost of a catastrophe far outweighs the investment in prevention until the catastrophe occurs.
The IT-Revenue Disconnect
The common mistake is treating disaster recovery as a technical checkbox rather than a fiscal strategy. Downtime costs escalate rapidly. Industry data points to incident response costs averaging $4,537 per minute across technology organizations (Secureframe, 2026).
- The Revenue Reality: For a mid-market firm with $10 million in annual revenue, even a single hour of unplanned downtime represents significant direct and indirect losses, including lost transactions, productivity paralysis, and recovery overhead. When organizations factor in these cascading costs, actual incident recovery typically exceeds initial budget estimates by 3 to 5 times.
- The Budget Disconnect: IT leaders estimate downtime costs in precise per-minute terms, yet median renewal budgets for redundancy and backup infrastructure rarely correlate to these documented risks. The result is a systemic under-investment in the systems most likely to prevent catastrophe (Secureframe, 2026).
Vendor Fragility: The VMware Lesson
Market consolidation introduces structural risk. When a vendor's business model shifts abruptly, or when acquisition dynamics force rapid repricing, organizations with single-vendor dependencies face acute exposure.
- The Broadcom-VMware Shift: The acquisition, completed in November 2023, eliminated perpetual licensing entirely. By mid-2024, subscription-only bundles rolled out with reported price increases ranging from 300% to 1,200% for organizations migrating from perpetual to subscription models (Avasant, 2025). Smaller deployments faced particular strain from new 72-core minimum requirements, which forced over-licensing costs.
- The Concentration Risk: Organizations relying on a single vendor for mission-critical infrastructure have limited negotiating leverage if that vendor undergoes financial stress, a strategic pivot, or an acquisition. The VMware precedent is instructive: customers discovered their cost structure could shift by an order of magnitude within quarters, with limited recourse.
The Intelligence Leak: Human Single Points of Failure
Organizations often underestimate the fiscal cost of losing institutional knowledge. Key person dependency is not merely an HR risk; it is an operational and financial risk that boards rarely quantify until it materializes.
- Knowledge Loss and Institutional Risk: When a subject matter expert departs, the individual takes undocumented decision logic, vendor relationships, and system workarounds that are difficult to replicate. For large firms running legacy or mission-critical systems, a single departure can stall infrastructure modernization roadmaps for months while a successor builds competency.
- Modernization Drag: Replacement candidates rarely arrive with equivalent domain expertise. The learning curve for specialized roles typically extends 12 to 24 months. During this period, risk-averse decision-making dominates and innovation stalls. The cost is measured in deferred modernization and extended system support lifecycles.
Implementing the Klein Pre-Mortem
The term Pre-Mortem was coined by psychologist Gary Klein in 2007. It is the practice of "prospective hindsight"—imagining a project has already failed and working backward to determine why (Klein, 2007).
I recommend conducting a Pre-Mortem quarterly or at the start of any high-stakes initiative. It should not be the concern of the CFO alone; it requires a cross-functional team to identify blind spots that a single department cannot see.
Reporting to the Board
The pre-mortem output requires executive translation. Frame the results in financial and strategic terms:
- Quantify Impact Tolerance: Define the maximum duration of disruption the organization can withstand before brand or revenue damage becomes permanent. This "impact tolerance" varies by business model and should inform investment in redundancy.
- Map Mitigation Value: Show how proposed investments directly reduce financial exposure. A specific investment in disaster recovery that prevents a multi-million dollar outage is not a cost; it is an insurance premium.
"By moving doomsday planning out of the IT basement and into the boardroom, you demonstrate true fiscal maturity. A leader who has already lost everything in a war game is the only one who truly knows how to keep it."
Sources:
Avasant. "The Impact of Broadcom's Acquisition of VMware." 2025. https://avasant.com/report/the-impact-of-broadcoms-acquisition-of-vmware/
Klein, Gary. "Performing a Project Premortem." Harvard Business Review, 2007. https://hbr.org/2007/09/performing-a-project-premortem
Secureframe. "Disaster Recovery Statistics for 2026." 2026. https://secureframe.com/blog/disaster-recovery-statistics
