System breakdown is inevitable in large organisations. The question is not whether breakdown will occur, but whether the organisation has designed for recovery when it does.
Recovery design determines whether breakdown becomes a learning event or an organisational setback. It determines whether recovery capability is built before crisis arrives or attempted under pressure when the organisation is least capable of clear thinking.1
Most organisations approach recovery reactively. The system breaks. The organisation mobilises emergency response. Individuals work extended hours. Governance lapses. Once the crisis passes, attention moves away from recovery systems and back to normal operations. The organisation has recovered from the specific breakdown but has not built recovery capability for the next one.
Effective recovery design requires thinking about breakdown as a design problem, not an operational problem. It requires designing the structures, authorities, decision-making processes, and information flows that will enable the organisation to stabilise, diagnose, and restore when systems fail.
The Cost of Undirected Recovery
When system breakdown occurs without recovery design in place, the response follows a predictable pattern. The broken system creates cascading operational problems. Teams attempt fixes ad hoc. Some fixes conflict with other fixes. Decisions are made without clear authority. Information about the scope of the problem is unclear.
The organisation stabilises eventually. But the path to stabilisation has consumed more time, effort, and cost than structured recovery would have required. The recovery has been directed by whoever could mobilise fastest, not by whoever was best positioned to make recovery decisions.
More importantly, the undirected recovery has reset the system to a pre-breakdown state without examining why breakdown occurred. The factors that caused the initial breakdown remain. The next breakdown is likely to follow similar patterns. Each recovery is treated as unique crisis management rather than as an instance of organisational learning.
Recovery Design as Governance Infrastructure
Effective recovery design requires explicit governance infrastructure built in advance:
Recovery decision authority must be clear before breakdown occurs. Who has authority to make decisions during breakdown? What is the escalation path? Where are authority boundaries? If this is unclear in normal operations, it will remain unclear during crisis.
Recovery information flows must be defined. How will the organisation know the scope of the breakdown? Who collects information? How is it synthesised? Who communicates it to whom? During normal operations, these information structures are implicit. During breakdown, implicit structures fail.
Recovery trade-off frameworks must be established. Breakdown requires choices. Restore this system or that system first? Allocate resources to stabilisation or to diagnosis? Accept temporary operational impact to permanent system state changes? These trade-offs must be decided against clear criteria, not negotiated in real time by whatever stakeholders have most urgency.
Recovery role clarity must be explicit. During breakdown, role ambiguity creates duplicated effort and conflicting actions. Roles for diagnosis, stabilisation, communication, decision-making, and sustained recovery must be defined, assigned, and rehearsed before breakdown occurs.
Recovery Design Must Address Root Causes
The most common failure in recovery design is treating recovery as a return-to-normal problem rather than as a diagnosis-and-redesign problem. When the system breaks, the immediate impulse is to restore it to its previous state as quickly as possible.2
But if the system broke under normal operating conditions, restoring it to the same state merely restores the conditions that caused breakdown. Effective recovery design requires the organisation to ask: Why did the system fail? What factors in the system’s design, load, or operating model caused it to exceed capacity?
These are structural questions, not operational questions. They cannot be answered during crisis. They must be addressed in the recovery period after the immediate crisis has stabilised.
This requires recovery governance that separates stabilisation activities (restore minimum functionality as quickly as possible) from diagnostic activities (determine why failure occurred) from redesign activities (implement changes that prevent recurrence).3
Without this separation, the organisation conflates urgency (fixing the breakdown) with priority (understanding the breakdown). Stabilisation gets attention. Diagnosis gets deferred. Redesign never occurs. The next breakdown follows similar patterns.
Recovery Planning and Scenario Design
Effective recovery design requires scenario planning. The organisation cannot predict exactly what will break. But it can identify the classes of breakdown most likely to cause cascading failure: infrastructure system failures, data system failures, key-person dependencies, supply chain disruptions, coordination failures across teams.
For each class of breakdown, recovery planning asks: What would we need to stabilise first? What decisions would we need to make? What roles would be critical? What information would we need? What trade-offs would we face?
This scenario planning is not prediction. It is preparation. It builds decision frameworks, authority structures, and information flows in advance, so that when breakdown occurs, the organisation is not designing recovery under pressure — it is executing recovery design that has already been thought through.
Scenario planning also identifies recovery dependencies. Some breakdowns cascade because systems are tightly coupled. If system A fails, system B fails because it depends on information from A. If systems A and B fail together, system C fails because it depends on them both. Recovery design must identify these dependencies and prioritise recovery sequencing accordingly.
Governance Questions About Recovery
Effective recovery design raises explicit governance questions: Does the organisation have clear recovery decision authority, or does breakdown decision-making become a function of whoever can mobilise fastest? If breakdown requires fast decisions about trade-offs, who has authority to make those decisions?
Does the organisation have recovery role clarity, or do multiple teams attempt similar recovery actions under the assumption that someone else is handling it? If recovery requires sustained attention across multiple functions, are roles and accountability clear?
Does the organisation have recovery information flows that synthesise data about the scope of breakdown, or does each function see only its own problem and react independently? If recovery requires coordinated response, how is information coordinated?
Does the organisation separate stabilisation (immediate restore-to-minimum-function) from diagnosis (understand why failure occurred) from redesign (implement changes to prevent recurrence)? Or does the organisation treat recovery as undifferentiated return-to-normal? Does the organisation have scenario-based recovery planning, or does breakdown governance get designed under pressure? If the organisation cannot predict breakdown, can it at least prepare for classes of breakdown?
The Escalation Problem in Recovery
Breakdown creates escalation pressure. Whoever faces immediate operational impact escalates urgently to whoever has authority or resources. Escalation is rapid, urgent, and often undirected. In the absence of pre-designed escalation governance, escalation creates its own coordination problems.
Effective recovery design includes escalation governance: What is the escalation path? What information must accompany escalation? What decisions can be made at each level before escalation? What decisions require escalation? At what point does emergency response convert to managed recovery? Without escalation governance, breakdown response becomes a free-for-all of competing escalations. The organisation responds to whoever escalated loudest, not necessarily to whoever escalated about the most critical problem.
Why Recovery Design Is Deferred Until Crisis
Recovery design is consistently deferred. Organisations focus on prevention (avoid breakdown) and normal operations (manage steady state). Recovery planning feels like an optional luxury for crisis management specialists, not a core governance function. This deferral reflects a deeper belief: that breakdown is rare enough that recovery planning is not cost-justified, or that crisis management will be obvious when crisis arrives. Both beliefs are incorrect.4
Breakdown is common enough that most organisations will experience significant system failures multiple times during a multi-year strategy cycle. And crisis creates the conditions where clear thinking is least possible — time pressure, incomplete information, emotional intensity, and competing stakeholder interests all converge. Effective recovery design is cheap insurance. It costs far less to design recovery governance in advance than to discover under crisis that decision authority is unclear, that information flows are inadequate, or that role clarity is missing.
-
Weick, K. E., & Sutcliffe, K. M. (2007). Managing the Unexpected: Resilient Performance in an Age of Uncertainty (2nd ed.). Jossey-Bass. Weick and Sutcliffe establish that high-reliability organisations build recovery capability as a structural design feature rather than an emergency improvisation — they invest in preparedness, simulation, and pre-designed response protocols precisely because they understand that crisis is the worst possible moment to design a response. The cognitive and coordination resources required for effective recovery design — clear thinking, authority clarity, information synthesis — are exactly the resources that crisis consumes. Recovery capability built before breakdown is an organisational investment; recovery capability attempted during breakdown is an organisational liability. ↩︎
-
Argyris, C., & Schön, D. A. (1978). Organizational Learning: A Theory of Action Perspective. Addison-Wesley. Argyris and Schön’s framework maps directly onto the distinction between return-to-normal (single-loop) and diagnosis-and-redesign (double-loop) recovery. Single-loop recovery restores the system to its prior state by correcting the error within the existing frame of governing assumptions — it answers “how do we fix this?” Double-loop recovery questions the governing assumptions that produced the error — it asks “what in our design caused this?” Without double-loop recovery, the structural conditions that caused breakdown are preserved intact in the restored system, guaranteeing that breakdown will occur again under similar conditions. ↩︎
-
Perrow, C. (1984). Normal Accidents: Living with High-Risk Technologies. Basic Books. Perrow’s analysis of failure in tightly coupled, interactively complex systems establishes that breakdown response requires different organisational structures than normal operations. In normal accidents, the interactive complexity means that well-intentioned recovery actions can couple with the ongoing failure to produce additional failures. The separation of stabilisation, diagnosis, and redesign is a structural requirement, not a management preference: each activity requires different decision authority, different information, and different timelines, and conflating them under a single “recovery” activity creates the conditions for the response to amplify the breakdown rather than contain it. ↩︎
-
Sterman, J. D. (2000). Business Dynamics: Systems Thinking and Modeling for a Complex World. McGraw-Hill. Sterman’s framework of underinvestment in intangible stocks explains why recovery capability is systematically deferred. Recovery governance is a stock — it accumulates through investment in planning, scenario design, and governance preparation — but its value is invisible until the stock is drawn down in an actual breakdown. Organisations underinvest in stocks whose value is not visible during normal operations, preferring investment in flows that produce immediate, visible returns. The belief that recovery planning is not cost-justified is the systematic undervaluation of stock-building investment that characterises underinvestment dynamics; the actual cost of undirected recovery consistently exceeds the cost of prevention. ↩︎