It’s likely that something unlikely will happen
Most business continuity life cycle diagrams include risk management or risk assessment somewhere in the process.
For many this means one or more risk assessment workshops, whereby a number of risks are identified and rated, based on the likelihood of each risk occurring and the impact if it does. This is a tried, tested and commonly-used approach in a number of risk management applications, from health and safety to operational risk, so it’s often used for assessing business continuity risks too.
The problem with this approach in a business continuity context is that the risks identified are, more often than not, of the low likelihood, high impact variety. So, whatever rating system is used (the most popular being to multiply the likelihood and impact ‘scores’), the overall rating for the vast majority of the identified business continuity risks usually comes out as low; or, at best (or worst, depending on which way you look at it), medium. Which means that, in the risk register, they’re colour-coded as green or amber and seldom, if ever, is any meaningful action taken to mitigate any of them. Which, in turn, means the exercise was, in all probability, largely a waste of time. Whilst this may seem a cynical observation, unfortunately it’s a depressingly common scenario.
But importantly, whilst each individual risk may have a low likelihood of occurring, taken collectively there’s potentially a much higher likelihood that something, at some point, is going to go wrong. As Aristotle once said “Είναι πιθανό ότι τα πράγματα μάλλον απίθανο να συμβεί θα πρέπει να” (at least according to Google!). Or to put it another way “It is likely that unlikely things should happen”. And he was right. Unfortunately, though, it’s nigh on impossible to predict with any certainty what that something might be or when it might happen.
So, whilst there may be a few obvious risks that we probably should consider (provided, of course, that we’re actually going to do something to mitigate them), rather than spending a huge amount of time brainstorming oodles of different low likelihood, high impact risks that no-one thinks will happen anyway, a more productive use of management time and brain power might be to put more emphasis on identifying the impacts of losing our key assets, whatever the reason.
Because the good news is that if we get our business continuity strategies and solutions right, whilst we might not be able to prevent everything that could possibly go wrong, the resulting contingency plans should mitigate a large proportion of those low likelihood, high impact risks that would otherwise languish undisturbed in the depths of our risk registers.