It must be human nature to worry more about serious dangers that are unlikely to happen than moderate ones whose likelihood of happening is high.
This would explain why the term “shark attack” brings up 98 million results on Google and the word “sunburn” brings up only 22 million results, even though the odds of a beachgoer getting attacked by a shark are one in 11.5 million, according to Wikipedia, while the Centers for Disease Control says that half of all people under thirty report having gotten a sunburn in the past year.
The chances of a beachgoer’s getting bitten by a shark are less than one in ten million, while the chances of someone getting a sunburn are one out of two, but we’re roughly three times more likely to write and post—and presumably talk, think, and worry—about shark attacks.
Sunburn is no joke since serious cases are associated with an increase in skin cancer later in life.
On the other hand, shark attacks are not only potentially catastrophic, they’re also perversely entertaining to think about. Sunburn, not so much.
“SUNBURN PROBLEMS” AND BUSINESS CONTINUITY
We at MHA Consulting have noticed that a similar pattern prevails in business continuity management (BCM).
The BC community focuses a great deal of attention on such high-drama but low-probability scenarios as a hurricane wiping out a data center, a plane crashing into a facility, or an active shooter entering the workplace.
Obviously, all of these do happen, and they are very serious and potentially catastrophic. The responsible BCM program includes plans to handle all of these types of incidents. (Of course, they should focus on the type of impact rather than the particular scenario, as we’ve discussed before.)
But there are many BC problems which are more like sunburns than shark attacks: they aren’t especially dramatic, but they do bring pain and discomfort and sometimes worse, and they happen almost constantly.
In today’s post, we’ll set forth some of the most common “sunburn problems.”
It’s essential to conduct enterprise risk assessments that look at the most serious potential impacts to the organization. But don’t forget to also consider these more modest but highly likely problems.
COMMON “SUNBURN PROBLEMS”
The following problems are not likely to shut down your organization, but they can be damaging, and the chances of them happening to you sooner or later are very high.
- Key people leave, taking institutional knowledge with them. Are there any people at your organization who are a “single point of knowledge” or the only individuals possessing a certain skill? What would happen if they left? Such departures might not shut the whole organization down, but they can significantly impact a department. An example in sales would be someone who has a close, exclusive relationship with a key customer. In technology, it might be a person who is the only one who understands a complex data and processing flow. Other people could likely figure out the flow if they had to, but this would take time, which would likely be in short supply in the midst of an outage. In identifying areas where this might be an issue, look for aspects of a process where teams or departments commonly say such things as, “Joan always handles that.” This is a tip-off that there is probably specific information or actions which only that one person knows.
- Simmering problems go unaddressed over time and eventually become critical. These problems are frequently the subject of water-cooler talk. People are aware of them and gossip about them, but nothing is done to address them. An example might be a flaw in a process or technology which has not yet caused an issue but which, under the right conditions, would impact the availability of that process or technology with significant consequences.
- Single points of failure lurk in the organization, either undiscovered or known but not addressed. This could involve technology, such as a single server or single network device, or a person who is the only one possessing certain specific knowledge or expertise (see “key people leave” above). For more information, see our recent post, 7 Bad Things That Are Likely to Happen This Week.
- Intentional misbehavior or unethical actions put the organization at risk for lawsuits or regulatory penalties. Could the conduct of individuals at the organization be exposing it to unaddressed dangers? Rogue employees might be creating dangers by committing financial irregularities or willfully disregarding compliance processes.
- Risks relating to the potential for human error. Human error is a common driver in accidents and in mistakes. People may lack discipline in following processes or just believe the process is unnecessary. Even if the conscious actions of people can be minimized, the beauty of humanity is we are not perfect and will make mistakes. It is impossible to prevent all errors but the potential can be assessed and some protections can be implemented. The human condition is perennially fascinating and also an ongoing challenge to risk managers.
- Outside influences. Consider those areas which may be outside your sphere of influence or ability to control, such as competitors’ actions, the political climate, laws, and regulations. An organization’s policies and business practices, while completely ethical and legal, could be attacked due to current social pressures or public discourse. How are the actions of your competitors adding to or changing the risks to your organization?
- A negative culture creates unnecessary risk. What is the culture of the organization and how might it be adding risk? Sometimes organizations punish those who call attention to problems. Sometimes people feel pressure to, for example, “show that all projects are green,” regardless of the actual state of the project or environment. Companies where people are empowered by their managers and are encouraged to take a collaborative approach tend to do better in identifying and managing risk. Organizations where people operate in an environment of fear and conduct themselves merely as the followers of orders tend to have larger amounts of unexplored, unaddressed risk.
- Cyber and data risks. Cyber and data risks are an anomaly: they are the one kind of problem that is both common (like a sunburn) and potentially catastrophic (like a shark attack). These problems are mostly an IT issue, but the BC department should consider how the organization’s policies and potential responses to a data breach (for example) are likely to impact the organization.
- Technology outside the organization’s control. What would the impact be if internet access was shut down? Many organizations would assume that loss of internet access would not be a problem as core systems would still be available. However, in today’s environment, we are dependent on research tools on the internet and many organizations are highly dependent on cloud-based applications such as email, human resources tools, customer service, etc.
- The impact of change. What is different at the organization today compared to last year? Five years ago? Ten years ago? In terms of technology, we frequently hear people say that they use their computers a fraction as much as they used to, with most of the work now being done using mobile devices. Many organizations have not adapted to this type of change. In assessing the risks at your company, be sure to consider the potential impacts of lost devices and related mobile-only vulnerabilities.
ALWAYS APPLY SUNSCREEN
Getting bitten by a shark is no one’s idea of a good time. But sunburn is no fun either, and it’s a lot more likely to happen. Most people are aware of the need to protect themselves from this common and potentially quite serious problem by applying sunscreen. Likewise, your organization should protect itself from “sunburn problems” by thinking about the issues set forth above and following good BCM practices to mitigate their risks.