Murphy's Laws & Business Continuity
Gaddum's post can be summed up by saying, you must always conduct a risk assessment, invest in risk prevention, there is always residual risk, there is always an impact. He's not wrong!
Last week I was reading Robin Gaddum's post for Continuity Central describing how he communicates the concept of risk management in business continuity by applying Murphy's Laws. Gaddum's proposed three laws as follows:
If it can go wrong, it will go wrong If it cannot possibly go wrong, it'll still go wrong In real life, puppies die... Get over it. (Or, disasters always have an impact)
The thing about Murphy's law; there is really only one. The adage usually goes "Anything that can go wrong, will go wrong," there are also less polite ways of putting it, but us humans generally accept that 'stuff' does happen, and there is little we can do about it. Murphy's law helps our brains rationalize and bring order to what is otherwise a wildly chaotic universe, to an extent we try to control that chaos, but not always or all ways.
Of course, I understand that Gaddum is looking for the best way to communicate the concepts of risk management in relation to business continuity, but I'm inclined to think that thinking about risk in relation to "stuff happens" only really achieves an in-depth risk analysis.
The Risk Assessment is a vital part of a Business Continuity Plan and should never be underestimated; all too often have I seen senior manager dismiss a risk because their preconceived ideas are still stuck in the "It'll never happen to us" or "we'll deal with it when it happens... until then" mentality. In this situation I always like to ask them how they would feel if the Captain and Co-pilot on their next commercial flight had the same attitude?
When it comes to business continuity, and aviation for that matter, there's plenty that can go wrong; regardless of how well we prepare things still do go wrong, accidents still happen. More often than not when examining the contributing factors and cause of an incident, but after the fact, human error is identified as the most significant contribution. As they say, "aeroplanes don't have accidents, pilots do." As a result Human Factors makes up a significant part of the Aviation industry, where planning, assessing, designing, building & monitoring around the way 'humans' do things and behave is the key.
Gaddum makes a point to remind us of the importance of a business continuity plan, which he describes as:
"...our last ditch defense to enable recovery once that most improbable and unforeseen event has taken us out."
But I find this quite alarmist, after-all how many BCP documents include an Emergency Action Plan for meteor strikes, or herds of marauding donkeys? Those are "most improbable" and certainly "unforeseen". Why not think about this in terms of human failures instead - what are the most likely human failings that will cause your business suffer an outage?
Reliance on Murphy and his (or her) tendency to be right in hindsight will leave us worrying about those donkeys. Instead think about what your admins might get wrong when they're overly tired, or when they have made multiple changes at once, will mean your BCP doc is much more relevant. It'll also mean your BCP Planning Team have considered the individuals in your organizations and how their actions could affect your continuing business. Looking for a human cause and effect angle takes time but is well worth it in the long run, just ask a pilot.
This is a much more powerful place to be; better than staying awake at night wondering how high a donkey-proof fence needs to be.