When the word ‘disaster’ is said, the first things which come to mind are fire, flood, earthquake or terrorism. If we look at the most simple definition of the word disaster – “an event that has an unfortunate outcome” – we can note that it doesn’t even need to be a large scale event to have what can be regarded as disastrous consequences.
Gert Vancoppenolle, in The Definitive Handbook of Business Continuity Management,provides a possible classification of disasters as:
- Acts of nature, which are the events commonly regarded as disasters such as floods, earthquakes and hurricanes;
- External man – made events, such as terrorism and security breaches;
- Internal unintentional events, including employee error which results in data loss;
- Internal intentional events, which can be easily illustrated as a disgruntled employee(s) striking or removing data;
- Non – compliance, from regulatory to legal and even governance failure;
- Business failure, as a result of incorrect or unsuccessful business strategies or practices.
It logically follows that in order to prepare for a disaster, and in turn mitigate the harm caused by it, we must be aware of the risk. Upon further analysis, we can also see that many of the events listed above have a low probability of materialising – often resulting in businesses giving the risk little to no consideration. This represents a gap in the thought process between how we approach personal risks, and those posed to our business.
An analogy to this could be the consideration of income protection – from a specific income protection plan to an emergency savings account, all of which are considered necessary and often catered for within our personal capacities despite the fact that the probability of ourselves no longer being able to create an income is uncertain and, although dependant on a multitude of factors, relatively low. Yet, businesses are reluctant to spend time and resources on ensuring that it can continue making an income in the face of an uncertain and low probability risk. This concern is highlighted when the fact that, according to the Federal Emergency Management Agency (in the USA), only 40% of businesses who suffer a disaster are able to fully recover.
A final point on the consideration of unexpected disasters, and what can possibly be seen as the root of the issue, is the distinction between a disaster and the possible impact on business operations. Too often the low probability of the risk materialising is considered first and then no more thought is given to the matter, whereas business should first be considering the impact of the risk on operations should it materialise, and then moving to the probability of it materialising.
In closing, be cautious of writing a risk off as low probability. The thought of ‘act don’t react’ rings true – considered risks pose less of a danger to business than ignored risks.