Dealing with threats that you can’t envision

What do natural disasters, anarchists and terrorists, fraudsters and thieves, and religion have in common? They all present potential threats (of generally low individual probability) for which generic preparation can provide a significant part of the solution. Our goal is to manage vulnerability, to transfer risk, or to reduce risk to a level with which we can comfortably live.

To do this, we must stop thinking about causes and deal with effects. We know that even under the best of circumstances we can’t affect threats, and we certainly can’t affect threats of which we haven’t thought. Nor can we do much about vulnerabilities, the portion of the risk formula over which we normally do have control, because if we don’t know the threat, we can’t identify the associated vulnerabilities. What we have left is worst-case scenarios.

As an example, we once looked at a company that had its computer room next to the parking lot. If a large truck lost its brakes and backed through the wall, the company would lose its computers. This was a threat (brake failure or bad driver) coupled with a vulnerability. But what if some unknown threat knocked out a computer room that had been protected from every threat of which they could think? It would still be gone.

What actions could they take if they asked what would happen if the whole computer system disappeared, independent of the cause? Well, for a start, they could have one or more backup sites, geographically separated so that if one disappeared, for whatever reason, they still preserved their options. While this would not address the immediate vulnerability (which did need to be addressed), it would still be a better choice.

The good news is that with some small amount of effort, you are likely to be able to identify critical resources without which your organization has a serious problem, and may simply disappear. If you can protect these resources, you don’t really care from whence the threat comes.

The bad news is that few organizations bother to do this. We recently asked a senior official in a major metropolitan law enforcement agency whether his department had anyone who sat around thinking about how bad people could do bad things, and how to prevent these bad things from happening. The answer was no, he knew of no such group.

We strongly urge you to designate a team to identify critical resources. Work out the most cost-effective way to ensure the organization’s survival in the face of threats to these resources that you cannot even begin to imagine.

