People who deal with risks and risk management on a daily basis do not trigger storms of enthusiasm when they raise an issue. The subject simply lacks sex appeal.
However, we all do it on a daily basis, though mostly in an unstructured way and almost always undocumented. Think about this: when you cross the street at a yellow traffic light, you weigh the risk of being hit by a car against the chance of crossing the junction faster. You perform the same assessment in business, e.g. what can we earn by going into a new market, and what are the arguments against it?
What is “Full Loss Risk Management”? What if a data center, production plant or office building is no longer there the next day, or cannot be entered due to a pandemic? The full loss case has occurred. If you take measures to cope with such a drastic case, then you are well prepared for most of the smaller events.
With this approach, you get to the core quickly and thus also achieve rapid risk reduction. It also encourages those involved to think about it.
The next counterargument would be – it is too costly to duplicate the infrastructure of offices, plants etc. Of course it is! But that is not the point. The point is that, if you simplify things, it demystifies the issue and you can still be well prepared.
You have to take precautions to survive the full loss case. And usually the solutions are cheaper and easier than you might think: mirroring into another data center, a contract for office containers on call, or similar. Taking small steps and thinking about achievable measures will guide you to the right solution.
This first full loss preparation can only ever be the preparation for further analysis. As an example, for legal requirements alone, you often have to perform a fire protection analysis and establish fire protection measures.
So instead of focusing on all possible threats, the idea is to focus on the impact and the outcome of a full loss scenario, because you can never be sure that you will identify all causes and establish enough measures to prevent the full loss case.
For example, I can state that an extinguished fire can still make a building unusable.
So, I hope that the remarks have given you food for thought, as that is the goal.
Author – Andreas von Grebmer, CISO of 360inControl® the Internal Control Solution for the digital age.