I believe that everything in life is a learning opportunity. Further, I believe all facets of our lives are interconnected. So, if something happens in my personal life I try to think about how it relates to some aspect in my professional life.
Case in point - I recently blew out my knee playing hockey. Now, I'm still in the discovery stage trying to figure out what exactly is wrong so that I can understand what the impact is going to be. But, my mind is already thinking about how this relates to what's going on at the office...
As with anything, when I play a sport I'm assuming some amount of risk. In this case, I've been playing for years now and thought the risk was minimal. What I really didn't truly consider was the impact if that risk came to bear.
What I mean by this is I know I could have gotten hurt, but I really didn't take into account to what degree AND what the impact to my life it would really have. While I know I'm not going to be permanently disabled, to say I'm only slightly impacted is an understatement! Forget about hockey for the moment, I can barely walk.
The same goes for risk evaluation in the "real" world. I don't know how many clients we talk to on a daily basis who decide things based only on the risk involved and NOT truly taking into consideration the impacts of that risk. And further, that "risk" they're usually basing their decision on is the statistically incorrect assumption that since "we've never had a crash therefore we never will".
Or, when it does happen "we have a backup so we'll be fine". More often than not, this "backup" is a tape backup of only part of their data. Restoring it will be a time consuming nightmare at best and at worst will only provide for part of their daily needed information.
So, while they're considering risk, they should more importantly really be thinking about the impact - ie: when we go down, what will this really look like? And what will the true impact be to our business? And how much is it worth to NOT have to go through this? These are really the questions that should be considered in any Business Continuity discussion.
Way too many clients think "backup" means they'll be "back up" and in some (unfathonable) short amount of time. Nevermind, that the (partial) tape backup runs all night (so how could it possibly be restored in less time?).
Or that the clients are missing their install CD's, or licensing codes aren't documented, or versions aren't kept current and the drivers don't work w/ the latest operating systems (these are only some of the hurdles we have to clear during a frantic disaster recovery).
But then it's our fault because it's taking too long (to get them back up and running). Frustrating to say the least.
Unfortunately, there are so many "moving parts" involved in managing technology infrastructure that when you have discussions about risk of failure it needs to be more of an ongoing discussion than a one time thing. Keep in mind, often times these discussions could become outdated within the same year.
This only complicates the concept because the bar is always moving. And while we understand each and ever nook and cranny involved, clients simply don't. When you clearly explain one concept, 6 months later it's outdated (whether because the technology has changed or the client's requirements have changed) and you need to explain it again only differently.
And failure isn't only one thing. Nothing happens in a vacuum. Points of failure are merely links in a chain. Everything is interconnected. You have hard drives, power supplies, RAID configurations, tape vs disk, BDR's, offsite storage, network storage, server virtuatlization, cloud services, etc. All of these impact the impact (of failure) differently. But, most importantly they impact the discussion needed.
Again, my point is - it's really more about impact than it is about risk. We need to be dilligent with our clients on this. And unfortunately, right now I know this personally only a little too well.