You need to prepare your organization for the unexpected. But there are too many risks to predict everything. I propose 9 types of scenarios. They are based on three levels of problems: one-off, recurrent, disaster and three types of causes: involuntary, voluntary, natural.
It is up to you to choose the scenarios that are most applicable to your context.
The common denominator is unpredictability. These events always come at the worst possible time. No one plans their week with a disaster.
Problems and incidents: the daily operational routine
Breakdowns and incidents are common. Your teams manage them every day. The most frequent ones are fortunately the easiest to manage. You probably have procedures for restarting recalcitrant equipment and systems or changing routine wear parts. The operational teams are in charge of the repairs. Whether it’s industrial equipment or a server, these people have the knowledge, the procedure and the tools to correct problems.
Some breakdowns or incidents are more complex, in which case the situation is escalated to the level 2 team: industrial maintenance or IT department. They have more knowledge, access, tools and can in turn escalate to an external supplier or specialist if needed.
When breakdowns keep on happening
In the heat of the moment, your goal is to restart production. But at the end of each failure, you must document. Indeed, if a failure is out of the ordinary, it may be a weak signal of a larger failure in the making or signs of sabotage. The 5-Why analysis will help you determine the probable cause of the failure. Documenting will also help you to know the recurrence of failures and take the right actions to avoid a disaster.
For various reasons, you can be the victim of a malicious act: an individual internal or external to the organization causes a breakdown in your systems. You use your usual methods, but the problem comes back or gets worse or is difficult to repair.
Disaster: the realization of the worst case scenario
The disaster has arrived: you are living the worst scenario imaginable. The consequences are major, and you are overwhelmed by events. Your company is blocked, nothing works anymore. You did everything you could to avoid this situation, but unfortunately, it happened anyway. You must act quickly and make the necessary decisions to minimize the damage and restore the situation as soon as possible.
Accidents and errors: unintentional events
Human errors can have serious consequences for a company’s systems and operations. In these situations, the person involved did not mean to do anything wrong. It simply lacked training, used outdated technology or an incomplete process.
However, this type of risk is the only one over which the company has control. By implementing proper training programs and ensuring that the most up-to-date technology and processes are used, errors and accidents can be avoided.
Criminal incidents: voluntary events
Cybercrime is on the rise and poses a real threat to businesses. This risk is now far greater than the theft of equipment or the arson of your buildings.
Cybercrime attacks trade secrets and locks access to your data by demanding a ransom to unlock it. Hundreds of companies fall victim to ransomware or online fraud every month.
To protect your business from these threats, it is important to reduce your attack surface by securing your systems and training your teams in good security practices. It is also crucial to have a disaster recovery plan in place in case of an attack, so that you can quickly recover your data and resume your activities.
Natural disasters
This is the most uncertain risk. Depending on where you live, floods, earthquakes, tsunamis and other extreme weather events can strike at any time. As we have seen recently, health disasters can also take on an unsuspected magnitude.
In both cases, abrupt changes in the environment changes your short-term priorities. You have to adapt quickly, without really knowing when “normality” will return, and what the next step will look like. Areas may become uninhabitable, your business model may become unworkable under new conditions.
Examples of scenarios in each category
| Cause | One-off problem | Recurring problem | Disaster |
|---|---|---|---|
| Involuntary | A network administrator deploys a misconfiguration and causes a short-term outage of the Wi-Fi network An operator puts the assembly jig upside down and blocks the machine. | An administrative employee regularly clicks on phishing links. A technician regularly uses the wrong product to clean the machine | An untrained system administrator destroys a critical virtual database server that is used in production. A machine operator cuts off the electrical supply to your main site. |
| Intentional | An angry IT employee reboots a system without warning. An operator kicks a fragile piece of equipment on the shop floor. | A malicious analyst exfiltrates data on an external drive every month. An operator voluntarily disrupts a machine every Friday. | A cybercriminal group accesses your systems and encrypts your data for ransom. An activist destroys the fiber optic feed to the main server room. |
| Natural | Lightning strikes your building, the circuit breaker goes into action and cuts off the electricity. | Mice nibble on your cables and cause recurring network outages in an office building. | Your main building is destroyed by a flood. |