When Tom Cruise came out with no pants, sliding around the floor in his socks, were you calculating the likelihood of him suffering a slip and fall while assessing the possible damage to both his body and the personal effects in the house? I doubt it. But, imagine someone asked you to do just that … would you feel qualified?
I ask because, years ago, I found myself in a somewhat similar position — now, I wasn’t running around in a men’s button-up shirt and tighty-whities lip-syncing to Bob Seger, but I was asked to fill out a risk matrix.
That’s right — every franchised hotel you’ve slept at has probably completed a risk matrix and submitted it to corporate. I say probably because I’m in a generous mood, but the truth is, they probably haven’t, or, if they have, someone like me filled it out, so it’s useless.
Before this assignment, I had never seen or heard of a risk matrix. The concept was easy to understand — it was a chart with likelihood on the Y-axis, and consequences on the X-axis. The higher up the Y-axis you go, the more likely, and the further you travel to the right of the X-axis, the more severe the consequences. In the middle are a bunch of color-coded boxes — green is pretty safe, yellow requires caution, and red signifies a serious risk. But, how can you accurately assess all potential risks?
“It doesn’t matter,” my regional manager told me. “Just fill it out.”
So, I did. I rated both the likelihood and the severity of every risk — fire, earthquake, tornado, power outage, robbery, active shooter, flooding, choking, slip and fall, suicide, etc. — based entirely on my opinion. There was no science, data, or strategy at all behind it. It’s not that I was lazy and didn’t care — the owners made me feel like it wasn’t worth much of my time because I knew it wasn’t worth theirs. But, the main problem was, I just didn’t know where to go to gain any insight. Until recently …
One of the assignments for the Certified Data Center Design Professional (CDCDP) course through CNet Training was to perform a risk assessment. Our instructor explained how important it was for the CDCDP to invite all stakeholders to brainstorm every possible risk, determine the likelihood and severity, and develop a mitigation strategy. For the project, we were broken up into teams and assigned to carry out a full risk assessment meeting that ended with a completed risk matrix.
Our team comprised a software engineer, facility manager, security officer, someone else in another position I can’t remember, and me — a journalist. Looking back on our discussion, an old adage comes to mind: “You don’t know what you don’t know.”
After five days of class, I had a whole slew of risks that came to mind, and I figured the rest of my team would have the very same ideas. Wrong. They all thought of things that never even crossed my mind. The gal who’s in charge of managing a data center said, “It seems like common sense, but there should be no food or drink allowed inside the data hall.” And she’s right — it does seem like common sense, but is it? What is the likelihood that Tom Cruise (or anyone else) will show up at your facility, walk into the server room, take a few bites of a TV dinner, sock-skate through a puddle of dielectric fluid, slam into a server rack, and destroy the data hall? I’d say it’s pretty low, but what do your team members say?