doc_strange ([personal profile] doc_strange) wrote 2006-05-19 08:50 am

Testing contingency plans... too expensive!?

"If the risk or cost of testing failover is too high, the risk of actual failure is too high."

That has become a catchphrase of mine. It made me wonder:

"If the risk or cost of testing a contingency plan is too high, the risk presented by actual disaster is too high."

These may not be equivalent in value or accuracy. Discuss?

[identity profile] marsgov.livejournal.com 2006-05-19 08:06 pm (UTC)
I've had a busy morning; I meant to comment earlier.

A "drill" wherein Chicago is evacuated (dirty bomb? meteorite strike?) would cost millions of dollars, result in the wholesale destruction of empty neighborhoods by fire, and kill a few dozen people. Regardless of potential threat, a drill evacuation won't happen. I'll go out on a limb and say that I'd resist to the best of my ability an order for a "test" evacuation of my home, much less my neighborhood.

[identity profile] docstrange.livejournal.com 2006-05-19 10:11 pm (UTC)
Hmm. And yet they used to do air raid drills.

Should one just assume any evacuation will fail, or maybe that they should just wing it according to plan and hope for the best (even if in practice the plan is a flop)?

Fault tolerance planning is clearly not contingency planning - but if you can't test a contingency plan because it's too expensive to test, maybe that's strong evidence your situation is inherently too risky?

[identity profile] marsgov.livejournal.com 2006-05-19 10:29 pm (UTC)
I can't really chat pre-Shabbat, but my philosophy is a bit different: Is a plan really needed to evacuate Chicago? Is someone going to tell me I have to drive instead of bicycling (my current plan, BTW)?

I suspect that central planning may create more disaster than an unplanned evacuation.

[identity profile] cruiser.livejournal.com 2006-05-20 12:57 am (UTC)
For the most part, the cost of air raid drills was only time, something which most people waste a lot of anyway (like me, reading LJ, for example).
The decision to do a Chicago evacuation drill or not has a number of factors, not the least of which would be how many people would just ignore the drill (look at the number of people who ignore *real* mandatory evacuations because of hurricanes). The most important factor, though, is how many people would die and how much would a drill evacuation cost vs. how many additional people would be saved multiplied by the chance of an evacuation being necessary. Having participated in lots of drills in the military, it often takes a lot of practice to get something right - which means we're not talking just one drill to have a positive effect in evacuating Chicago, but several.

[identity profile] docstrange.livejournal.com 2006-05-20 01:22 am (UTC)
So I say again:

"but if you can't test a contingency plan because it's too expensive to test, maybe that's strong evidence your situation is inherently too risky?"

[identity profile] cruiser.livejournal.com 2006-05-20 07:37 pm (UTC)
It also could be evidence that the contingency that the contingency plan is designed to mitigate is so bad that any plan, even a bad one, is better than no plan at all. It also probably means that the situation is so unlikely to happen that the cost of testing the plan is greater than the cost of the problems created by the situation, multiplied by the probability of it happening.

[identity profile] docstrange.livejournal.com 2006-05-20 10:03 pm (UTC)
I agree. It could be evidence that the harm to which the risk points is hard to mitigate. One should then check the likelihood of the risk materializing over /n/ timeframe. Your approach seems akin to the Learned Hand rule in essence.

But if the cost of testing the contingency plan is high, and the risk is also likely within a given timeframe, then one should look to remediating/reducing not only the effect of the harm (as you say, the plan being better than none at all) but the risk of occurrence. That's where I come to the point that the "too expensive to test" contingency plan can be evidence of too high a risk: risk that perhaps could have been reduced in depth or likelihood. Such a plan can also be, I agree, for unlikely-but-high-cost risks, a cost that may be as much as it's worth given the low likelihood.

While the military makes plans for all kinds of extremely unlikely scenarios, I don't think business tends to - and for straight-up economic reasons; ergo if there is a plan it would be for a not-entirely-unlikely risk. That's why the comparison of my first quote (very business oriented) with the second (much broader) is interesting to me.

Good comments - thanks!