Why Expected Loss? We Don’t Need To Know Probability; We know there is a Big Risk!

Created: 17 Jan 2013 • Updated: 11 Jun 2014
Oh yes you DO need to know probability! Many professionals and thought leaders have said that ‘there is no reason to know probabilities to know that a big risk exists’ and that it should be intuitively obvious that losing a datacenter would be very bad. But if IT-infrastructure risk is so intuitive, then the value does not lie in identifying the most serious risks; these risks are self-evident. The value lies in determining the optimal ‘investment’ to mitigate the most serious risks. In this context, optimal means allocating the organization’s resources to those actions that will yield the best overall performance.

So even if these intuitive gut feelings about the risks are right, intuition is not the most effective way to justify the appropriate level of investment. In fact, this is the reason that many in IT find it difficult to provide a valid ROI for HA/DR solutions: they fail to understand the value that probability and the associated ‘Expected Loss’ bring to the value proposition.

Many organizations have been told that the ‘cost of downtime’ or the BIA can be used to justify HA/DR solutions. They soon learn that the ‘cost of downtime’ and the BIA come up short when making an argument for appropriate funding and resource allocation. This lack of funding creates frustration and has led many to mistakenly assume that there can be no ROI for HA/DR solutions. The limitation of the ‘cost of downtime’ and the BIA is that they only quantify the ‘potential-for-loss’ and systematically ignore the probability of occurrence. This probability neglect causes excessive worry about statistically small risks and distorts perceptions about serious threats. An organization may have actually experienced downtime that cost millions of dollars, but that does not mean such a loss should be expected as a regular occurrence.

The only rational reason to spend money on any HA/DR solution is the expectation that the benefits outweigh the costs. But what are the benefits of HA/DR solutions that can be quantified? What does the organization get for all the money it spends on HA/DR? To understand the benefits we must go beyond the ‘potential-for-loss’ (loss potential) and understand the losses that can be reasonably expected (expected loss). HA/DR solutions reduce expected loss.

The first thing to recognize is that investing in HA/DR solutions is a very different kind of investment decision, because HA/DR solutions address operational risk. The vast majority of business investments expect a return: an expected-gain. For these types of investments, capital is ‘wagered’ with the expectation of a payoff, something greater than the original investment. This expected-gain is what makes taking the risk worthwhile. When investing to reduce an operational risk, however, there is no obvious payoff and no expected-gain; the best that can be expected when addressing operational risk is to prevent something bad from occurring, to avoid an EXPECTED-LOSS. So when it comes to HA/DR solutions there is no upside gain; we can only limit losses.

Now, there are two ways to increase the return on investment: (1) increase the expected-gains and/or (2) reduce the expected-losses. By far, most ROIs only estimate the increases to expected-gains. Reductions to expected-losses, however, are just as valid as increases to expected-gains. Expected-loss is what provides the economic cause-and-effect relationship that is deficient in the BIA and the ‘cost of downtime’. Expected loss ensures better priority setting among the serious risks and provides the business process to evaluate multiple alternatives using the standard ROI technique.

Expected-loss is not something subjective like ‘risk appetite’, ‘risk aversion’ or ‘risk tolerance’. Expected loss uses the principles of ‘Expected Value’, a notion developed by Blaise Pascal and Pierre de Fermat during the middle of the 17th century. Simply put, ‘Expected Value’ is the value of an event times the probability that the event will occur. Expected Loss, therefore, is the ‘loss potential’ times the ‘probability’ that the loss will occur. We can apply expected loss to a real business problem of HA/DR: the inherent risk of the IT-infrastructure. The ROI of alternative HA/DR solutions can be evaluated based on their ability to reduce the consequence of an event, reduce its occurrence rate, or both, and is measured by the reduction in expected loss.
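
The comparison described above can be worked through in a few lines. This is an added example, not the author's own model: the risk names, dollar figures, probabilities and solution effects are all constructed for illustration, and the `Risk`, `Solution`, `loss_reduction`, `roi` and `rank` names are hypothetical.

```python
from dataclasses import dataclass, field
@dataclass
class Risk:
    name: str
    loss_potential: float  # cost of one occurrence (what a BIA quantifies)
    probability: float     # chance of occurrence per year
    @property
    def expected_loss(self) -> float:
        # Expected loss = loss potential x probability of occurrence
        return self.loss_potential * self.probability

@dataclass
class Solution:
    name: str
    annual_cost: float
    # risk name -> (consequence multiplier, occurrence multiplier); 1.0 = unchanged
    effects: dict = field(default_factory=dict)

def loss_reduction(sol, risks):
    """Yearly expected loss avoided: baseline minus residual, over all risks."""
    total = 0.0
    for r in risks:
        loss_f, rate_f = sol.effects.get(r.name, (1.0, 1.0))
        total += r.expected_loss * (1.0 - loss_f * rate_f)
    return total

def roi(sol, risks):
    """Standard ROI with the reduction in expected loss as the benefit."""
    return (loss_reduction(sol, risks) - sol.annual_cost) / sol.annual_cost

def rank(solutions, risks):
    return sorted(solutions, key=lambda s: roi(s, risks), reverse=True)

# Constructed figures for illustration; none come from the article.
RISKS = [
    Risk("datacenter loss", 20_000_000, 0.002),  # expected loss  40,000
    Risk("storage failure", 500_000, 0.2),       # expected loss 100,000
    Risk("application outage", 300_000, 0.5),    # expected loss 150,000
]
SOLUTIONS = [
    Solution("second site", 250_000, {"datacenter loss": (0.1, 1.0)}),
    Solution("failover cluster", 60_000,
             {"application outage": (0.2, 1.0), "storage failure": (0.5, 1.0)}),
    Solution("change control", 30_000, {"application outage": (1.0, 0.6)}),
]

if __name__ == "__main__":
    for s in rank(SOLUTIONS, RISKS):
        print(f"{s.name:18} avoids {loss_reduction(s, RISKS):>9,.0f}  ROI {roi(s, RISKS):+.0%}")
```

With these constructed inputs, the risk with the largest loss potential has the smallest expected loss, and the solution aimed at it ranks last on ROI.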

Mr. Wenk is Principal Resiliency Architect for Symantec's Storage and Availability Management Group. He has consulted worldwide with large Fortune 500 customers, generating demand for cloud infrastructures and architecting private cloud solutions for technology-intensive organizations in over 20 different countries. Dennis Wenk earned an MBA in Accounting and Finance and a BS in Computer Science from Northern Illinois University. He is a Certified Information Systems Auditor (CISA), and he currently sits on the Advisory Board for Continuity Insights and serves as their Technology Chair.