Today we've been chatting about this on the ISO27k Forum:
"Let's assume that the company is willing to accept risks with a potential financial impact less than $50k. Obviously after performing risk assessment, we need to decide which treatment option we should follow. In case when the potential impact of the risk is below $50k - (risk appetite), we should accept the risk, right?
My question is: what happens if for some reason, multiple Low Risks (below risk appetite value/already accepted) occur at the same time? Should the Risk Appetite represent an aggregation of all low risks or just reflect the appetite for a single risk?"
I suggested considering 'coincident risks' as another entire category or class of risks, some of which may well be above the risk appetite/acceptance threshold even if the individual risks fall below it.
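A worked illustration of the aggregation point, added here as an example and not taken from the forum thread: a constructed three-item risk register in which every risk sits below the $50k appetite on its own, enumerated to find the coincidences that reach it. The risk names, annual probabilities and impacts are made up for the illustration and the risks are treated as independent.

```python
from itertools import product

RISK_APPETITE = 50_000  # impact below this is accepted per risk, as in the forum question

# Constructed sample register: each risk is individually below the appetite.
# Names, probabilities and impacts are illustrative, not from a real assessment.
RISK_REGISTER = [
    # (name, annual probability of occurrence, financial impact if it occurs)
    ("Payroll phishing fraud", 0.2, 30_000),
    ("Stolen unencrypted laptop", 0.3, 25_000),
    ("Web shop outage (one day)", 0.1, 20_000),
]


def individually_accepted(register, appetite):
    """True when every risk, taken on its own, falls below the appetite threshold."""
    return all(impact < appetite for _, _, impact in register)


def coincident_breaches(register, appetite):
    """Enumerate every combination of risks materialising in the same period.

    Assumes the risks are independent. Returns (probability that the combined
    impact reaches the appetite, list of (names, combined impact, probability)
    for each breaching combination). Exact enumeration, so suited to small
    registers; a register of dozens of risks would call for simulation instead.
    """
    breaches = []
    total_prob = 0.0
    for occurs in product([False, True], repeat=len(register)):
        combo_prob = 1.0
        combined_impact = 0
        names = []
        for (name, p, impact), hit in zip(register, occurs):
            combo_prob *= p if hit else (1 - p)
            if hit:
                combined_impact += impact
                names.append(name)
        if combined_impact >= appetite:
            total_prob += combo_prob
            breaches.append((tuple(names), combined_impact, combo_prob))
    return total_prob, breaches


if __name__ == "__main__":
    print("all risks individually accepted:", individually_accepted(RISK_REGISTER, RISK_APPETITE))
    prob, breaches = coincident_breaches(RISK_REGISTER, RISK_APPETITE)
    print(f"annual probability that coincident risks reach the appetite: {prob:.3f}")
    for names, impact, p in breaches:
        print(f"  {' + '.join(names)}: ${impact:,} (p={p:.3f})")
```

For this register the per-risk view accepts everything, yet three of the eight possible coincidences reach the appetite, with a combined annual probability of about 7.4%, which is the class of risk the per-item threshold never sees.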
It gets worse. There are many other coincidences, errors, failures, issues and exceptional circumstances that could occur - in extremis, it's an infinite set of possibilities given all the permutations and combinations.
Our collective failure to identify and take seriously the possibility of a pandemic landed us in the poo we’re in now. Even those organisations that did have pandemic controls in place have found the going tougher than anticipated, some discovering that their stockpile of sanitizer and masks had not been properly stored and maintained, and hence was next to useless when called upon.
Trust me, it can be a sobering exercise to run a risk workshop focused on rare but extremely impactful events, the outliers that we tend to ignore in routine risk management because it’s hard enough dealing with the commonplace extreme events, let alone the rarities. Every well-managed organisation needs to deal sensibly with the scarily vague “something else happens and lands us in serious trouble” situations, when classical scenario planning runs out of steam. There are far too many possibilities to even enumerate, let alone evaluate and treat individually: a more general-purpose approach is required.
That line of thinking leads us through incident and crisis management into business continuity planning, in particular the resilience and contingency aspects. Insurance is another possibility, for some but not all situations: insurance against unbounded classes of incident can be risky for both the insured and the insurers, although business interruption insurance is available, at a price, with various constraints as the insurers protect their own businesses against interruption. Hopefully.