How to be resilient to catastrophic events
A catastrophic event is an incident which results in substantial damage or loss, requiring major financial resources to repair or recover. Catastrophic events for an organisation are treated as rare, but in reality their likelihood is mostly unpredictable. Popularised as 'black swan' events by the insightful Nassim Nicholas Taleb, these unpredictable catastrophes have the capacity to be extremely painful for your company (and for you, too).
Likely to have been considered black swans by the impacted companies:
Misrepresented clinical data costing $500 Million in fines
Opioid drug settlement - $1.6 Billion over 8 years
Ransomware attack - true cost as yet unknown
GDPR breach and leaked data costing $200 Million in fines
Our biases are an unfortunate contributor to being impacted by 'black swan' events. A collective misunderstanding of past events (called hindsight bias) hampers our natural ability to understand the significance of calamitous and rare future events. What does seem predictable is our collective ability to fall afoul of these black swans. It seems we have a bit of work to do.
Recognising black swans is not something that comes naturally to us, or to your organisation. Counteracting innate biases and reducing the pain of black swan events will require an approach that is deliberate and 'immunised' against the following:
A) Not giving identified risks enough significance, increasing your susceptibility to them
B) Not detecting black swans or even being aware of them in the first place
A Fear of Straight Lines
Risk Management in place?
An already defined risk management approach is at least a basis for starting the conversation around the potential black swans that will be especially painful. Regulators are realising that companies identifying their own potential for pain to their clients or to the market is better immunisation against black swans than compliance with policy alone. A risk management strategy is front and centre in modern regulatory expectations, and this self-assurance is a deliberate effort to inherently mitigate 'black swan' risks that have an unbounded downside potential.
Does your risk approach invoke an image of a straight line from your low risks, through medium all the way to what is identified as high risks? Oops, your risk management approach might just be falling foul of our bias toward straight lines, or a "linear projection fallacy".
As a result, we tend to overestimate the significance of the potential risks in the middle, and underestimate the significance of catastrophic 'long tail' risks perceived to be rare when the likelihood is actually unknown. A power law distribution can help us to better perceive the significance of potential pains and refocus our effort:
Pains that have the potential to be catastrophic are often easily dismissed due to a perceived low likelihood. In reality, their likelihood may be completely unknown, and their potential for being painful way greater than other risks historically recognised as more significant.
The power law is more than a math function; it is also a powerful mental model.
Black swans
So identified black swan pains can be given the appropriate significance, great. But how can we immunise ourselves against the black swans we don't even know about ("unknown unknowns")?
An unknown unknown is a blind spot in your organisation, where the potential for a black swan event is not even identified in the first place. As you can imagine, the resulting calamity is even more painful than the organisation imagines (clearly). As your company is a constantly changing organisation, so too are these blind spots, which makes them particularly challenging to keep on top of.
As they are currently unknown, we need to strive to reliably investigate, learn and improve our understanding about new risks, and seek the gains that will help immunise the organisation from any potential black swans and build resilience over time.
Factors that elicit meaningful change in identifying black swans:
Training - employee awareness training can start the mindset change that's required for resilience
Experience - the unique experience of subject matter experts or your peers will give a unique perspective that you won't have. Get the right 'mix' of experience in the room
Data - Being diligent in seeking data points on key business attributes may help you see what you currently do not
Culture - Nurturing imagination & creativity in combination with experience contribute to identifying unrealised black swans, but what if there is nobody to listen?
Open Reporting - A quick way to empower employees in a new way of thinking is to present an open forum where peers will listen, such as anonymous reporting forms (can help build data points), and dedicated risk workshops.
A mix of creativity, experience and empowerment will have your organisation preventing massive pain and taking advantage of massive gains. This is how we like to think about it:
Preventing known failures alone does not guarantee success. Building towards organisational resilience involves continuously seeking the gains of a high reliability organisation.