04 January 2014

Black Swan: Strategy Execution for the "Outlier"...

The Black Swan is a surprise event and the idea that a catastrophe can strike without warning. What does your organization plan for? The low consequence high frequency incident or the high consequence low frequency incident? The ratio can tell you what your "Resilience" factor is to Operational Risk loss events. Key Performance Indicators (KPI's) can give you some forward looking view into the risk portfolio yet what about the resilience to the Black Swan?
A black swan is a highly improbable event with three principal characteristics: It is unpredictable; it carries a massive impact; and, after the fact, we concoct an explanation that makes it appear less random, and more predictable, than it was. The astonishing success of Google was a black swan; so was 9/11. For Nassim Nicholas Taleb, black swans underlie almost everything about our world, from the rise of religions to events in our own personal lives.

Why do we not acknowledge the phenomenon of black swans until after they occur? Part of the answer, according to Taleb, is that humans are hardwired to learn specifics when they should be focused on generalities. We concentrate on things we already know and time and time again fail to take into consideration what we don’t know. We are, therefore, unable to truly estimate opportunities, too vulnerable to the impulse to simplify, narrate, and categorize, and not open enough to rewarding those who can imagine the “impossible.”
Your organization is no doubt spending time on the Operational Risk Management (ORM) events that consistently are in the high frequency "In Your Face" category. In a highly regulated industry sector such as finance, health care or energy the oversight mechanisms require a continuous analysis of risk based upon the criticality of these sectors to the overall resilience of the economy. Yet it is the "Outlier" incident that comes at the most unexpected time that is the real threat and the incident catalyst, that could be your "Black Swan". You never know when it is going to be coming, so you must plan, prepare and imagine that someday it will happen.

Enabling Global Operational Risk Management (ORM) requires thinking beyond models and outside the box analysis of the "Resilience Factor," should an outlier impact the organization, the state or the country. The resources, personnel and systems focused on these areas of risk are small today. But not for long. Just ask those people who had been working 24/7 since the "Fukushima" or "Lehman Brothers" crisis. Or more importantly, the plaintiff lawyers preparing their briefs for the inevitable aftermath of litigation over, who knew what, when.

One prediction into the future could be that litigation will follow all "Black Swan" incidents. If you are in a highly vulnerable industry sector because it's part of the critical infrastructure of the global grid, then you already know you are in the middle of the target zone. What is amazing to many in the after-action reporting is how much we continue to under estimate the magnitude of a lack of planning and resources devoted to these low frequency high consequence events.  Enter Target Corporation:
Is Target to Blame for Its Data Breach? Let the Lawsuits Begin 
By Joshua Brustein December 26, 2013 
The lawsuits started almost immediately after Target’s (TGT) admission that hackers had stolen information related to the credit-card accounts of 40 million shoppers. At least 11 customers are now pursuing class-action suits against the retailer, claiming it was negligent in protecting their data. 
Losing control of sensitive customer data is a fact of life for American companies. They’re collecting more of it, and they are often outgunned by hackers, who are highly motivated to get at it. It’s not even clear how much legal responsibility they have to protect it. “There is limited judicial guidance on what constitutes negligence in the cybersecurity area,” says Craig Newman, a partner at Richard Kibbe & Orbe who follows legal issues related to security.

No comments:

Post a Comment