Being Unprepared for the Crisis Does Not Make it a Black Swan
I may be going out on a limb and stepping on a lot of toes right now, and frustrating some careers and reputations among risk managers, but simply put, this global pandemic/crisis is not a black swan event. I am finding too many GRC and specifically risk management professionals trying to cover their behinds by claiming that the pandemic is a black swan. Being unprepared for a risk does not make the risk a black swan.
You may ask: what is a black swan?
A black swan is defined as an unforeseen/unpredictable event that has a significant impact on the organization (or industry, or economy). The term refers to how, in Europe, it was understood that all swans, as in the bird, are white. There was no concept of a black swan. Then an explorer overseas found a black swan and changed the paradigm of what swans are.
The truth is that we have had pandemics in the past. We have had threats of pandemics. We have been warned countless times about it:
- World Economic Forum Global Risk Reports. This has been on the chart of top risks by the World Economic Forum for years, including the most recent. It has been a topic of conversation in the past at Davos.
- Business Experts Have Pointed it Out. The most vocal being Bill Gates and his predictions.
- Governments Have Been Reporting On It. Look at this report from the Council of Economic Advisors from the White House.
- History Teaches Us. There has been a recorded history of pandemics, some recent, some going back hundreds of years.
The reality is that this should have been on the ‘risk radar’ of organizations, but for many it was not. Now there are a lot of risk managers trying to deflect scrutiny from themselves by claiming it was a black swan. Again, being unprepared for a risk does not make it a black swan.
I find that too many risk management programs (e.g., corporate risk management, enterprise risk management, operational risk management, GRC, IRM . . . pick your favorite label) have been hijacked by IT security, a department that really does not understand environmental, health and safety, and other risk areas that have a potentially big impact on the organization and its objectives. If we look at the WEF report, the top risks the world faces are environmental risks and health and safety risks.
Don’t get me wrong, IT security is a huge risk area; one of great concern that can impact the organization's objectives. My issue is that too many risk management programs have overly focused on IT security where it was not balanced and ignored other risks such as the pandemic we now face.
I would like to see the organization that has been tracking this: one that, on the corporate risk heat map (I am not a particular fan of heat maps and find them misleading and misused), tracked this as a high-impact, low-likelihood event six months back and can show how its risk monitoring moved this risk event, month by month and then week by week, to a high-impact, high-likelihood event. I would estimate that 99.9% of organizations have failed to track and monitor this risk with regular reporting at the board and executive level. Which of these organizations have actually quantified the risk and its various scenarios as it unfolds, putting actual numbers to the risk and its impact on the organization? Which organization has the best case study in how it has historically monitored this type of risk and been the best prepared for it?
I remember a decade back, coming out of the Swine Flu pandemic that cost 200,000 lives, that many organizations were building continuity plans and even doing cross-industry table-top exercises and scenarios to prepare for the next pandemic. Were any of the organizations that worked on this then ready now? Most closed the ledger on even recent history in their risk planning and monitoring.
Coming out of this crisis, we will see enterprise risk strategies that are more balanced with a broader understanding of risks to the organization’s objectives. Environmental, health and safety, quality, supply chain/procurement, and others will have a stronger and more active role at the enterprise risk management roundtable of the organization.
We are also going to see a lot of regulation across industries and around the world come out of this that is focused on operational resiliency. This is already happening in the financial services industry in the United Kingdom with the Operational Resiliency requirements from the FCA, PRA, and Bank of England. I predict we will see operational resiliency regulation that requires an integrated approach to operational risk and business continuity across industries and geographies.
What are your thoughts on this crisis and how unprepared organizations are but should have seen this coming?
Check out GRC 20/20’s upcoming webinars and events in this time of crisis . . .
- April 7 @ 8:00 am – 9:00 am CDT : Policy on Writing Policies
- April 8 @ 12:00 pm – 1:00 pm AEST : Agile GRC: from Theory to Reality
- April 9 @ 12:00 pm – 1:00 pm CEST : Operational Resilience in a Time of Unprecedented Uncertainty
- April 9 @ 1:00 pm – 2:00 pm EDT : Navigating Chaos: Engaging The First Line Of Defense In A Time Of Crisis
- April 14 @ 8:00 am – 9:00 am CDT : 3 Steps to Integrate Regulatory Change Management into Operations
- April 15 @ 10:00 am – 1:00 pm CDT : IBM RegTech Virtual Summit
- April 15 @ 10:00 am – 11:00 am CDT : Navigating Chaos: Effective Policy Management & Communication During a Crisis
- April 21 @ 8:00 am – 9:00 am CDT : Ensure Resilient & Agile Compliance in the Midst of Crisis
- April 23 @ 10:00 am – 11:00 am CDT : Risk and Compliance Pros: Distinguish Your Role in Uncertain Times
- April 28 @ 11:00 am – 12:00 pm CDT : Best Practices for Effective Policy Management
- April 28 @ 1:00 pm – 2:00 pm EDT : Navigating Chaos: Monitoring Risk In The Second Line Of Defense In A Time Of Crisis
- May 6 @ 12:00 pm – 1:00 pm CDT : Risk as a Team Sport: Taking a Cross Functional Approach to Risk Management
- May 12 @ 1:00 pm – 2:00 pm EDT : Navigating Chaos: Providing Assurance And The Role Of The Third Line Of Defense In A Time Of Crisis
- May 18 – May 19 : MetricStream GRC Virtual Summit US 2020
Cybersecurity Consultant | GRC | Compliance | Risk Management · 4 years ago
Perfectly stated! Good job challenging the profession... but would this better fit into business continuity and resiliency groups, who sometimes operate separately from core compliance teams?
Engage. Transform. Repeat | Optimium.in | Engagement Platform for Strategies, Plans & People · 4 years ago
Michael Rasmussen Very aptly put. My 3 cents: 1. We go through experiences (H1N1, cyclic financial meltdowns etc.) but it does not translate to knowledge, as most of the expertise moves away with people. Documentation and artefacts do not help much either. 2. We will forever remain reactive to most such instances that occur with long gaps (3 to 4 years or more). 3. I like the following statement in your post as it shows how tightly "Risks" are tied up to what an organisation does (in this case a geographically dislocated external risk's impact on operational preparedness). Karthik Shivaprakasam also mentions in his response below that we need an integrated approach. "I predict we will see operational resiliency regulation that requires an integrated approach to operational risk" I believe our categorisation of risks is lopsided (Operational, strategic, internal, external) as this itself creates silos in our approach to Enterprise Risk Management. As an Enterprise Risk professional, I do feel dismayed and lost. But this is not the last such response we will see. The next financial risk is already brewing and will soon be on the horizon. But then that will be another day!
Head of: Security, Investigations, Admin Compliance & Industrial Relations · 4 years ago
A superb account... Jumping straight over to IT Security to address a Risk mitigation project has been a common practice, sidelining the 'physical' Risk areas... The article aptly defines the importance of prioritizing the 'actual' threats, especially in today's Corona-struck environments....
Head of Enterprise Risk Management at riskHive Ltd · 4 years ago
Hi Michael, I completely agree – I was thinking the same thing. Perhaps the speed and the action of governments has taken a few people unawares – but (not claiming to be an epidemiologist) surely this is the nature of a pandemic? Perhaps the term is just being used ‘incorrectly’ - I have heard the term Black Swan a lot in the media, and you know what they are like with buzzwords! I hope that this horrific experience will prepare us better for the next time (as there will be a next time) and that we really learn from this. The consequences of this will be felt for years and in ways that I have probably not even thought about. Off now to read up on Grey Rhinos as I confess I have not come across that term yet... an opportunity for all of us Risk Professionals to learn more and support our businesses better for the future.