Seeking and Planning for Threats

Over the last two days I’ve been delving into why it’s critical to plan for bad times—or for the specific negative phenomena that can undermine your strategy, and as have a reasonable probability of occurring.

Of course, the problem with this admonition is that it’s not easy to decide what has a reasonable probability of happening. And our psychology pushes us toward giving pessimistic changes a low probability. But, if you use good, objective models to make these assessments, you end up with at least relative estimates of likelihood. Enough to tell the difference between those changes with infinitesimal likelihood, and those that are genuine threats.

In other words, you probably don’t need a plan for invasion by Martians. But you should craft a way to contend with a natural disaster, a recession, a supply chain stoppage, a dearth of new investment, or a ransomware attack.

Insurance vs Strategy?

For some of those, it may seem like the plan is simple: insurance. But, while insurance is a good start—it is not a strategy.

The difference between insurance and strategy is noteworthy. And it’s not a distinction we often make. Having lived through a couple of hurricanes, I can report that, while insurance was a helpful hedge, it contributed almost nothing to the real, on-the-ground recovery and (for my own business at that time) pivoting as the entire market for my business vanished overnight, and my existing clients had completely new needs and problems to solve.

Yesterday, we talked about the way that scenario planning explores those changes and how they will impact our plans and our projections. At the very least, scenario planning illuminates those possible changes. But identifying threats is insufficient - we need signals that tell us to change course and respond to imminent changes. Ideally, we want to get those signals as far in advance as possible, so that we have time to course-correct.

Little Bighorn and Turkeys

History provides many examples of leaders clinging to sinking ships when the conditions changed and annihilated their prospects. They persisted without change despite clear signals of doom, and despite their own cognitive dissonance. The examples are legion, from Custer at Little Bighorn to Napoleon’s invasion of Russia. Organizations exhibit similar tendencies, discounting evidence that their strategy is faltering.

Of course, there are risks that we can’t anticipate. While it may seem less so in hindsight, the Covid 19 pandemic was not on any organization’s scenario plan. Perhaps it could have been, but it fell into a category of risk that would have seemed immeasurably small in 2017.

That’s the kind of danger that reminds me of Nassim Taleb’s turkey problem. The turkey is fed by the kindly butcher for 1000 days and every day’s feed increases the statistical strength of the turkey’s belief in his own safety and the butcher’s kindness…. until day 1000.

While we don’t want to be like that Thanksgiving turkey, we can’t possible anticipate every outlying possible problem. But we can build processes to identify risks in advance of their irreparability. That demands creating not just signals for known threats but signals for changes that will only become destructive through second and third order effects. That’s a genuine danger.

Don’t mistake the absence of evidence of a threat for evidence of the absence of threat. Threats originate in domains we may be ignoring and as radiating phenomena. [Tweet this thought.]

Waiting for a New Oven

When I say that threats can come from unlikely domains, I mean they can be second or third order threats that have unusual origins.

When China began to lift lockdowns and re-open factories, supplies started to flow back onto ships. But because the timing was a deluge rather than the staggered schedule of normal times, port capacity was too low for the number of container ships. Whether in Los Angeles or Miami, ships sat at anchorage for weeks and months, waiting for dock space to unload.

The second order effects were ubiquitous. But few businesses anticipated the disruption —both when supplies were low because of shuttered factories— and again, when they were slow to arrive because of port traffic jams.

Carmakers couldn’t get critical parts, leaving new vehicles unfinished on lots. Construction projects stalled waiting for materials. If you needed a new refrigerator or to get a part replaced on your car, you might wait 6 months.

A few organizations built robust plans anticipating these second-order risks. Toyota stockpiled chips and began pivoting its logistics early in the pandemic. They also developed custom pandemic playbooks after past crises revealed over-reliance on just-in-time delivery.

Of course, most organizations did not use the pandemic to reinforce their ability to handle these kinds of threats. In a PwC survey, only 36% of executives said their pandemic response included mitigating indirect impacts on other sectors.

Fractals

Traditional planning often assumes linear cause and effect. But reality branches like fractals. A heat map illuminates risks radiating from an initial disturbance. Second-order effects cascade into third-order, and so on. Mapping and monitoring these chains creates a strategic early warning system.

War gamers call this process “branches and sequels.” Planners chart hypothetical decision points branching into alternative scenarios, rehearsing responses. While I’m not a huge fan of war as a metaphor for business, strategy is strategy. And whether you’re fighting a military foe, or trying to overcome the challenges of a competitive market and an opaque customer base, you need to do the work of branches and sequels.

Crows Nest Process

Similar imagination exercises envisioning multi-step implications from market or technology shifts are important for strategy in organizations. It equips you to anticipate decision points and have new tactics at the ready.

There are lots of easy-to-overlook risks. The rare but fatal ones are often called “black swans”, but there are also “grey rhinos”. Those are the threats of neglect or disinterest; technical debt, crumbling infrastructure, even something as trivial as poor passwords. They’re insidious but deadly.

One approach is to appoint a person or team who scan both the outward horizon and insights from the organization’s employees. Coupling that expertise and remit to a process for doing the branching work of looking for second order effects can hedge against those risks.

The pandemic demonstrated that rare “black swan” events do transpire. And those unpredictable shocks have predictable impacts like straining hospitals, rattling markets, and increasing cybercrime.

When you’re developing strategy, pay special attention to threats and possible obstacles by doing meticulous scenario planning that you stress test with “pre-mortems”. These are imagination exercises in which you put yourself in a future in which the plan has been an abject failure. Given that as the outcome, the team must then reconstruct the story of why it failed. By casting it as a backward-looking exercises, it changes our perspective. It alone may help identify possible plan weaknesses that could be reinforced.

There are lots of models, tools and approaches. But fundamentally, there is no way to even begin this process without a willingness to put aside the abiding pressure for “positivity” and optimism. That’s a crippling cultural artifact. And if you take nothing else from these 3 article series, I hope it is a strong sense of skepticism about the admonition to be positive!

Watching for unexpected threats is fundamental to many technical leader roles, including CTOs and CISOs. But it can be lonely, and under-supported. The Leaders Lab Mastermind program is specifically for technical leaders who want to build their skills, their leadership, their communities and create lives they love. Schedule a call with me or learn more here.