Showing posts with label Black swan. Show all posts

Friday, February 14, 2020

Enterprise Risk Management, BC, COOP

Blame woes
On imaginary
“Black Swan”

 

AN ARTICLE IN ENGLAND'S The Guardian with the headline Businesses worldwide count cost of coronavirus outbreak (https://tinyurl.com/vc3t3yv) quoted the boss of China’s biggest listed company, Alibaba, as describing the coronavirus outbreak as a “black swan” event that could have a significant economic impact.

 

“Black Swan”? No.

Peking Duck, maybe.

Incompetent risk management planning: ABSOLUTELY.

 

Black Swan defined

According to England-based The Business Continuity Institute, a “Black Swan” is an event that strikes as a surprise, with a high impact on those affected. The Black Swan Theory was coined by Nassim Nicholas Taleb in 2007 and it revolutionised the way organizations think about risk management and forecasting. (https://tinyurl.com/r4zo5gg)

One of the main messages the author tried to convey is that current risk models are not efficient enough and hard-to-predict disasters can occur due to lack of perspective, the article continued.

I was, for many years, a risk management practitioner; I even was certified by The Business Continuity Institute (BCI), despite having some severe philosophical problems with it.

“Black swans” was one of the issues on which The BCI and I parted ways.

 

 

Practitioner’s cop out

To this scrivener, a “Black Swan” is a cop out. It shows the practitioner held too narrow a “perspective” — which may have been determined by the client — and a pathetic lack of knowledge of history.

 

Are rapidly spreading diseases something new in 2020? World War I claimed an estimated 16 million lives between 1914 and 1918. The influenza epidemic (H1N1) that swept the world in 1918 killed an estimated 50 million people. (https://tinyurl.com/j27npgb)

There is plenty of recent history of rapidly-spreading disease.

A quick search of the WWW turns up a Centers for Disease Control and Prevention (U.S. CDC) page titled Influenza (Flu) Past Outbreaks. (https://tinyurl.com/yx5l2h5r)

So where is the “Black Swan”?

 

Absences by the thousands

All along the supply chain, deliveries are interrupted.

Quarantines by governments stop or delay shipments.

Absences of personnel disrupt deliveries.

Vendors’ vendors fail to meet service level agreements.

Vendors fail to meet their customers’ service level agreements.

Sales personnel either are absent or quarantined to a specific locale.

Manufacturing slows or stops for lack of raw materials and personnel to turn these raw materials into product.

Office staffs are reduced to skeletons so A/R and A/P are delayed.

Finished products remain on the shelf.

Customers cannot sell products they don’t have (the manufacturer being a vendor).

Dominoes.

Every time there has been an epidemic, the supply chain takes a hit. The more wide-spread the epidemic, the longer the duration of the epidemic, the greater the impact.

Has this scenario ever played out before?

Yes, yes, and yes again.

So where is the “Black Swan”?

 

Narrow perspective

Too many practitioners are little more than IT Disaster Recovery people with a new title: “Business Continuity.”

Even many Business Continuity planners think only in terms of facility.

There HAS been some interest in supply chains, but this interest usually terminates at the critical vendors.

I was fortunate to work for American Express on a contract basis many years past. The Amex group for which I was engaged utilized vendors for almost everything.

One of the things I recommended, and my Amex boss agreed, was to have each vendor provide Amex with the vendor’s business continuity plan. Amex realized that a few vendors had good plans, a few not so good plans. Each plan was critiqued and the critique returned to the vendors. Amex knew which vendors could be expected to meet their service level agreement “no matter what,” and which vendors needed a secondary (alternate) vendor as backup.

 

Playing the “What if?” game

If a practitioner is thorough, that person will talk with everyone in the profit center and ask: What if? What could possibly go wrong?

This works best with groups of people; one idea generates another. No idea is too far fetched. (That’s why planners have risk vs. probability charts.)

Practitioners who think, having done one plan for a customer in Enterprise A, that they know everything there is to know about ALL Enterprise A organizations need to be disabused of this faulty notion “yesterday.” Like snowflakes, no two are alike.

 

Ubiquitous other

When we worked together, my friend and IT guru, Ace Jackson, would be amused that all of my risk lists included at the end: “ubiquitous other.”

The risk may have been a “Black Swan,” but since we were looking at the entire operation and what might happen if a risk we failed to consider occurred, we still were confident that the organization had mitigated “whatever it is” and could recover from “whatever it was” based on The Plan, The Training, and The Plan Maintenance.

My “ubiquitous other” may have been, strictly speaking, a “Black Swan,” but it still would not be able to impact the organization the way the coronavirus has impacted many of Alibaba’s customers.

 

Black swan? It’s a lazy practitioner’s cop out.



PLAGIARISM is the act of appropriating the literary composition of another, or parts or passages of his writings, or the ideas or language of the same, and passing them off as the product of one’s own mind.

Truth is an absolute defense to defamation. Defamation is a false statement of fact. If the statement was accurate, then by definition it wasn’t defamatory.

Web sites (URLs) beginning https://tinyurl.com/ are generated by the free Tiny URL utility and reduce lengthy URLs to manageable size.

 


Sunday, September 1, 2013

ERM-BC-COOP:

Futurist SME

You can find things of ERM interest in many different places.

I’m reading a novel* that involves organogenesis and some Wall Streeters who were buying life insurance policies at 15 cents-on-the-dollar from people with diabetes and other life-shortening diseases, people who due to the economy or cost of medical care were unable to continue paying policy premiums.

The ERM connection is that the Wall Streeters thought they had covered all the bases to assure their scheme would be highly profitable - the Wall Streeters would buy the policies, pay the policy premiums for what they expected to be a limited time, and then collect the policy's face value when the former policy owner died. They even hired a company to "run the numbers" based on actuarial statistics to assure the worthiness of their scheme.

Unfortunately, the Wall Streeters and their statistics vendor were putting their eggs into the proverbial basket based on history. They overlooked near-future possibilities such as the development of test-tube organs (organogenesis).

Moneyman: “You guys didn’t see this coming?”

Wall Streeters: “It’s a once-in-a-century breakthrough; you can’t do projections for being hit by an asteroid.”

No one - neither the statisticians nor the Wall Streeters - apparently was aware that growing replacement organs for human transplantation was as advanced as it is; in particular organogenesis of the pancreas, the critical organ for diabetes patients.

It's a good yarn, and for ERM practitioners it offers a lesson, perhaps several.

Most ERM practitioners look at statistics - call it "historical facts" if you will - to try to ascertain what threats are possible and probable for any given organization. What are traffic patterns? What do the neighbors do? What is the MTBF and MTTR for critical hardware; computers, mailers, PBX, etc.? What are the environmental risks: hurricanes, floods, earthquakes, tornados, etc.?

We also are concerned with an endless series of "What ifs." What if a vendor fails? What if a primary client cancels a contract?

What we usually don't consider is where are science and technology going?

The product or service need not be sophisticated or high tech. Consider light bulbs. Who would have guessed that the government would mandate CFLs and effectively ban manufacture and sale of incandescent bulbs?

Shedding light on more bulbs, who predicted that automobile headlights would shrink from large sealed beams to tiny halogens?

For the Wall Streeters in the novel, the advanced stage of organogenesis was a "black swan," but it should not have been a swan of any color. While the Wall Streeters thought they had done "due diligence" by relying on historical information and by engaging a statistics firm to "run the numbers," they overlooked both the current stage of organ growth and the speed at which the process was advancing.

In the novel, there was information available on the status of organogenesis. Perhaps not anything useful on the internet, but within medical literature there was sufficient to cause the Wall Streeters to reconsider their scheme before moving forward. Unfortunately for the Wall Streeters, no one thought to read the available literature.

Why would they seek advice from the medical community? If you are betting a segment of the population (diabetics) will die at a relatively young age, it behooves you to know (a) what is killing these people and (b) what treatments are available to extend life.

Obviously, if the product was headlights, investigating medical issues would be of less importance. The type and depth of research will vary by product or service. (Any organizations ramping up to support CP/M systems? Not likely.)

ERM practitioners need to include futurists - or at least people with a curiosity of what's both possible and probable for all things that could interrupt "business as usual," including new developments by competitors - as well as Legal, HR, Finance, Production, Insurance, and too-many-other internal and external functions to list - to get a total view - yesterday, today, and tomorrow - of the threats facing an organization.

Futurists need to look not only at science and technology, the issue in the novel, but also politics (will the president order an attack and if so, when, how much, with what?), keeping in mind the organization's product (e.g., missiles, ships, MREs) and services (fleet maintenance, fuel, R&R).

Someone, and the ERM practitioner need not be that "someone" but the practitioner should press to assure there is a "someone," needs to look at threats that might be coming from all directions. Prioritizing the threats and implementing means to avoid or mitigate the threat normally remain management functions. However, failing to at least gaze into the crystal ball fails the due diligence test, just as the Wall Streeters failed to investigate issues that could impact their product.

I always stress the importance of keeping up with the news; reading physical and digital newspapers and magazines, particularly trade publications; I'll now add "books from the Local Lending Library" to the list.

A good yarn, with a good lesson for ERM practitioners as a bonus.

 


* Death Benefit, Dr. Robin Cook, ISBN-13: 978-1-4104-4494-3

 

If I wrote it, you may quote it.

Monday, April 22, 2013

ERM-BC-COOP:

No longer a “black swan”

 

According to a Global Security Newswire (GSN) release titled 'Soft Targets' Remain Vulnerable to Terrorist Attacks, “so-called soft targets -- places like malls and movie theaters, as well as sporting events -- always have been vulnerable to terrorist attack, especially given how much harder it is to attack aircraft since 9/11.” (http://tinyurl.com/d4d885s)

Now you know and the swan is slain.

“Soft targets” are, for the most part, targets that should have risk management plans in place. Those plans must, if they are to be complete, consider how to mitigate a crazy’s attack and how to respond when it happens.

I do NOT believe attacks can be prevented 100 percent. But attacks can, and must, at least be mitigated.

    Yes, there are some measures that can be taken depending on the venue and the availability of trained personnel, equipment, and the funds to put all this into place, but I know that unless there are frequent attacks, we will slide into the “it can’t happen to me” mentality.

WHAT mitigation factors can be put into place depend in part on the venue.

In all venues, training staff to be aware of their surroundings and the behavior of the people at the venue is, I am convinced, the single most important and cost effective measure to implement. There is more to this “awareness” than just looking for unattended objects, although that is a critical part of the program. Awareness includes noticing unusual-for-the-venue smells, a change in lighting, and, again, human behavior.

Being a people watcher may seem to be “profiling” and the U.S. Supremes (stupidly) prohibit profiling, but in this case the profiling is not racially based nor apparel based or even age or sex based. “Profilers,” if I may use the term, are looking for actions - or perhaps inactions; is someone going against the flow? Failing to go with the flow?

I am most assuredly not a profiler, but there are people who have developed this skill and their expertise should be employed to train others.

Let’s assume that a suspicious object is discovered.

What is to be done?

Clear the area of all non-essential people.

Surround the object with material to contain an explosion.

Oops. Where is the material to contain an explosion?

Waiting for the local bomb disposal unit to arrive on scene may be too late. Translation: practitioners need to talk with bomb experts to find out what materials can be used to contain an explosion, where to acquire same, and how to store it.

    Meanwhile we are entering some murky legal morass. Who is going to risk their life to dress the potentially explosive device? Are there volunteers? Time to bring in the legal staff; remember this is risk management, not just “business continuity” and must consider risks beyond the immediate one at hand.

The GSN article correctly, I think, concludes that “The idea of placing a metal detector in every mall in the U.S is not realistic. So, what’s stopping a terrorist from going to a department store or a sporting event and causing mass casualties?”

The bottom line, according to both this scrivener and GSN “is simple and for those in Washington well-known: If you see something, say something. Homeland Security officials consistently say that everyday Americans should continue to stay vigilant and aware of their surroundings.”

However, since the average person lacks awareness training, and since the typical facility lacks the funds to monitor every corner at all times – which could be illegal and an invasion of privacy – individual awareness training of all regularly on-site personnel is the only logical defense.

In a mall environment, that means not only training guards, but training store and maintenance/cleaning personnel as well. A central clearing point – an always attended phone – must be known to all so that if anything seems amiss, the anomaly can be reported and the report acted upon (e.g., clear the area, call 9-1-1).

No one wants to think “something” might happen to him or her, but it does.

We cannot prevent all attacks, but we can reduce the risk and mitigate those that occur. It begins with awareness.