ISACA Journal
Volume 3, 2016

Features 

Black Swans—From Expecting Risk to Expanding Technology 

Mustafa S. Poonawala, CISA, ITIL 

In today’s world, one of the fastest-growing and changing aspects of human lives is technology. Almost every day, a new idea pops into the market and, in turn, it gets more difficult to keep up with this lightning pace. This leaves organizations vulnerable and open to “black swans.” Nassim Nicholas Taleb’s theory of the black swan is, in short, a rare, unpredicted and unknown event with significant impact.1 Every organization, big or small, faces its own black swan and there is little one can do to avoid it. What can be done is taking steps to ensure that its impact is minimal.

The concept of the black swan, though introduced over two decades ago, is still not widely assimilated in the mainstream market. Many organizations are not aware of how to deal with it. In fact, many small to mid-sized organizations still do not understand the risk of data loss or cybercrimes and are woefully unprepared to face them. Programs like disaster recovery/business continuity management (DR/BCM) and cybersecurity are still new and not widely used. A survey by Deloitte comparing awareness and commitment of executive management to implementing these programs states that: “In somewhat smaller (but still large) companies with 10,000 to 50,000 employees, aware management outnumbered committed management by a substantial margin: 62 percent to 38 percent.”2 A survey of 200 IT security executives working for utility companies found that 40 percent believe their industry’s vulnerability toward cybercrime has increased and about three out of 10 believe their company is not prepared for a cyberattack.3

The question is, should these companies plan for a black swan if they are not yet ready for basic security measures? The answer is that if an organization is ready for a black swan, it is ready for anything. So, how should an organization go about it?

Each company, based on its size, prepares differently for a crisis. Every organization has its own opinion about what could go wrong and what is the best mitigating solution. “You can’t prepare for an event, but you can prepare for the impact,” says Nancy Green, executive vice president, strategic account management, Aon Risk Solutions. “For that, companies need to step out of their day-to-day operations and think in terms of institutional readiness for the future.”4

In simple terms, preparing for a black swan needs a two-way approach: expecting the risk and expanding the technology. Such an approach ensures that all the aspects are covered and everything humanly possible is done to reduce the impact.

Expecting Risk

The old saying “hope for the best, prepare for the worst” aptly describes how a black swan should be handled. Companies should design and reevaluate strategies and programs on a continuous basis to ensure that they can minimize the impact on the organization. Nearly every possible risk should be expected and strategies should be tailored to meet them. While designing a strategy, the following questions should be kept in mind:

  • What is the value to the organization—the data, brand, resources, etc.?
  • From what kind of threats does the organization need protecting—environmental, economic, political, societal or technological?
  • What is the maximum number of threats expected in a single instance?
  • How many threats can repeat within a three-year period?
  • Is the executive committee aware of the threats, and is it ready to fund the defense against them?
  • Does the organization have the expertise to mitigate the threats?
  • How big of an impact can the organization survive?
  • What is the minimum time for recovery?
  • Has the new strategy or solution been stress tested? Has it been evaluated for the impact?

Expanding Technology

Once a strategy is in place, it is time for action. An organization should utilize every resource (human, creative, technological, environmental) that is available to it and prepare a business continuity management (BCM) program as per the decisions made in the strategy. The BCM program should include the following elements:

  1. Tailor the BCM program—An employee was explaining to the owner of the company the advantages of having a geographically remote backup solution. While speaking, he said that even if they faced a tsunami, their data would be secure and retrievable. The owner replied, “What if I, as the owner of the company, am not saved in the tsunami?”5 The point of this anecdote is that it is essential to ascertain the limit of a BCM program. As Kathleen Lucey states in her article “10 Steps to Building a Black Swan-free BCM Program,” first, determine to what extent of crisis the organization wants to survive. Second, define the extent and scalability, which will depend on the value of information. It is not just the data of the organization as a whole, but each department will have different ratings, impact and value. Third, get support and funds from the executive committee. Fourth, develop different kinds of plans, including individual business unit plans, emergency management and communications plans, logistics support plans (i.e., physical security, insurance, restoration, move, employee support), and IT infrastructure and individual IT application plans.6
  2. Unify a diverse culture—In 1653, the Taj Mahal was designed to survive earthquakes. Delhi, India, is not an earthquake-prone area, but the architects who designed it came from such a location and added this layer of security. As modern-day globalization is mixing cultures and societies faster and more homogeneously, a diversified approach to security is available. For example, a technical person from India might create frameworks focusing on power surges, while an American might focus on safety against storms and hurricanes. So mixing cultures in the technological field could bring out more valuable thoughts and solutions in a BCM program in order to mitigate the impact.
  3. Innovate beyond innovation—Leonardo da Vinci is considered a great thinker who had ideas far ahead of the technology of his age. The need of the hour is innovative management that takes into consideration the possible risks and threats that do not yet exist and imagines the impossible. Such creative and critical thinkers reduce the impact on the organization.
  4. Acquire certifications and expertise—Big data arrived in the early 1990s, and the big keeps getting bigger; in fact, it is now vast. The pace of its growth has brought challenges. Certifications play an important role in providing the benchmarks to handle these challenges. But because the field of study in many areas is so vast, a basic certification or foundation course may not be enough. Therefore, deeper expertise in any course is mandatory. As black swan sightings are increasing, specialized certifications in black swan management may come to be.
  5. Understand human nature—The pressure is immense when a crisis hits. It has a negative effect on human nature, which diminishes the power of positive thinking. Under pressure, humans tend to make more mistakes. After the crisis hits, who is the person to take responsibility? Will the stakeholders and the steering committee take responsibility if their reputations are at stake, or will they shift the blame onto the technical personnel? So, when hiring, it is important to understand that a) human nature and a person’s skills play a more important role than his/her certifications, and b) no matter what advanced technology an organization invests in, the human factor will always play the biggest role in navigating through it.
  6. Implement artificial intelligence—The age of artificial intelligence (AI) has been ushered in and it is making tremendous headway. Companies are producing robotic solutions for many areas of life such as home servants, smart houses and vehicle automation. The advantage of implementing AI in a black swan situation is that there might be a higher rate of success in working out solutions during a crisis because AI could be designed for exactly that purpose. These AI processes would be automated and self-triggered and could give organizations an edge when mitigating the adverse effects (both on the company and its employees) during and after a crisis.
  7. Train key stakeholders—Currently, many seminars and conferences are conducted on current topics in the field of IT. Not only do attendees exchange information at such gatherings, but they also gain better understanding of various BCM cultures in different organizations. Thomas Keegan of PricewaterhouseCoopers says, “No matter how experienced you are in business continuity or the wider field of organizational resilience, there is always something new to learn.”7
  8. Transfer risk—This is a common term known to the stakeholders of any company. Basically, it gives a third party the responsibility to handle risk-related situations and asks them to respond during the sighting of a black swan. But why should you do it?
    • To utilize expertise—“Seek help in any profession from its experts.”8 Certain companies specialize in the field of DR/BCM and can provide solutions tailored to individual needs. So consider handing over the problem to people who know what they are doing.
    • To avoid pressure—It is important to think not only of the pressure of responsibility and accountability during a crisis or while executing a DR plan, but also of the personal pressure on the people involved. If a natural disaster hits a city, the technical person responsible for DR will be thinking not only of the welfare of the company, but also of his/her family. So, if the organization has hired an offshore company to handle DR/BCM, in certain crises that company can provide better help than the organization’s own resources.
    • To prevent blame games—It is not only the risk that is transferred, but also the responsibility. It is a win-win situation for the company, as the outside company is free from internal politics and is in a better position to create a BCM program with surgical precision.

Conclusion

Modern society is surrounded by every sort of risk. No matter where in the world one looks, there is either a political, social, economic or technological crisis. This has exponentially increased the risk of black swans and the only way to be ready for them is to keep these points in mind:

  • Constantly evaluate the organization’s strategy.
  • Human nature and skills are vital, but they are generally neglected.
  • Certification is a benchmark for any kind of skill.
  • Innovation and critical, aggressive thinking help reduce the impact of a crisis.
  • Collaboration is the key to getting the job done.

Organizations cannot stop a threat; they can only reduce the impact of the risk.

Endnotes

1 Taleb, Nassim Nicholas; The Black Swan: The Impact of the Highly Improbable, Random House, USA, 2007
2 Deloitte, “‘Aware’ vs. ‘Committed’ Where do You Stand? Business Continuity Management,” December 2013, www2.deloitte.com/content/dam/Deloitte/be/Documents/risk/be-aers-ers-bcm-aware-vs-committed_Dec2013.pdf
3 Preen, J.; “Cyber-Attacks, Black Swans and Business Continuity Management,” Continuity Central Archive, 6 March 2011, www.continuitycentral.com/feature0880.html
4 Aon, “Black Swan Events Are on the Rise. Is Your Business Prepared?,” Aon One, Q1 March 2011
5 Aon, “Black Swan Rising,” Aon One, Q1 March 2011
6 Lucey, K.; “10 Steps to Building a Black Swan-free Business Continuity Management Program,” Continuity e-Guide, 2013, www.disaster-resource.com/newsletter/2013/subpages/v425/meettheexperts.htm
7 Business Continuity Institute’s Middle East Conference, Doha, Qatar, May 2015
8 Rasa’il al-Ikhwan al-safa’ (Treatises of the Brethren of Purity). The author of this book is unknown. The scholar whose quote is taken in the article is not named in the book.

Mustafa S. Poonawala, CISA, ITIL
Has more than 14 years of experience in the field of secure software development and IT service management. Currently, he is working as a software analyst with Protiviti.


Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.