GRCTuesdays: Coronavirus pandemic: black swan or poor risk management? – Part 1

I was pleased to take part in the virtual risk forum run by one of our partners, Turnkey, last week, to present this topic. The full session can be viewed via their website, but I wanted to pick out some key aspects from that session in this blog and expand on some of them in the second part.

The underlying question was: should the Covid-19 pandemic have been anticipated or at least could it have been managed better, or was it a black swan event?


What is a black swan event?


Based on Nassim Nicholas Taleb’s criteria, a black swan event has three characteristics:

  • The event is extremely rare, and a surprise to the observer (i.e. unpredictable)
  • The event has a major effect, with severe impacts on several areas
  • After the first recorded instance of the event, it is rationalized by hindsight as if it could have been expected (i.e. the relevant data were available, but unaccounted for in risk mitigation programs)

Previous black swan events would include the rise of the internet, the personal computer, the terrorist attacks in the US on September 11, 2001, and the crash of the USA housing market during the financial crisis of 2008.

(Quick references: Black swan theory, Wikipedia; Black Swan, Investopedia, 2020.)

One consequence of something being labelled a black swan event is the get-out clause this gives us: no one could have expected this, so don’t blame me for my part in the consequences that affect you.


Recent pandemics


Is the Covid-19 pandemic a black swan? It satisfies a number of the points above except in one key aspect: rarity and unexpectedness. From the table below, a selection of recent pandemics, it is clear that pandemics are the opposite of unexpected. And there have been 2 previous coronavirus-based pandemics specifically in the last 20 years.

Sources: 20 of the worst epidemics and pandemics in history, Live Science, 2020. Visualizing the History of Pandemics, Visual Capitalist, 2020. Pandemic, Wikipedia. Past Pandemics, CDC.


Many voices have also been warning us about the impact of pandemics: Bill Gates, whose TED talk in 2014 highlighted our lack of preparedness and misdirection of spend; the National Academy of Medicine, which warned in 2016 that we should be investing $4.5 billion annually to help prevent the impact and spread of pandemics; and Nassim Nicholas Taleb himself, who states in an article with Mark Spitznagel this year that Covid-19 is not a black swan but a white swan: something that would eventually take place with great certainty.

We shouldn’t really have been surprised by the global impact of Covid-19 either: the financial crash of 2007/2008 had already shown us that key parts of our economy and lives are deeply interconnected. And since then finance, production, distribution, commerce, national infrastructure and our personal lives have become even more interconnected through big data, the Internet of Things, integrated business systems, low entry points for hand-held devices, 24×7 uninhibited communications, the ease and frequency of global travel by choice, increasing global migration from desperation, and so on.

Perhaps it is the emotional impact of Covid-19 becoming so personal to so many of us around the world at more or less the same time, with instantaneous sharing, that fuels the instinct that it must have been a black swan, rather than the statistically probable pandemic it was.


Business Culture and Operations Re-imagined


What is not so well explained is what to do differently, to deal with high impact events like pandemics. What can companies do, on top of all the other competing priorities they have, to run a business? The short answer seems to be to ensure business or operational resilience.

But before we all rush towards this as the next ‘fashion topic’ of 2021 RFPs, let’s first look at what needs to be in place for this to actually work, in other words to actually deliver on its important intended outcomes.

It’s fair to say change is necessary. But what sort of change is necessary to reinforce businesses and organisations to help them deal with events like pandemics?

First I want to refer to Nassim Nicholas Taleb again, because his book Antifragile discusses just the sort of concept I believe companies need to adopt culturally, operationally and strategically. And I think it’s very helpful to talk about the overarching concept, before we get into a risk terminology debate which I see as often divisive and unedifying.

In summary, he defines fragile systems as those damaged by disorder (and more likely to fail), robust systems as those unaffected by disorder (but with no learning), and antifragile systems as those that benefit from disorder (they grow and strengthen). Antifragile systems and businesses are more likely to be able to deal with a negative black swan and with volatility in business. And, as importantly, they are also more likely to benefit from a positive black swan – yes, they exist too!

He says: “…[antifragility] is behind everything that has changed with time: evolution, culture, ideas, revolutions, political systems, technological innovation, cultural and economic success, corporate survival, good recipes (say, chicken soup or steak tartare with a drop of cognac), the rise of cities, cultures, legal systems, equatorial forests, bacterial resistance … even our own existence as a species on this planet.” (Antifragile, Nassim Nicholas Taleb)

Second, dipping into emerging statutory responses to protect companies – and, let’s face it, economies – from events like this, there is the recently issued discussion paper on Operational Resilience from the UK’s financial regulators: the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority. There is a good discussion in International Banker, March 2020, by Howard Womersley Smith, but I want to pick out a few elements which, although aimed at Financial Services, apply equally to any industry (italics and {} are mine):

  • Identify important business services {and goods} by considering how disruption to these services could impact beyond a firm’s own commercial interests {…so not just internal}
  • Set impact tolerances for each, quantifying the amount of disruption that could be tolerated during an incident
  • Understand and map systems and processes needed to support the services
  • Set measures to keep those systems and processes within the defined impact tolerances
  • Test them using plausible scenarios, including outsourcing and supply chain in the scenarios

I would argue this is also a summary of a three lines of defence approach and an internal controls process. It should form part of a framework and process for an antifragile business. The corollary is that a well-executed three lines of defence approach and internal control framework will go a long way towards meeting a future operational resilience requirement.

Third, I want to highlight what I have often experienced in software sales and implementation cycles: organisations move from one crisis to another, ‘fixing’ the problem, often within the boundaries of a business silo. Tick the ‘solve the crisis’ box, move on to the next one. Connectivity and integration with other solutions and processes outside the silo is often difficult, or is not pursued at all. This is what concerns me about rushing into Operational Resilience: it must be fed with prioritised, accurate, current and complete information – for example from a working risk management process with an aligned information taxonomy and a single version of the truth.

I worry Operational Resilience programs could become victim to the ‘garbage in garbage out’ syndrome.


I will continue this topic in the soon-to-be-published Part 2 of this blog.

  • Interesting point about “…organisations move from one crisis to another ‘fixing’ the problem often within the boundaries of a business silo. Tick the ‘solve the crisis’ box, move on to the next one.”

    I have found this to be the case as well, especially in those IT shops that score lower on the IT maturity scale. That lack of cohesion across the silos leads to expensive problems down the road and administers on the constant upgrade/patch wheel. The bane of innovation…

    • Yup! Thanks for the comment, Peter.

      And I get frustrated, because it leads to massive internal inertia (the bane of innovation), poor information sharing and high maintenance costs. I like the related term Technical Debt in software: the implied cost of additional rework caused by choosing an easy (limited) solution now, instead of using a better approach that would take longer.