The term “black swan” has captured the imagination of many a manager and pundit. Unfortunately, most managers misunderstand it. As a result, they fail to properly prepare their organizations for black swan events.

Nassim Taleb, who coined the term black swan, defined it as having three characteristics: a rare event, with massive impact, which is unpredictable (except in retrospect).

While most people understand that a black swan is a rare event with massive impact, few comprehend the implications of its unpredictability. This incomplete understanding of the nature of a black swan leads managers down a dangerous path. They waste their time attempting to hunt for black swans that could befall their organization in the hope that they will be able to prevent them (i.e., reduce their potential likelihood). But, by definition, black swan events aren’t predictable. Therefore it’s futile to invest a lot of effort into trying to avoid them.

Instead, a much better use of resources is to focus on building resilience to black swan events when they inevitably occur. Effective resilience demands a high level of preparedness. However, preparing to manage black swan events is different from preparing for more predictable risks. With a black swan, it isn’t possible to predict the event. Therefore, the secret is to focus on determining where the organization is vulnerable and then shore up the weaknesses in its risk response capabilities. In this way, the organization becomes resilient to a whole host of (unpredictable) risk scenarios that could pierce its defenses.

A good example of this is the Y2K issue of the late 1990s. It prompted many organizations to identify their vulnerabilities with respect to information technology. The subsequent preparations made the dawning of the year 2000 a non-event.

When the World Trade Centre’s twin towers fell in September 2001, many of those companies affected were able to dust off and implement the crisis management, business continuity, and disaster recovery plans they had prepared for the Y2K threat. Although the companies hadn’t planned for the September 11 risk scenario in particular, Y2K had forced them to think through a key vulnerability (their dependence on information technology) and their Y2K preparedness efforts paid off by helping them to bounce back from the massive impacts of the unpredictable September 11 event.

History has taught us that black swan events are rarely due to a single underlying cause; rather, they result from multiple, often unrelated, factors that combine to produce catastrophic impacts. However, because most organizations analyze each of their risks in isolation, they fail to understand their exposure to interdependent risk drivers in their business environment.

An excellent technique for understanding the complex relationship between risks is the influence diagram method. It is a simple, visual technique in which risks (shown as ovals) and objectives (shown as diamonds) are connected by arrows that define their relationship to each other. To construct an influence diagram, one begins with an objective and asks: “What risk factor can directly influence (i.e., drive uncertainty in) the achievement of this objective?” Then for each risk identified, one fans out by asking the question, “What can influence this risk?” The process is repeated until all key risks are identified and the relationships between the risks are defined.

The influence diagram methodology is powerful for several reasons. First, graphically mapping the interrelationships between risks immediately communicates the complexities of how risks influence an objective. The influence diagram enables the visualization of how one risk can drive another and the potential for risks to occur in combination or in sequence.

Second, due to its pictorial nature, it is intuitive to use. The visual map makes it easy to identify if the organization is particularly sensitive to certain factors. For example, the factor “effective care” is directly dependent on the successful management of multiple factors including: “training,” “medical processes” and “QA/QC,” and it is also indirectly affected by “operating budget.” It also clarifies how important “patient expectations” are to “patient experience” and why “appropriate communications” and the factors that drive it may be an area of vulnerability.

Third, using commercially available software, the influence diagram can be converted to a Monte Carlo model that enables quantitative risk estimates based on the comprehensive and realistic understanding of the complex risk scenarios depicted in the influence diagram.
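The following added example (not from the article or any commercial tool) encodes a small influence diagram as a graph and runs a Monte Carlo estimate over it, comparing the isolated view with the view that includes indirect drivers. The factor names come from the article; the arrow from "operating budget" to "training", the probabilities, and the rule that any failing driver causes the objective to be missed are assumptions made for illustration.

```python
import random

# Constructed influence diagram: node -> factors that directly influence it.
INFLUENCES = {
    "effective care": ["training", "medical processes", "QA/QC"],
    "training": ["operating budget"],  # assumed edge; the article's figure is absent
    "medical processes": [],
    "QA/QC": [],
    "operating budget": [],
}

# Constructed probabilities that each factor goes wrong on its own.
OWN_FAILURE = {
    "effective care": 0.0, "training": 0.05, "medical processes": 0.02,
    "QA/QC": 0.03, "operating budget": 0.10,
}

def all_drivers(node, graph=INFLUENCES):
    """Every factor that reaches `node` when arrows are followed backwards."""
    seen, stack = set(), list(graph[node])
    while stack:
        cur = stack.pop()
        if cur not in seen:
            seen.add(cur)
            stack.extend(graph[cur])
    return seen

def indirect_drivers(node, graph=INFLUENCES):
    """Drivers that act on `node` only through another factor."""
    return all_drivers(node, graph) - set(graph[node])

def simulate(objective, include_indirect=True, trials=20000, seed=1):
    """Estimate the probability that the objective is missed.

    Assumed rule: the objective is missed when any factor in scope fails.
    With include_indirect=False only the direct drivers are in scope, which
    mimics analysing each risk in isolation.
    """
    rng = random.Random(seed)
    scope = all_drivers(objective) if include_indirect else set(INFLUENCES[objective])
    scope = sorted(scope | {objective})  # fixed order keeps runs repeatable
    misses = 0
    for _ in range(trials):
        if any(rng.random() < OWN_FAILURE[n] for n in scope):
            misses += 1
    return misses / trials
```

With these constructed numbers the isolated view gives roughly 0.10 while the full diagram gives roughly 0.19, because the budget risk feeds into training.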

Upon completing their corporate risk profile, executives tend to feel certain that they understand their organization’s risk exposure because they have invested a lot of time analyzing what is known about their risks. But is this confidence warranted? Not if it glosses over the uncertainty surrounding the estimate of a particular risk or of the organization’s readiness to respond to it. Another strategy to identify vulnerabilities is to identify what is unknown about the organization’s risk exposure. This strategy forces managers to articulate the assumptions that underlie their risk estimates.

In a hospital, management might assess the risk of “patient expectations being unrealistic” as low. This statement does not reveal that the risk estimate is based solely on the expert judgment of senior managers, or that it rests on two assumptions: that patient expectations will not change over time, and that the signals about patient expectations that senior management is receiving from the frontline are an accurate reflection of reality.

For risks where there is a lot of uncertainty in the risk estimate, it is prudent to reduce that uncertainty by gathering more information. Continuing with the “patient expectations” example, the hospital could conduct a survey of frontline workers or of patients themselves to validate the expert opinion data they have already collected. If it’s not possible to reduce uncertainty, management needs to ask, “If we have wildly underestimated this risk, would our current risk response capabilities be able to handle it?” If the answer is “no,” then the organization will want to shore up its risk response capabilities to address this vulnerability.

In summary, when it comes to managing black swan risks, traditional risk management strategies that focus on anticipating and preventing specific, predictable events are woefully inadequate. Instead, executives need to develop strategies that are aimed at understanding their organization’s vulnerabilities.

 

Diana Del Bel Belluz is president of Risk Wise (www.riskwise.ca).