Risk modeling and business continuity: how far to go?
Risk modeling is a useful tool for business continuity managers, but over-reliance and flawed approaches can create difficulties. By Geary W. Sikich.
Fundamental uncertainties derive from our fragmentary understanding of risk and of complex system dynamics and interdependencies. Abundant stochastic variation in risk parameters further impairs the ability to clearly assess uncertainties.
Uncertainty does not have just a single dimension; it also surrounds the potential impacts of forces such as globalization and decentralization, the effects of movements of global markets and trade regimes, and the effectiveness and utility of risk identification and control measures such as buffering, use of incentives, or strict regulatory approaches.
Such uncertainty underpins the arguments both of those exploiting risk, who demand evidence that exploitation causes harm before accepting limitations, and those avoiding risk, who seek to limit risk realization in the absence of clear indications of sustainability.
Unknown or unknowable?
An unknown unknown is not conceivable, as it is unknown. Therefore, to attempt to simulate an unknown unknown seems to be an exercise in futility and self-deception. By virtue of creating the simulation you have made the unknown known and therefore negated the exercise. One cannot outsmart the future. Seeking certainty seems to be more terrifying than accepting that one needs to be able to react to the consequences presented.
I have always considered unknown unknowns as being unknowable and to be outside the scope of a risk management process. If we accept that identification is a fundamental part of the risk management process, then it is not logical to expect that the risk management process can handle unknown unknowns. This is one reason for differentiating between risk-related contingencies and management contingencies.
Unknown knowns (i.e. factors that are within our knowledge but are missing from the business impact assessment (BIA), threat identification, hazard identification and risk management processes) would include transparent vulnerabilities, oversights, omissions and sources of uncertainty that should really have been identified and assessed in the initial stages of planning. One approach to minimizing unknown knowns is to carry out the planning and risk management process as a top-down, iterative process. If, instead, one uses a single-pass process to develop a detailed BIA, threat, hazard, vulnerability and risk register, the effort will lack the structure to capture the implications of general sources of uncertainty (unknown knowns).
Approaches based on the critical assumption that the model contains all the factors (including the unknown factors) that could affect the output variables being considered are fundamentally flawed. This assumption is justified on the grounds that comprehensive models cannot be developed, since they would contain such a large number of relevant known variables, irrelevant variables, etc. as to prove extremely cumbersome, unwieldy and essentially useless.
Rather than attempting to model the probabilities of identified risks materializing, it is of more relevant and ultimate benefit to focus on the consequences of risk realization. In this way you can begin to assess the capacity and capability of the organization to withstand risk realization. An organization’s sensitivity to an outcome (a consequence of risk realization) is reflected in the impact of decision making under uncertainty/stress.
Chasing symptoms, ignoring consequences
Complex systems are full of interdependencies that are hard to detect. The result is nonlinearity in responses to random events/shocks, which are often termed unknown unknowns or, in some instances, mislabeled as ‘Black Swan’ events. Today we live in a world of complexity. In a complex system interdependencies abound; the notion of cause becomes suspect, as it is nearly impossible to detect or it is not really defined. Isolation of causal relationships (direct/linear) is therefore not feasible due to opacity and nonlinearity. Opacity and nonlinearity influence decision making, often leading to decisions that further exacerbate problems rather than resolve them.
The odds of identifying unknown unknowns are simply not computable. Model error swells when it comes to small probabilities. The rarer (the more unknown) the event, the less tractable it is and the less we know about how frequent its occurrence is. We cannot calculate the risks and probabilities of shocks and rare events, no matter how sophisticated we get.
What we end up with is thinking that what is not seen is not there. This creates a tendency to mistake the unknown for the non-existent. The occurrence of extreme events (unknown unknowns) cannot be predicted by reviewing past history, as we often do when developing ‘worst case’ scenarios, BIAs, risk assessments, etc. Worst case events, when they happen, exceed the worst case at the time of the new event. The worst past event had to be a surprise, as it had no precedent (e.g., an earthquake exceeding the historical scale of magnitude). This is an example of a selection bias and it creates a false positive from a planning standpoint. The result is an inconsistency: the so-called worst case event, when it happens, exceeds the worst case event used as the planning basis, a basis that deludes the planner into assuming that their plans actually reflect reality.
Time and volatility – the more time, the more events, the more disorder
Since we limit our analysis of past events to a generally set timeframe (100 year floods, etc.), our assessment result will be essentially flawed and of limited value. We get blinded by the odds, overestimating our chances of success in identifying and managing risks, business impacts, etc. This results in gross underestimations of the risk of failure. We overlook capability and capacity at the time of an event, because we have planned on an optimum of capability and capacity that does not reflect reality. We are thus deluded into the belief that our plan will prevent a risk from materializing. The thinking is that nothing can possibly go awry. However, if something that ‘can't possibly go wrong’ does go wrong, it will be almost impossible to fix. Over time we experience more events, and the more events we experience, the greater our ability to recognize and react to events as they emerge. It is much easier to sell “Look what I did for you” than “Look what I avoided for you.”
Don’t try to outsmart the future
We live in a world of information and data. In fact, ‘big data’ is a hot topic for many. Most of what we are exposed to is ‘noise’ and has little if any value. Noise is what you are supposed to ignore (filter); ‘signal’ is what you are supposed to heed. Noise is random information that is totally useless for any purpose; you need to clean it up to make sense of what you are exposed to. As often happens, we do not filter the noise, and the resulting overestimation or underestimation of risk tends to focus our thinking and efforts. A good example is the meteorite that hit Russia in February. Suddenly we heard more about meteorite risk. The result is the inability to distinguish noise from signal. Access to data increases intervention (overreacting) and the mistaking of noise for information. Nassim Taleb, in his latest book, ‘Antifragile’, gives the following example of micromanaging into chaos – too much data reliance (our tendency to review data periodically creates potential for error):
Too much information (noise) results in too much stress, potentially leading to flawed decisions and/or decision paralysis. We are not made to understand the point, so we overreact emotionally to noise. We are living more and more in virtual reality, separated from the real world, while realizing it less and less. We mistake the absence of evidence of a risk, threat, etc. for evidence of the absence of that risk, threat, etc.
Risk is in the future not the past
We are faced with a new risk paradigm: efficient or effective? Efficiency is making us rigid in our thinking; we mistake being efficient for being effective. Efficiency can lead to action for the sake of accomplishment with no visible end in mind. We often respond very efficiently to the symptoms rather than the overriding issues that result in our next crisis. Uncertainty in a certainty-seeking world offers surprises to many and, to a very select few, confirmation of the need for optionality.
It’s all about targeted flexibility, the art of being prepared, rather than preparing for specific events. Being able to respond, rather than being able to forecast, facilitates early warning and proactive response to unknown unknowns.
Geary Sikich is a seasoned risk management professional who advises private and public sector executives to develop risk buffering strategies to protect their asset base. With a M.Ed. in Counseling and Guidance, Geary's focus is human capital: what people think, who they are, what they need and how they communicate. With over 25 years in management consulting as a trusted advisor, crisis manager, senior executive and educator, Geary brings unprecedented value to clients worldwide.
Geary is well-versed in contingency planning, risk management, human resource development, ‘war gaming,’ as well as competitive intelligence, issues analysis, global strategy and identification of transparent vulnerabilities. Geary began his career as an officer in the US Army after completing his BS in Criminology. As a thought leader, Geary leverages his skills in client attraction and the tools of LinkedIn, social media and publishing to help executives in decision analysis, strategy development and risk buffering. A well-known author, his books and articles are readily available on Amazon, Barnes & Noble and the Internet.
Apgar, David, Risk Intelligence – Learning to Manage What We Don’t Know, Harvard Business School Press, 2006.
Davis, Stanley M., Christopher Meyer, Blur: The Speed of Change in the Connected Economy, 1998.
Kami, Michael J., Trigger Points: How to Make Decisions Three Times Faster, McGraw-Hill, 1988, ISBN 0-07-033219-3.
Klein, Gary, Sources of Power: How People Make Decisions, MIT Press, 1998, ISBN 13 978-0-262-11227-7.
Orlov, Dmitry, Reinventing Collapse, New Society Publishers, first printing edition (June 1, 2008), ISBN-10: 0865716064, ISBN-13: 978-0865716063.
Sikich, Geary W., Graceful Degradation and Agile Restoration Synopsis, Disaster Resource Guide, 2002.
Sikich, Geary W., Integrated Business Continuity: Maintaining Resilience in Times of Uncertainty, PennWell Publishing, 2003.
Sikich, Geary W., It Can’t Happen Here: All Hazards Crisis Management Planning, PennWell Publishing, 1993.
Sikich, Geary W., The Emergency Management Planning Handbook, McGraw Hill, 1995.
Tainter, Joseph, The Collapse of Complex Societies, Cambridge University Press (March 30, 1990), ISBN-10: 052138673X, ISBN-13: 978-0521386739.
Taleb, Nassim Nicholas, The Black Swan: The Impact of the Highly Improbable, Random House, 2007, ISBN 978-1-4000-6351-2.
Taleb, Nassim Nicholas, The Black Swan: The Impact of the Highly Improbable, Second Edition, Random House, 2010, ISBN 978-0-8129-7381-5.
Taleb, Nassim Nicholas, Fooled by Randomness: The Hidden Role of Chance in Life and in the Markets, Random House, 2005, updated edition (October 14, 2008), ISBN-13: 978-1400067930.
Taleb, N.N., Common Errors in Interpreting the Ideas of The Black Swan and Associated Papers, NYU Poly Institute, October 18, 2009.
Taleb, Nassim Nicholas, Antifragile: Things That Gain from Disorder, Random House, 2012, ISBN 978-1-4000-6782-4.
• Date: 12th July 2013 • USWorld • Type: Article • Topic: BC general