Preparing for the Unpredictable

There may be some elephants in the board room from time to time, but what about Black Swans or Gray Rhinos? Many of us might be ignoring the warnings of risks to our business from “corporate Cassandras” — named for the priestess in Greek mythology who was cursed to pronounce true prophecies, but never to be believed. By understanding how risks manifest themselves, organizations can improve their business continuity planning and, ultimately, their resiliency.

In his 2007 book, Nichola Nassim Taleb coined the term Black Swan, an unpredictable and rare event that creates a long-lasting impact. The internet itself and the 9/11 terrorist attacks are considered Black Swans. But calling an event a Black Swan can be a scapegoat or an excuse for failing to plan: “Oh we never imagined that would happen…no one saw that coming!”

Black Swan Sightings

If we can’t predict Black Swans, shouldn’t it be impossible to prepare for them? Quite the opposite. In fact, there are techniques organizations can use to identify and prepare for Black Swans. In IBM’s 109-year history, our crisis management structure and emergency planning process have helped the company meet our customers’ needs during major power outages, floods, tsunamis and terrorist attacks. Comprehensive Business Continuity Planning is essential for preparing for the unlikely, but disruptive, Black Swan. Organizations can:

  • Conduct “what if” analyses to consider impacts to business-critical areas of the organization. Those that have the highest potential impact should have contingency plans designed to mitigate their impact.
  • Stress-test systems and processes. Disrupter Analysis or Chaos Monkey testing is one way to identify the unpredictable.
  • Plan your communications ahead of time. You may not be able to control the situation, but you can control what and how you communicate about it. Identifying key stakeholders, distribution lists and draft communications ahead of time will help to keep focus on the event rather than your lack of preparedness.

Recently, experts have suggested that the U.S. electric power grid might be vulnerable to three potential Black Swans: solar flares, Electro Magnetic Pulses (EMPs) and cyber threats. But cyber threats against the power grid, or our organizations, can no longer be considered Black Swans. Rather, they are examples of Gray Rhinos, a term first introduced in 2013 by policy analyst Michele Wucker.

Gray Rhinos are Everywhere

Gray Rhinos are highly probable events with significant consequences that are headed right for us. They differ from the “elephant in the room” precisely because Rhinos are talked about. Gray Rhinos are often heralded by corporate Cassandras, the technologically savvy worry warts of the organization who are pointing out the charging Gray Rhinos. Acknowledging them can force us to get comfortable with uncertainty and take action. Otherwise, we risk being trampled.

Putting off going to the doctor for testing when you sense there might be something wrong is a personal Gray Rhino. Climate change, extreme weather and national disasters are examples of societal Gray Rhinos that can impact an organization’s business continuity posture. The known vulnerabilities associated with the Internet of Things is another example. How do we make sure our Gray Rhinos are not turning into elephants in the room?

Become a Rhino Spotter

Learn to recognize the Rhinos present in your environment today. Ask your team and yourself: “What is the big issue facing our organization today that will trample us unless we do something?” Then start by breaking long-term strategy into short-term actions:

  • Take 15 minutes each day to imagine what it would take to stay resilient.
  • Do the hard work in turning ideas into action and devise a solution.

If you do not feel you have the power to make change, become the Cassandra and share the Gray Rhino opportunity with someone who does have the power.

Think about the Future

Don’t waste a perfectly good crisis. Let this current pandemic be an opportunity to hop on that Gray Rhino’s back, listen to the Cassandras among us and use the crisis to better prepare for next time.

More from Risk Management

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today