1. First, is there a systematic reason to believe we are underestimating risk and/or consequences? That’s a matter of data and analytical methods, and there are lots of people trying to find out. We know that when disaster models are misused, like the financial models, they will tell us garbage with results that may shock us. Again, where’s the news in that? Don’t misuse the models and put into place precautions against doing so.
2. Second, even if the data suggest we need fatter tails (long-standing procedures exist to do that), there’s a policy/greed question. Will finance and insurance companies put enough in their reserves to reflect the risks they face? Or, as a matter of policy, lack of regulation, competitive market pressures, and self-deception, will they simply close their eyes, cross their fingers, and discount cognitively what low risk means, e.g. non-zero risk?
Reminding us of rare, high consequence events is fine. Calling them “Black Swans” doesn’t add anything substantively, although it’s an effective metaphor. But the greatest contribution is in answering the latter two questions I’ve posed.
~~~~~~~~~~~~~~~
Have a look at my recent posts on Black Swans, strategy, and business rules … Search on “Black Swans”
a. Business rules cannot be used to help protect against unforeseeable events that have not already happened.
b. Business analysts can assess unforeseeable events (black swans) and develop business rules to cater for their potential recurrence.
c. If you don’t have ready access to your current business rules (i.e., know what they are in depth), then when a black swan occurs you can’t immediately undertake point b.
Point c is actually where my emphasis lies. The result is that the organization remains vulnerable to recurrence (and copycat malicious attacks) for a much longer period than necessary (or desirable). How long extra? At least days, more likely weeks, sometimes months.
What most organizations don’t realize today is that they don’t actually know what their business rules are. Before they can even begin to rethink business practices in-depth they have to send out ‘scouts’ (business analysts and IT professionals) to discover their current business rules (from people’s heads, source code, procedure manuals, documentation, etc.). When the scouts do find the current business practices (business rules), they have to sort through redundancy, inconsistency, gaps and conflicts. That’s simply no way to run a business!
There’s no single-sourcing of business rules, no official, authoritative ‘rulebook’, no structured corporate memory. The result is a huge loss of time and energy. The problem is so big it’s hard to see. We simply have to face up to the fact that current methodologies produce a crippled business governance process. And yes, the situation *is* that bad!
~~~~~~~~~~~~~~~~~
P.S. To single-source business rules and retain corporate memory about them, we recommend a ‘general rulebook system’. See http://www.brcommunity.com/BBSGlossary.pdf (page 30) for a quick explanation.