Guest Post by Kenneth Watman Deputy Director, Systems Analysis Office of Director of National Intelligence Washington D.C. ~~~~~~~~~~~~~~~~~ Like so many people, I was fascinated and exasperated by Taleb’s book. But, when the book is summed up, I do not believe Taleb has defined “Black Swan” as anything special or remarkable. Near as I can tell, a “Black Swan” is an especially rare event, perhaps completely unanticipated with very large consequences. Well, had we discussed this question before 9/11 and the financial crash, I think we would have said, “Of, course.” If there are 100-year hurricanes, there probably are 500-year hurricanes. A relatively small asteroid has a 1-in-250 chance of hitting earth over some time period with unprecedented effects. So, if you want to label those “Black Swans,” why not? There are two issues of consequence that Taleb doesn’t or cannot answer.

1. First, is there a systematic reason to believe we are underestimating risk and or consequences? That’s a matter of data and analytical methods, and there are lots of people trying to find out. We know that when disaster models are misused, like the financial models, they will tell us garbage with results that may shock us. Again, where’s the news in that. Don’t misuse the models and put into place precautions against doing so.

2. Second, even if the data suggest we need fatter tails (long-standing procedures exist to do that), there’s a policy/greed question. Will finance and insurance companies put enough in their reserves to reflect the risks they face? Or, as a matter of policy, lack of regulation, competitive market pressures, and self-deception, will they simply close their eyes, cross their fingers, and discount cognitively what low risk means, e.g. non-zero risk?

Reminding us of rare, high consequence events is fine. Calling them “Black Swans” doesn’t add anything substantively, although it’s an effective metaphor. But the greatest contribution is in answering the latter two questions I’ve posed. ~~~~~~~~~~~~~~~ Have a look at my recent posts on Black Swans, strategy, and business rules … Search on “Black Swans”  

Let me re-clarify what I am, and am not, saying about business rules and black swans. There’s been some confusion. I did not say that preparing for or responding to black swans is all about business rules. (I’m not that naive!) I did say, however, that business rules “… build robustness to negative [black swans] that occur and being able to exploit positive ones” [Taleb’s words]. My main point is this: If you don’t have ready access to your current business rules (i.e., know what they are in depth), then when a black swan occurs you can’t immediately undertake to respond to negative ones, and exploit positive ones. (See: http://goo.gl/Ny2Cn) A colleague wrote: “For example, Taleb cites 9/11 as an example of a black swan. What business rules would prevent or allow successful response to that?” I make no suggestions about prevention. Hindsight is 20-20. But successful response? You need to quickly review what your current business practices (business rules) are …

• Permissible carry-ons. Box-cutter knives? Immediately banned. Any other sharp items including silverware for meals, banned.
• Access to the cockpit. Special barriers (food cart, steward(ess)) put in a blocking position when a pilot exits the cockpit to use the lavatory. Doors locks reinforced.

We learn as we go. Amounts of liquid over a certain threshold, banned. Shoes must be removed at security. Souvenir ‘blizzard’ globes, banned. You want to roll out these new business rules fast(!). If you don’t know what business rules you already have in place, you simply can’t respond as fast you need to. Make no mistake, most businesses today sadly don’t really know what their current business rules are. That’s what I’m saying!

I’ve gotten a lot of excellent response to yesterday’s post on black swans. Let me summarize yesterday’s points and continue the line of thought.

a. Business rules cannot be used to help protect against unforeseeable events that have not already happened. b. Business analysts can assess unforeseeable events (black swans) and develop business rules to cater for their potential recurrence.

c. If you don’t have ready access to your current business rules (i.e., know what they are in depth), then when a black swan occurs you can’t immediately undertake point b.

Point c is actually where my emphasis lies. The result is that the organization remains vulnerable for recurrence (and copycat malicious attacks) for a much longer period than necessary (or desirable). How long extra? At least days, more likely weeks, sometimes months. What most organizations don’t realize today is that they don’t actually know what their business rules are. Before they can even begin to rethink business practices in-depth they have to send out ‘scouts’ (business analysts and IT professionals) to discover their current business rules (from people’s heads, source code, procedure manuals, documentation, etc., etc.). When the scouts do find the current business practices (business rules), they have to sort through redundancy, inconsistency, gaps and conflicts. That’s simply no way to run a business! There’s no single-sourcing of business rules, no official, authoritative ‘rulebook’, no structured corporate memory. The result is huge loss of time and energy. The problem is so big it’s hard to see. We simply have to face up to the fact that current methodologies produce a crippled business governance process. And yes, the situation *is* that bad! ~~~~~~~~~~~~~~~~~ P.S. To single-source business rules and retain corporate memory about them, we recommend a ‘general rulebook system’. See http://www.brcommunity.com/BBSGlossary.pdf (page 30) for quick explanation.

We preach (and practice) strategy as a key element of business analysis. A key element of strategy is identifying significant business risks. We address such risks in the deliverable we call a Policy Charter. See http://www.brcommunity.com/BBSGlossary.pdf (page 39). Appropriate business policies are developed to protect the company. Sometimes we hear the argument that it’s impossible to determine the risk of some future unknown event. And what’s a rational definition of risk anyway? By “risk” we simply mean what the dictionary (Merriam-Webster Unabridged) means: 1: the possibility of loss, injury, disadvantage, or destruction : CONTINGENCY, DANGER, PERIL, THREAT Yes, the following statement is correct: “It is impossible to determine the risk of some future unknown event.” The operative word in that is unknown. How could anyone argue with that? The implicit reference is to black swans … unpredictable outliers. The only thing business analysts can do to help protect the business against black swans is “… build robustness to negative ones that occur and being able to exploit positive ones.” (Wikipedia on Taleb’s book The Black Swan: The Impact of the Highly Improbable). I maintain that business solutions based on business rules do exactly that. To respond successfully to unforeseen circumstances you must know what your business practices (business rules) are in the first place(!). On the other hand, business people generally do have a good understanding of known business risks. We think it’s crucial to factor that understanding into business analysis. Now who could argue with that?!

Many years ago I was flying home after giving a talk at a conference in Boston. It was Friday and I was really tired. Fortunately, I got upgraded to first class, so I slipped off my tie and my shoes (brown), pushed the seat back, and went into a plane stupor (a zombie-like, non-sleep state).  About halfway home my feet started getting cold. Absent-mindedly, I felt around on the floor with my feet for my loafers. I quickly found one and slipped it on. But the other one eluded me. If you travel much on planes, you soon learn that shoes and other personal items get annoyed when unattended and purposely hide in the most inaccessible places possible. All you can do is tolerate the behavior.  I redoubled my efforts to find the missing shoe. I looked everywhere. No brown shoe. Oddly though, I did come up with a black shoe. I immediately did what any sensible person would do, I panicked. Had I been wearing different colored shoes all day long?! All week long!? What must the people at the conference and in my talk have thought?!   I calmed myself. Wait a minute, I was sure I had taken only one pair of shoes with me on this trip. Couldn’t be my shoe. A simple test would tell the tale, I could just try it on and see if it fit. So I did. And it fit perfectly.  Panic returns, decibels higher. My wife had helped me pack the bag. She would never have let me go off with unmatched shoes. Imagine the scene in my house if I walked in wearing shoes that didn’t match. (I’ll let you do the math on that.)  The plane began its initial descent and the man seated next to me stirred to go to the lavatory. Guess what?! Sure enough, one brown shoe and one black shoe. Now this was a situation I had never faced before. I certainly had no process laid out to follow or any experience to guide me. Exactly what are the best tactics for communicating to a perfect stranger he’s probably wearing your shoe?! Some options: 

1. Make a joke of it. (Since he was wearing a wedding band, he probably didn’t want to go home wearing unmatched shoes either. Would he think it was funny?)
2. Angrily demand my shoe back.
3. Exaggerate my search until he asks what’s wrong or figures it out on his own.
4. Tell him politely, but directly.
5. Get up and ask a flight attendant to intervene

What kind of problem was this? It’s not about process; it’s about strategy. Don’t confuse the two; they’re very different. The key questions were (a) what were my goals (the ends I wanted to achieve), and (b) what course of action (the means) would best achieve those ends.  Clearly my basic goal was to possess my things. But there was certainly more to it; otherwise I could have just picked an option arbitrarily. So I must have had other goals (e.g., respect others), or perceived risks (e.g., escalation of a confrontation), or more likely, both. Perceiving risk(s), by the way, implies yet other goals (e.g., avoid entanglement with airline security).  Life (and business) is so complicated! Would a process model have helped? No! How likely was this scenario ever to happen again? In 35+ years of frequent travel, the scenario has happened exactly once. And I’ve never had anyone else tell me it’s happened to them. Instead, I needed to devise a strategy, one that best balanced trade-offs among conflicting goals.  Look for more from BRS on strategy in the near future. It’s one of the things we do – and we do it extremely well. A good place to start is with the standard: www.businessrulesgroup.org/bmm.shtml.  It’s an easy read and explains how business rules fit in. Business analysts need order-of-magnitude improvements in the techniques they use. Strategy is one.  How did my shoe saga turn out? Suffice it to say I got home with two brown shoes … and had a good laugh with John Zachman over dinner a couple of months later.