By David Jenkins, Intellergy Solutions
A new company, a new website and my first blog.
I agonized over what I was going to write about and in the end I thought I’d give a more detailed explanation about the thinking behind the Intellergy Solutions logo and some early thoughts on risk management,
Every organization has risks, the larger and more complex the organization the greater the variety, scale and exposure. In my experience many organizations have blind spots on risk management where the ‘squeaky wheel gets the grease’ but the silent and potentially catastrophic events receive far less attention. This may be compounded by risk management processes which promote attention to the higher probability x medium consequence events linked to organizational focus on ‘a thing’ while ignoring testing effectiveness of controls needed to prevent a far more serious or catastrophic event because its very low probability puts it in the ‘green’ zone of a risk matrix.
An example is where an organization is committed to delivering ‘Zero Harm’ and is laser-focused on achieving zero Recordable Injuries. It expends a lot of time and leadership effort in analyzing every slip, trip and fall and debating corrective measures while ignoring the effectiveness of critical controls essential to prevent a rare but potentially catastrophic event in their high hazard operations. It’s not the former is unimportant but the failure to address the latter is a dereliction of leadership.
So, back to the meaning behind our logo, a composite of a Black Swan, a Gray Rhino, an Elephant and a Canary.
I term the first three as types of risk which are potential ‘business killers’.
The Black Swan
Black Swan events are rare, unpredictable, and have severe consequences, often catching people off guard due to their unexpected nature. A term coined by Nassim Nicholas Taleb, these events have a significant impact on society, economies, and businesses (Taleb, Nassim Nicholas. The Black Swan: The Impact of the Highly Improbable. Random House, 2007)
EXAMPLES
The 2008 Financial Crisis: The 2008 financial crisis serves as a classic example of a Black Swan event. It was triggered by the collapse of the housing market bubble in the United States, leading to a global recession. The complexity of financial instruments, coupled with inadequate risk management practices, exacerbated the crisis. Unforeseen by most financial institutions and policymakers, the impacts from this event were severe and widespread.
COVID-19 Pandemic: The COVID-19 pandemic serves as a recent example of a Black Swan event. Its rapid global spread, overwhelming healthcare systems, disrupting economies, and causing widespread global social and economic upheaval were largely unforeseen by most governments and organizations. It might be argued pandemics are not really Black Swans as they occur every few decades and might more correctly be deemed Gray Rhinos (remember SARS, H1N1?) but what made it a Black Swan was the severity and sheer scale of the impact.
The Gray Rhino
A term introduced by Michele Wucker, Gray Rhino events have high-impact, are highly probable and often go ignored or underestimated despite clear signs of the risk approaching. (Wucker, Michele. The Gray Rhino: How to Recognize and Act on the Obvious Dangers We Ignore. St. Martin's Press, 2016)
EXAMPLES
Climate Change: Climate change represents a classic Gray Rhino event. Despite ample scientific evidence warning about its consequences, the response from governments, businesses, and individuals is largely inadequate. Rising global temperatures, extreme weather events, and ecosystem disruptions are some of the clear signs indicating the impending impact of climate change, yet action to mitigate its effects has been slow and fragmented.
Cybersecurity Threats: Cybersecurity threats represent a prevalent Gray Rhino event in today's digital age. Despite numerous warnings and high-profile cyberattacks, many organizations fail to adequately address cybersecurity risks. Breaches of sensitive data, ransomware attacks, and infrastructure vulnerabilities are clear signs of impending threats which often go unheeded until a significant incident occurs.
The Elephant
Elephant risks are large-scale, slow-moving threats which are often ignored until they cause significant damage. The literal ‘elephant in the room’, likely evident to many in the organization, they represent foreseeable and known challenges which may require long-term planning or uncomfortable and difficult decisions to address.
EXAMPLES
Workplace Harassment: Sexual harassment in the workplace by a senior leader in an organization is a powerful example of an Elephant risk. Harvey Weinstein’s predatory behavior was alleged and reported for decades until finally emerging into public view, sparking the #MeToo movement. It resulted in significant organizational disruption for the Weinstein Company, with Weinstein being fired from his position and successfully prosecuted for rape and assault. The company faced legal action, financial losses and reputational damage, eventually filing for bankruptcy and sold its assets.
Organizational Inertia: Nokia, BlackBerry, and Kodak are quintessential examples of Elephant risk. Each company enjoyed significant success and market dominance in their respective industries but became complacent and failed to anticipate or respond effectively to emerging trends and consumer preferences. Nokia, once the world's leading mobile phone manufacturer, struggled to compete in the smartphone era, losing market share to rivals like Apple and Samsung. BlackBerry, known for its pioneering smartphones and secure messaging services, faltered as touchscreen devices and app ecosystems gained prominence. Kodak, a giant in the photography industry, failed to capitalize on the shift to digital photography, leading to its decline and eventual bankruptcy.
The Canary
Historically, coal miners faced the ominous threat of methane and carbon monoxide poisoning in underground mines. With these gases being odorless and colorless, miners needed a reliable method to detect their presence before it became fatal. Enter the canary—a small, sensitive bird that served as a living, breathing early warning system.
Miners would bring canaries into the mines with them. These birds, being more susceptible to the effects of toxic gases, would show signs of distress or succumb to the fumes much faster than humans. Thus, a canary's well-being became an indicator of the safety of the mine environment. If the canary exhibited signs of distress or died, it signaled the presence of dangerous gases, prompting miners to evacuate immediately. Saving countless lives around the world, canaries became symbolic of mitigating the risks and dangers associated with underground mining.
Fast forward to the modern era, where risk management practices have evolved considerably.
I’m a great fan of bow ties, they are very effective in providing an easily understood visualization of complex risks and the controls required to manage them. In the realm of risk management bow ties and critical controls bear a striking resemblance to the canary in a coal mine. Just as the canary's well-being was indicative of the mine's safety, critical controls serve as early indicators and frontline defenses against potential risks and their consequences.
Bow tie analysis is a method used to visualize and assess risks within an organization. At its core, a bow tie diagram represents the relationship between potential hazards, their associated consequences, and the control measures implemented to mitigate those risks.
The "bow" of the diagram represents the hazard, while the "knot" symbolizes the event or scenario where the hazard manifests. The "left wing" depicts the causes or threats leading to the event, while the "right wing" illustrates the consequences resulting from it. Controls, positioned along the diagram's strands, serve as barriers to prevent the event from occurring or mitigate its impact if it does. Some of these controls will be ‘critical controls’, ones where their failure or absence has a material impact on whether the unwanted event may occur. An example for Road Transport of People or Cargo can be seen here.
The Canary as an Analogy for Controls Within A Bow Tie
Early Warning System: Much like the canary's sensitivity to toxic gases, critical controls are designed to detect and alert stakeholders to impending risks. These controls are strategically placed to provide early warning signs and prevent hazards from escalating into significant incidents but note not every control is Critical.
Vulnerability Assessment: Similar to how the canary's health reflected the mine's environmental conditions, critical controls highlight vulnerabilities within an organization's risk landscape. By identifying weaknesses and gaps in control measures, organizations can proactively strengthen their defenses and enhance resilience.
Risk Mitigation: Just as miners took swift action upon observing distress in the canary, critical controls enable organizations to respond promptly to emerging threats. Whether through preventive measures or rapid response protocols, these controls minimize the likelihood and severity of adverse events, safeguarding operations and assets.
Continuous Monitoring: Canaries were continuously monitored for signs of distress, ensuring a constant vigilance against potential dangers. Similarly, critical controls necessitate ongoing monitoring and evaluation to adapt to evolving risks and maintain their effectiveness over time.
Implementing Critical Controls in Risk Management
Integrating critical controls into a risk management bow tie requires a systematic approach tailored to an organization's unique risk profile. Some key steps to effectively implement and leverage critical controls:
Identify Key Risks: Conduct a comprehensive risk assessment to identify potential hazards, their consequences, and the underlying causes. Prioritize risks based on their likelihood and impact to focus resources on critical areas. It is essential to involve the right people with the right experience at the right time to ensure there is the broadest perspective of a given risk profile.
Define Critical Controls: Collaborate with those most exposed to the risk and subject matter experts to identify and define critical controls which directly mitigate or prevent identified risks. Ensure these controls are specific, measurable, and aligned with organizational objectives. Importantly, a control which is so poorly defined you cannot undertake a governance audit to determine its presence or effectiveness is not a control.
Implement Control Measures: Deploy the necessary resources and infrastructure to implement critical controls across relevant processes and operations. Train personnel on control procedures and protocols to ensure consistent adherence and effectiveness. Use cross-discipline teams, preferably from outside the business being audited and given the corporate autonomy to report on their findings without fear of impact on their career (are you listening Boeing?).
Monitor and Evaluate: Establish monitoring mechanisms to track the performance of critical controls and detect deviations from expected outcomes. Conduct regular assessments and audits to evaluate control effectiveness and identify areas for improvement. Use independent 3rd party auditing as appropriate.
Iterate and Improve: Continuously review and refine critical controls in response to changing risk dynamics, regulatory requirements, and emerging threats. Foster a culture of continuous improvement to enhance resilience and adaptability. Significant incident investigations should incorporate assessment of critical control compliance and weaknesses into their findings and recommendations.
So there you have it, the Intellergy Solutions logo symbolizes the need for organizations to look beyond lower tier more frequent risks and ensure there is regular assessment and testing of controls for low probability high consequence (business killer) risks. Additionally there should be a structured process continually scanning the horizon for emerging or changing risks which could adversely and significantly impact the business. Leadership is crucial to get the best results. Board members should challenge the business on all these aspects to satisfy themselves the internal reporting of the risk profile, the controls in place and their effectiveness are an accurate reflection of the organization today and, as is reasonably foreseeable, in the future.
Intellergy Solutions can assist organizations achieve excellence in all these aspects - feel free to reach out.
Comments