‘Black Swan’ is a recognized theory within risk management, originally developed by Nassim Nicholas Taleb. For those of you who have ever wondered, the term ‘Black Swan’ originates from the belief that all swans are white because these were the only ones accounted for. However, when black swans were discovered during the 17th century in Australia, this unexpected event in scientific history profoundly changed zoology. After the black swan was discovered, it seemed obvious that black swans had to exist, just as other animals with varying colors were known to exist. Taleb made his financial trading reputation out of targeting the impact of highly improbable events.
The importance of the metaphor is that it describes an event that is highly unlikely to materialize but that, if it did, would have a substantial impact. In traditional enterprise risk methodologies, assessing this type of risk with a likelihood * impact rating would potentially exclude it from the category of risk that, in risk appetite terms, “must be mitigated”.
This is where black swan events are particularly pertinent to risk management. The objective of risk management is to protect the business from ‘unacceptable’ exposures to possible future events. However, if one of the largest risks to your business has a less than 0.5% probability of happening but the consequences would be catastrophic, would your risk management solution even detect it? As a board member, wouldn’t you want to know about it?
Most risk management systems use traditional measurement methodologies (such as the heat map above) that are not designed to detect an event with a very low probability of occurring. As a result, organizations can find themselves exposed to a potentially ruinous risk due to this lack of transparency.
Many of these types of threats are caused by factors external to the business, and as such the enterprise control framework has only a limited ability to protect the business. In addition, as the likelihood is already very low, mitigating this aspect of the threat is normally not beneficial, so all we are left with is the ability to reduce the impact if and when the identified event occurs.
As risk managers, we therefore look for mitigating strategies that reduce the criticality of the potentially affected resource or process, and so reduce the current level of risk. We also look to key fall-back strategies: continuity planning, covering business recovery, and insurance, covering financial recovery of residual risk.
Unfortunately, in several industries where there is potentially significant impact on human lives and the environment, the residual risk cannot be fully mitigated even with appropriate fall-back plans in place. Rather, the consequential harm to reputation and to those impacted by the event must be reduced as far as possible through funded preventative strategies.
So how are these threats identified in the first instance? Active Risk Manager provides three ways of identifying and managing such risks:
- Manually black flagging a risk: employees across the business can flag a risk as being of such magnitude that the company needs to have a plan in place for how to manage the event. Black flags bypass all traditional scoring methods and go to the top of the escalation queue for monitoring. This enables the organization to set probability aside and assess the risk based purely on the impact the event will have on the organization.
- Assessing risk against risk appetite for different levels of the business and types of risk. This can be seen below, where extreme risk events are categorized as falling outside of acceptable risk appetite levels, thereby escalating them for more advanced mitigation strategies.
- Reporting on impact only. Increasingly, we are seeing customers use ARM to monitor and report on the impact dimension of risks only, with each impact type (financial, reputation, market share, HSE, etc.) having its own level of risk appetite and being reported on in a consolidated manner up through the business regardless of likelihood. ARM’s uncertainty quantitative modelling is often used as a stress test of the “worst case” scenarios.
Once an organization has identified and is able to escalate and communicate black swan events effectively, it then has the starting point from which to consider strategies for accepting, reducing or recovering from such events.
ARM offers the necessary controls, actions and fall-backs, often together in a single strategy, to form robust mitigation plans to protect stakeholders and then, most importantly, enables tests to be performed to ensure they can be relied upon.
Organizations can prepare themselves against Black Swan events, but first they need to be able to identify and communicate them to key decision makers so they can take appropriate investment decisions to protect the interests of all stakeholders against organizational risk appetite levels.