President Donald Trump, at a March 19th briefing, said, “Nobody knew there’d be a pandemic or an epidemic of this proportion.”

This is not an accurate statement (see, for example, last year’s Worldwide Threat Assessment of the US Intelligence Community, 1/29/2019), which, given President Trump’s falsehood rate of 15 per day since taking office, shouldn’t be all that surprising.

And yet, in Donald Trump’s defense (you have no idea how hard it was to type those words) …

But before we get to that, here’s a quick recap of how organizations plan their risk responses. It isn’t, in principle, particularly complicated. Risk managers:

  • Establish their planning window.
  • Enumerate the relevant risk categories and specific risks.
  • Estimate each risk’s probability of occurrence within the planning window.
  • Forecast the harm should each risk become real.
  • Determine the logical level of investment for dealing with each risk.
  • Decide which of the four responses to risk is most logical (or are most logical — combinations are allowed):
      • Prevent, also called “avoid” — reduce the likelihood of the risk becoming real.
      • Mitigate — reduce the harm should the risk become real.
      • Insure — for a fee, share the financial harm that occurs when the risk becomes real with a third party.
      • Accept, also called “hope” or “ignore” — do nothing.

Speaking of risk, I’m taking on quite a bit with the above analysis, namely, that members of the KJR community who are more knowledgeable about the subject will blister me for such a ghastly oversimplification. If you’re among them, please share what you know in the Comments.

Where was I? Oh, yes, the Trump administration’s response to the threat of a pandemic, which was to ignore it, in spite of, as explained last week, its statistical inevitability.

Among the questions this raises: How many businesses insured themselves against the threat of a pandemic, prevention being impractical for your average business, and mitigation … for example via supply chain diversification … having severe scope limitations?

My guess: Not many.

The plain, sad fact of the matter is that most businesses, most of the time, have to accept more risks than they respond to through prevention, mitigation, or insurance. Among them:

  • Nuclear war.
  • Stray asteroids.
  • Your sole remaining IMS expert calls in rich from the Caymans.
  • Malware invades the GPS system, resulting in randomly calculated driving routes that disrupt shipping for your products and supply chains.
  • IT’s planners didn’t know their predecessors “solved” their Y2K problems through the use of a “pivot year,” which solution expired last year (and thanks to Al Vyssotsky for bringing this to our attention in last week’s Comments).
  • The company you outsourced IT to pulls an Enron and goes toes up.
  • A voice in your CEO’s head tells him to slaughter the rest of the executive leadership team with a machete during its annual planning retreat.
  • Mutant chimpanzees declare war on humanity.
  • Two words: Disco revival.

It’s something you can count on: The next risk that turns into reality will, in all likelihood, be a risk you Accepted because, like most businesses, you can’t afford to plan for every risk you can think of; probably you can’t even afford to plan for all the ones you know are serious and likely.

Does this mean risk management is a pointless discipline? Of course not.

But along the way to effective risk management, before making specific plans for specific risks, should be a commitment to these management basics for any Accepted risk that had the poor manners to become real:

(1) Don’t deny; (2) focus your best experts on the problem, whether or not they occupy the most appropriate boxes on the organizational chart; (3) give them whatever resources they say they need without quibbling or negotiating; (4) clear away any institutional roadblocks they bring to executives’ attention; and (5) set the right example — shut down any and all attempts to blamestorm the cause of the situation.

While your experts dig in, you and your fellow leaders should be communicating honestly and directly with employees about what’s happening, what the company is doing about it, and what to expect, to the extent you’re in a position to know what to expect.

Meanwhile, I’m going to take my own advice about not blamestorming our current situation.

No matter how hard I have to bite my tongue to take it.

# # #

But feel free to bait me in the Comments section!

My all-time favorite editing gaffe garbled a column I wrote about Y2K.

What I wrote: “The money saved dwarfed that spent on remediation.”

What InfoWorld printed: “The money saved the dwarfs that spent on remediation.”

I felt like Thorin Oakenshield with a corrupted database.

Speaking of Y2K, my recent column on COVID-19 and what you should do about it (“When Corona isn’t just a beer,” 3/2/2020) included a reminder of the KJR Risk/Response Dictum: Successful prevention is indistinguishable from absence of risk. I used the global, effective response to the H1N1 virus as an example.

Several correspondents reminisced with me about another, even better example: Global IT’s astonishingly effective response to the Y2K bug, and the ensuing certainty among the ignorati that it was all a hoax.

Y2K’s outcome was, in fact, a case study in what David Brin calls self-preventing prophecy. In the case of Y2K the problem of using two digits to represent the year in date fields, with the 19 prefix assumed, was indisputably real. The potential impact should the world fail to correct the problem was, in the aggregate, unknown and probably unknowable. Concerns ranged from the mundane — employees and customers who, according to HR and CRM systems, would have had negative ages — to the alarming but unlikely possibility of computer-controlled elevators plummeting down their shafts.

For a more in-depth account, read “The Lessons of Y2K, 20 Years Later,” Zachary Loeb, Washington Post, 12/30/2019.

Pre-COVID-19, we knew that the overall risk of a viral pandemic arriving soon enough to be worth investing in advance preparedness was high. Did we know which virus, exactly when, exactly how contagious and exactly how virulent? Of course not. The Y2K problem was definitive. COVID-19? The lack of in-advance specifics made, for some decision-makers, the fourth risk response (hope) attractive.

About all we know about the risk of future pandemics is that it’s increasing. That isn’t in any doubt because (1) a pandemic only needs one sick person to get things started; (2) every year, Earth has more persons who could become that one sick person; and (3) every year, more and more people travel to more and more destinations, and “more and more” means a higher likelihood that the one sick person could cross borders to spread their disease more widely.

But never mind all that. Observing the global response to COVID-19, we in IT should be busily patting ourselves on the back again … washing our hands before and after we do, of course.

We deserve the back-patting because if it weren’t for IT, and specifically if it weren’t for our investments in: electronic mail; internal chat; file sharing technology; web conferencing systems; secure remote access to business applications; along with, I hope, broadly available training in their use, coupled with, at this stage of our evolution, peer pressure to master at least the basics coupled with peer knowledge-sharing to provide informal support … if the world of commerce hadn’t embraced these technologies and the idea of remote workers they support, your company’s Business Continuity Plan, sub-section Pandemic Response Plan, would be pretty much worthless.

And right now, if it weren’t for these business innovations that quietly took hold over the past decade or so, the current pandemic’s impact on the world economy would be quite a lot worse.

It’s only ten years ago that I wrote “10 sure-fire ways to kill telecommuting” for InfoWorld (3/30/2009). Some readers got the joke. Even those who thought I was serious recognized that telecommuting was far from universally accepted among business leaders and managers.

Among evolutionary theorists, this sort of thing is called a “preadaptation.” It means a species develops some heritable trait or behavior because natural selection favored it for an entirely different reason. Sometime in the distant future the species makes use of it in some entirely different way that gains an entirely different advantage.

For example, fish developed swim bladders to control their buoyancy. Long, long afterward the swim bladders they had as fish evolved into the lungs they needed as amphibians.

Likewise what we used to call telecommuting and now call remote work. Organizations didn’t embrace it because it would make them more resilient in the face of a global pandemic. They embraced the practice because it reduced the cost of business infrastructure, gained access to a broader pool of talent, and let companies construct project teams out of a broader array of employees.

The moral of this story: You can’t predict all the ways a new technology might create value. So don’t let your governance committees stifle experimentation. You never know when an experiment might turn out to be a preadaptation.

What you do know: If you prevent the experiments then they won’t.