Short term incentives, goals, and resulting business practices tend to devalue preparing for low-frequency high-impact events. In addition, human cognitive biases like those generally called “availability” and “perception distortion” and a host of others, tend to weaken attempts at effective long-term risk analysis as well. Because catastrophes occur, and because recovery requires activities materially different from dealing with more “normal” negative events, we are required to have plans in place to deal with them (or to have made sufficiently-informed decisions not to). In global Financial Services, I believe that major populations of our stakeholders assume that we are doing so.
This category of events includes, but is not limited to, earthquakes, floods, droughts, tsunamis, cyclones and more. Some Financial Services organizations have attempted to address these natural and some political risks via geographic distribution of all critical functions — where the loss of any given locality or region would remain below the threshold of “catastrophe.” That approach is not effective against other types of systemic vulnerabilities. Increasingly interconnected global business and technology infrastructure and operations have added new categories of potential catastrophe. It is likely that new vulnerabilities emerge from a greater degree of interdependency and interconnectedness than executive decision-makers understand. The combination of globalization in the Financial Services industry along with Internet-enabled real-time reach is often highlighted as bringing opportunities to hedge risks through investment, vendor, partner, and customer diversity. The potential that it also brings for strategic and enterprise-wide harm is not so well documented.
Internet “plumbing” like DNS or traffic routing is the product of relatively “ancient” architectures, and in some instances incorporates decades-old code. Successful widespread exploit of that Internet “plumbing” could result in catastrophic impacts on global financial services — virtually all of our markets depend upon real-time or near-real-time Internet connectivity. Sometimes this is a direct impact, but it will almost certainly damage operations somewhere down the supply chain. Patching, disinfection, throttling, or containment at Internet scale is a challenge — one that we are not generally prepared for. Successful targeted or widespread endpoint exploit via one or another Internet pathogen has the potential for catastrophic impacts — if a hostile agent can employ malware to gain partial or total control of all our infrastructure and/or user endpoints, we don’t own our businesses anymore — that kind of asset transfer is something all financial services leaders need to be aware of. For many of us, even the failure of a single vendor/partner, or of a network of vendors/partners presenting a common interface, could result in materially negative, even catastrophic consequences. What would happen to your organization if Amazon, Google, Bloomberg, Bank of New York (pick your large-scale partner) no longer had an effective Internet presence? How would your enterprise continue to function if broad categories of securities trading and/or settlement went dark because a systemic weakness in that “market” was exploited and “turned off?”
I believe that for most of us in Financial Services, this topic deserves more attention than it has generally been receiving.
The World Economic Forum [WEF] has been sponsoring some work on this topic that might be a useful resource for starting, restarting, or enhancing this effort at your organization.
In their 2014 “Global Risks Report,” WEF authors argued that a myopic focus on quantitative risk probability measures can disserve organizations. They also warn that thinking about risk which leans too heavily on “intuitive” judgement can weaken an organization’s ability to deal with potentially catastrophic risks.
I strongly recommend reading the 2014 WEF “Global Risks Report,” especially section 2, pages 38 through 47, where it focuses on cyber-risks and strategies for managing global risks.
As a teaser, glance at their quick review of risk management and monitoring strategies below:

Risk-management strategies are guided by a firm’s risk appetite: the level of risk an organization is prepared to accept to achieve its objectives, such as profitability and safety goals. Often, although not always, there is a trade-off between profitability in times of normal operations and resilience in the face of negative events affecting the firm. Examples of risk management and monitoring strategies include:
- Mitigation measures: Actions taken by the firm to reduce the likelihood and/or consequences of a negative event; for example, designing plants to withstand specific levels of natural disasters such as earthquakes, floods and hurricanes.
- Accountability measures: Finding ways to incentivize individual employees not to cut corners in ways that would normally be undetectable but would increase a firm’s vulnerability in a crisis, such as failing to maintain back-ups. Some firms hire external consultants to assess how effectively they are mitigating risks identified as priorities.
- Supply-chain diversification: Sourcing supplies and raw materials from multiple providers in different locations to minimize disruption if one link in the supply chain is broken. Another hedge against sudden unavailability of inputs is to maintain an excess inventory of finished products.
- Avoiding less profitable risks: Firms may decide to drop activities altogether if they represent a small part of their overall business but a significant part of their risk profile.
- Transferring the risk: In addition to the range of insurance products available — liability, property, business interruption — some large firms run their own “captive” insurance companies to distribute risks across their own different operations and subsidiaries.
- Retaining the risk: When insurance is unobtainable or not cost-effective, firms can choose to set aside reserves to cover possible losses from low-probability risks.
- Early warning systems: Some firms employ their own teams to scan for specific risks that may be brewing, from political crises, for example, to storms off the coast of Africa that may become hurricanes in the US in the next fortnight.
- Simulations and tabletop exercises: Many firms simulate crisis situations; for example, by making critical staff unexpectedly unavailable and assessing how other employees cope. Such exercises can capture lessons to be integrated into the risk-management strategy.
- Back-up sites: Many firms are set up so that if one or more factory or office becomes unusable, others are quickly able to assume the same functions.
[Italics above quoted from: WEF, GRR 2014, page 44]
World Economic Forum – Global Risks Report 2014