I may be going out on a limb, and stepping on a lot of toes, by frustrating the careers and reputations of some risk managers. Simply put, this global pandemic/crisis is not a black swan event. I am finding too many GRC professionals, and risk management professionals in particular, trying to cover their behinds by claiming that the pandemic is a black swan. Being unprepared for a risk does not make that risk a black swan.

You may ask: what is a black swan?

A black swan is an unforeseen and unpredictable event that has a significant impact on the organization (or industry, or economy). The term refers to the old European understanding that all swans, as in the bird, are white; there was no concept of a black swan. Then explorers overseas found black swans, and the paradigm of what a swan is changed. The key word is unforeseeable: an event that was foreseen, warned about, and simply not prepared for is not a black swan.

The truth is that we have had pandemics in the past. We have had threats of pandemics. We have been warned about it countless times.

The reality is that this should have been on the ‘risk radar’ of organizations, but for many it was not. Now a lot of risk managers are trying to deflect scrutiny from themselves by claiming it was a black swan. Again, being unprepared for a risk does not make it a black swan.

I find that too many risk management programs (e.g., corporate risk management, enterprise risk management, operational risk management, GRC, IRM . . . pick your favorite label) have been hijacked by IT security, a department that really does not understand environmental, health and safety, and the other risk areas that can have a big impact on the organization and its objectives. If we look at the WEF Global Risks report, the top risks the world faces are environmental risks and health and safety risks.

Don’t get me wrong, IT security is a huge risk area, and one of great concern that can impact the organization’s objectives. My issue is that too many risk management programs have focused on IT security to the point where they were unbalanced and ignored other risks, such as the pandemic we now face.

I would like to see the organization that has actually been tracking this: one that six months back had this on its corporate risk heat map (I am not a particular fan of heat maps and find them misleading and misused) as a high-impact, low-likelihood event, and can show how its risk monitoring moved that event, month by month and then week by week, to a high-impact, high-likelihood event. I would estimate that 99.9% of organizations have failed to track and monitor this risk with regular reporting at the board and executive level. Which of these organizations have actually quantified the risk and its various scenarios as it unfolds, putting real numbers to the risk and its impact on the organization? Which organization has the best case study in how it has historically monitored this type of risk and been best prepared for it?

I remember a decade back, coming out of the Swine Flu pandemic that cost 200,000 lives, that many organizations were building continuity plans and even running cross-industry table-top exercises and scenarios to prepare for the next pandemic. Were any of the organizations that did that work then ready now? Most closed the ledger on even that recent history in their risk planning and monitoring.

Coming out of this crisis, we will see enterprise risk strategies that are more balanced, with a broader understanding of the risks to the organization’s objectives. Environmental, health and safety, quality, supply chain/procurement, and other functions will have a stronger and more active role at the organization’s enterprise risk management roundtable.

We are also going to see a lot of regulation, across industries and around the world, come out of this that is focused on operational resilience. This is already happening in the financial services industry in the United Kingdom with the Operational Resilience requirements from the FCA, PRA, and Bank of England. I predict we will see operational resilience regulation that requires an integrated approach to operational risk and business continuity across industries and geographies.

What are your thoughts on this crisis, and on how unprepared organizations were for something they should have seen coming?



  1. Everyone knew it was coming, but it’s just so much work to get ready for the problems.

    The real crime will be not planning for the recovery that is coming (you pick the month when it will start) – it’s not just going to be a turn-the-lights-back-on event – there are going to be massive complexities, confusing jurisdictional problems, shortages, and a host of other problems.

    Getting a start on this now is imperative, and building an intelligence/situational awareness capability that will run 24×7 until the world hits its new normal is something you can execute on now. TX360 and TX Global are 2 cloud based solutions that can be rapidly deployed and assist you.

  2. Absolutely! I have raised this as a risk scenario for table tops (at minimum) with multiple organizations, only to look like I was from another planet. In all but one case, another, more common scenario (for which they were already prepared) was selected. This COVID-19 moment is now a concrete event to refer to, as Target is to cyber security and 3rd-party risk. So there will be traction with the strong surviving companies. But what thoughts do you have about “selling” risk scenarios that haven’t had such impacts yet – to prioritize preparation for “forecasted (by the experts) but with unknown timing” events?

  3. Adding to my earlier thought (feel free to combine)… to answer your question too: organizations that prepared were prepared for large swaths of remote work. Those that prepared for broad work-from-home efforts in their BCDR plans were in a state of workable readiness. Those that planned to fail over to a co-operative, local, separate business site were unprepared in a large way. Especially if there was also a “we don’t work from home” culture as well. A full retro of: what worked; what didn’t; what was outrageous to do and maintain even though it worked; what security steps were overrun; and what we need so we could do it next time — is the approach that is needed. Regardless of how well (or not) things were made to work in this event.

  4. Well put Michael – I totally agree with you! Any organisation (and country) that hasn’t recognised pandemic risk and put in place controls needs to be ashamed. From a country perspective, the response by several Asian countries to the current crisis has been exemplary, mainly due to having learnt from not being prepared for SARS 15 or so years ago.

  5. Agreed. If we are always preparing for another war, then why aren’t we prepared for another global virus outbreak – Covid-19? It’s not like this has never happened before.
    Be safe my friend!!!

  6. The three typical business continuity and recovery scenarios are loss of premises, loss of systems (including cyber risk), or loss of people (including pandemic). Certainly in our organisation, we have always considered the third in our assessment – but here is the rub. It has always been from the perspective of not having the people to do the work, i.e. decimation of the workforce. So the resilience was built around cross training, depth of knowledge and succession planning.

    The clue for our resilience, however, was in the first scenario. Our global business has powered on – NOT because of pandemic preparedness, but from being prepared for the potential loss of premises. For us, this pandemic has not been about loss of people (thank goodness none of our 500 people have yet been infected), but about dispersal. Having the tools and the organisation and the decision-making courage to direct everyone to work from home. None of our 9 offices globally are open, but the work goes on. Yes, productivity is taking a hit, but not drastically. We are not an essential service, but we manage the savings of 30 million people around the world, so our alertness and mobility and the leadership we have received have been fantastic. The next challenge for us, as it is for everyone, is being able to continue this for the foreseeable future. We humans can be fragile in some aspects. I hope all in the risk community are coping well, and able to assist the first line to keep on keeping on.

  7. Hello Michael, good to flag this. To add… First, Nick Taleb himself doesn’t think this is a “black swan.” https://www.bloomberg.com/news/videos/2020-03-31/nassim-taleb-says-white-swan-coronavirus-pandemic-was-preventable-video. I’d put most all of what Taleb thinks are “black swans” as white. Second, far more important is to understand “Gray Rhinos,” as Michele Wucker terms them. At its core this is about brain science, overcoming structural blindness and cognitive bias. These have vexed humans for millennia. The ancient Greeks often termed it “hubris.”

  8. Agree completely Michael. There’s a tremendous amount of ass-covering right now.

    Keep up the good work & stay well.

    ……One other thing – the Nursing Homes here in Ireland are just about being hit badly right now.

    We are in this market for about 12-18 months and have a bunch of customers using Xyea.

    Since the COVID-19 event began in Italy I put a plan together to get an App developed that care home managers can use to track their control measures, audit staff practices, etc……we haven’t had a mobile option up to now.

    The initial panic reaction by home managers/owners to the arrival of the virus, which hasn’t gone away yet, is now beginning to settle.
    It’s a very challenging situation – difficult to get people to slow down, focus, accept that there will be fatalities but do everything possible to prevent and detect………
    ……..so continuously risk assess, track adherence to the control measures daily, carry out the daily audits of staff practice, daily staff testing, etc.

    We’ve been on this day & night since it initially broke – when everyone else is laying off, seeking government help, slashing costs, closing outlets, etc. – and we are well on the way to bringing out our new mobile tool.

    It has to be updated regularly with the new measures being announced by the government here –
    But it should have application for a care home in any jurisdiction (for Infection Prevention & Control, not just COVID-19), and also for any sector that is grappling with trying to meet the requirements around testing, distancing, use of PPE, isolation facilities, etc.

    Thanks again & regards,

  9. As an auditor, I regret not having seen such a high-impact event coming. Many friends told me “you’re not alone,” but it’s not consoling enough. I still think what happened is a shortcoming for the internal control and risk management profession. As others suggested, we will most probably have to look for an explanation in neuroscience rather than in the management fields.

  10. Agree. I was the Director of GRC for a Fortune 50 company and pandemics were on our risk assessment for many years. This is not a black swan. It will be interesting to see if the plans are actually executed and if they were sufficient. This event shows the importance of planning for what seems to be low likelihood, high impact events.

  11. Very brave, Michael, but absolutely correct. Keep it up please; we need to remind people continuously of these things. We have a terrible tendency as humans to forget the difficult mistakes, and simply repeat them. There was adequate research done, and many warnings, but it suited people to view this as impossible. People have to learn from their mistakes rather than repeat them.
