The October 2009 issue of Harvard Business Review has a great article on risk that needs to be shared and read inside IT. We tend to look to the past to predict the future and as this article points out, that is a weak and ineffective position to take. We can’t really predict a 9/11 or a Katrina event very well. We think about standard deviations of impact, but a 9/11 event is far outside the expectation that might have been planned in advance.
Instead, we have to focus on being resilient organizations with resilient processes and infrastructure. I read a book years ago, Managing The Unexpected, which was quite good. It talks about managing risk on the deck of an aircraft carrier or in the control room of a nuclear reactor. Few of us have to manage those levels of risk and complexity, but lessons from those arenas might help us think differently.
I tell people that there are two areas that are always going to be worry areas for CIOs, and those are security and business continuity planning. We try to prepare the enterprise against all possible risks in those areas, but as this article discusses, we can’t find all those risks. We can’t predict all the ‘black swans’. Instead, we have to figure out how to be resilient. We have to 1) make prudent investments up front, 2) practice what we can, 3) learn from others, and then 4) focus on being nimble, fast and clear in our communications.
In the case of security and business continuity planning, we have to understand that ‘we don’t know what we don’t know.’ We can’t just look internally at our experiences and what we think. We must participate in the trade shows and conferences, listen to experiences of others and seek out input from a diverse set of sources.