- Businesses are used to developing crisis plans to guard against specific potential threats, but not for when those events prove asymmetrical in nature.
- When there are too many factors at play, and different kinds of threats possible, companies need to prepare to be ‘threat-agnostic’.
- Meta-readiness will allow organisations to handle any type of threat by building capabilities that can handle chaos.
If you’re a government or business leader, you probably spend much of your time trying to anticipate threats and preparing for them. You know that heading off a crisis is less difficult and expensive than trying to fix the damage after the fact. Yet for all the time and money spent on crisis prevention, companies and communities are still regularly blindsided by terrible events that somehow slip through the cracks.
In hindsight, the causal logic of a crisis — how one occurrence led to another, and then another — is often clear. That does not mean it could have been easily predicted, let alone prevented. The combination of factors at play gives the event a high level of asymmetry: the seemingly low probability of the event versus the high cost of preparing for such an event and the immense costs and destruction if it occurs.
Most catastrophes have some asymmetric aspect. The devastation rarely happens the way people think it will: It isn’t possible to keep track of all the factors or anticipate how they will combine. This is true of natural disasters, deliberately generated threats, such as cyber attacks, and even geopolitical crises, including wars.
Threat ecosystems and
Call them black swan events, surprises, blind spots, or asymmetric threats. The challenge for organisations is to find a strategic way to mitigate these often lethal, always unpredictable risks without ‘boiling the ocean’ with multiple analyses, wasting their money trying to prevent a wide variety of potential crises, or having multiple departments develop separate crisis-prevention functions.
Even though the precise time, place, form, and effects of these events can’t be foreseen, such events can be better prepared for. This requires a fundamental mind shift from a focus on battling specific threats to a threat-agnostic approach.
When you take this approach, you focus on what might be called meta-readiness: preparing your own innate ability to handle any type of crisis that emerges, you build up your capabilities to manage the chaos that follows any large-scale upheaval.
There are at least four broad classes of asymmetric threats. Each of these threat ecosystems has its own way of surprising people.
1. Unprotected infrastructure.
A natural disaster, a terrorist attack, or simply a prolonged deterioration can diminish the continued operation and efficiency of embedded large-scale infrastructure — including public systems for transportation and power, or private systems such as commercial ports and financial exchanges. Also vulnerable are many of the legal measures and regulations put in place to protect these infrastructures. These systems, upon which society depends, have been shown to be vulnerable to such a complex combination of factors that organisations and governments struggle to identify them. Given limited resources, businesses prepare and governments regulate for the risks that they can see. But those are often not the right ones to focus on.
Consider the artery of a nation: the power grid — a highly complex, highly decentralised enterprise that is vulnerable to attack. A structural breakdown or a coordinated attack could cause power losses from hours to weeks. But beyond the substantial direct economic costs of a large-scale failure, the damage could cascade to other critical nodes of a region’s infrastructure. Without easy access to electric power, nearly everything would sooner or later be disrupted: banking, the Internet, the stock market, the water supply, the food supply, sewage, roads, hospitals, military operations, fuel, and air traffic control
2. Vulnerable technology.
Society’s dependence on the Internet (and, increasingly, on connected devices in the Internet of Things) makes it exceedingly vulnerable to asymmetric threats. Paradoxically, the Internet itself evolved out of an attempt to forestall an asymmetric threat in an effort to make critical control of communications technology invulnerable to nuclear attack.
As companies surrender more and more of their operations (and even agency) to automated systems, they tend to expect that the technology will always work as designed. This expectation becomes an Achilles’ heel — a vulnerability that will continue to be exploited by individual hackers and, increasingly, by sophisticated nation-states. The corrosive effect of repeated cyber theft and identity theft leaches down to the consumer level as well; it becomes a constant, unwelcome fact of life.
Other technologies are also vulnerable. Breakdowns in autonomous vehicles, in dams and water management systems, and in health-related technologies are far more manageable when they are expected to fail. When technological failure is seen as unacceptable or impossible, this threat becomes more serious.
3. Underestimated disasters.
Sometimes the worst-case scenario actually happens. And, typically, human beings are biased against foreseeing and preventing it, because of economic concerns, liability issues, a lack of long-term memory, or simply denial or rationalisation.
The most common case in this category is a potential threat that leaders are aware of — for example, a natural disaster such as a hurricane, flood, drought, earthquake, tsunami, or wildfire — whose damage is easy to underestimate. At the same time, leaders may overestimate their capacity to handle it. This perception, rather than the threat itself, poses the greatest risk. This category, however, does offer a great opportunity for learning, preparedness, and future mitigation, on the part of both the public and private sectors.
When compounded by the first two asymmetric threats — unprotected infrastructure and vulnerable technology — underestimated disasters can expand to inconceivable magnitude.
In March 2011, when the earthquake and tsunami struck near Fukushima, Japan, it was seen at first as manageable. But there were other factors at play, including: litigation fears; cultural barriers; insufficient safety guidelines and response preparations; and technological systems, including the backup cooling system, that failed to operate. These factors contributed to a crisis of epic proportions.
4. Innovative geopolitical attacks.
In discussing cyber-attacks, it is important to distinguish between two variants. The first is cyber theft: crimes, including the taking of identity information and intellectual property (IP), that are intended to achieve economic gain or competitive advantage. The other kind is even more pernicious: cyber sabotage, generally committed in order to destroy the electronic infrastructure on which digital society depends.
Either variant can be committed by independent hackers, terrorist groups, or governments, taking advantage of the shaky reliability of digital technology. The asymmetric nature of these threats reflects the continuous technical R&D that goes into them, as well as the unpredictable nature of their impact and the response to them.
Like other forms of espionage, state-based cyber-attacks are intended to grow a country’s overall capacity to influence events in other countries. An attack against a country’s power grid, for instance, can distract the attention of its government and degrade or delay its response.
Similarly, industrial espionage today is often conducted by state actors with the power to penetrate firewalls undetected, and steal IP. If they do so, they enable their countries’ own enterprises to skip one or several generations of R&D. By the time the original organisation realises what has been lost, it is often too late. Businesses that are counting on a technological edge may need to think about it disappearing faster than expected.
Adopting a meta-readiness
Nobody has the resources to prepare for every eventuality. But that doesn’t mean you are helpless. It’s less important to develop the precise response to every particular threat than it is to establish your own broad categories of threat response. Adopting a threat-agnostic approach, in fact, is key.
Some guidelines to follow:
- Acknowledge that one day you are likely to encounter an existential threat that you didn’t expect, and set up an ethic of continuous crisis-response improvement.
- Look at the universe of risk through the lens of the four broad threat categories. Create a plan for each.
- For each larger threat category, assess your current crisis-response capability. Fill in any gaps, adding whatever tools or technologies are best suited.
- Build up your business intelligence capability. Business intel can not only serve as an early warning radar, it can also help you optimise your existing resources to meet the threat head-on.
- Look at the way your own internal practices contribute to (or create) asymmetric threats.
- Build your ongoing capability for managing asymmetric crises. Test again and again until the muscle memory for how to handle an unexpected crisis has been acquired by your full management team.
Planning for the
The reputation with which you emerge from a crisis will depend more on how seriously you anticipated the possibility of a disaster and how well you responded than it will on how well you predicted the precise threat. And even if it feels as though you are living in constant uncertainty, unable to predict your future, there is one certainty you can hold on to: Adopting the right stance and set of processes can almost guarantee you a better outcome. All things considered, those are good odds.
This is a condensed version of an article originally published in strategy+business.