IT Risk Management as Seen by the Man with the Black Swan

The man in question is Nassim N. Taleb. He coined the term “black swan” in risk management to describe events that are unforeseeable, even highly unlikely, yet that happen and in doing so change the course of history.

World War One was such a Black Swan; so was the arrival of the Internet. Now, Nassim Taleb may not have looked at the specific case of IT risk management, but observations he made with his colleagues Daniel Goldstein and Mark Spitznagel carry over well from the general to the particular.

  • IT risk management isn’t a matter of predicting extreme events. Put simply, we’re no good at making such predictions. But we can take reasonable precautions against disasters by planning for disaster recovery in different situations, even if we don’t know whether a disaster will strike or not.
  • Looking at the past won’t help (much) with risk management in IT. Taleb quotes a statistic in business that less than 0.1% of risky events will cause at least half the losses of an organisation.
  • Much good advice in IT risk management is about what not to do. Organisations that simply use IT to focus on preventing losses can survive when risk-taking rivals (who go for gain, but forget about losses) go bust.
  • Risk and standard deviation don’t get along. Conventional models say almost no event should lie outside seven standard deviations, whereas movements in real life can exceed as many as 30 standard deviations (to get standard deviation, square all your measures, add those squares up, then take the square root of the total).
  • Beware of personal slants on probabilities. Does an IT strategy that has a 90% probability of success sound better or worse than an IT strategy that has a 10% probability of failure? Sometimes the same piece of information sounds quite different when expressed in two different ways.
  • Redundancy isn’t inefficient, it’s mandatory. Critical business IT systems need to be duplicated, or offer the possibility of speedy duplication at any moment. Sometimes cost reduction programmes can simply go too far.
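The second and fourth points above can be made concrete with a small calculation. The script below is an added example, not part of the original article or of Taleb’s work: it fits the usual standard deviation (root mean squared deviation from the mean) to a constructed run of quiet days for an IT service, then asks what a normal-distribution model built on that history would have made of a single outage day. The loss figures are made up for illustration; the units are arbitrary.

```python
import math

# Constructed history (not real data): 20 ordinary days of a loss measure for
# an IT service in arbitrary units, followed by one outage day.
ORDINARY_DAYS = [0.8, 1.2, 0.9, 1.1, 1.0] * 4
OUTAGE_DAY = 5.0


def mean(values):
    return sum(values) / len(values)


def std_dev(values):
    """Standard deviation: square root of the mean squared deviation from the mean."""
    m = mean(values)
    return math.sqrt(sum((v - m) ** 2 for v in values) / len(values))


def sigmas_above_mean(history, event):
    """How many standard deviations of the past history the event lies above its mean.

    This is the view of a conventional model fitted only to the quiet past,
    which is all that "looking at the past" can offer before the event.
    """
    return (event - mean(history)) / std_dev(history)


def gaussian_tail(k):
    """Probability, under a normal model, of exceeding the mean by more than k standard deviations."""
    return 0.5 * math.erfc(k / math.sqrt(2))


def loss_share_of_worst(history, event):
    """Fraction of the period's total loss contributed by the single worst day."""
    total = sum(history) + event
    return max(history + [event]) / total


def black_swan_report(history=ORDINARY_DAYS, event=OUTAGE_DAY):
    """Summarise how the outage day looks against a model fitted to the ordinary days."""
    k = sigmas_above_mean(history, event)
    return {
        "history_mean": mean(history),
        "history_std_dev": std_dev(history),
        "event_sigmas": k,
        "gaussian_probability": gaussian_tail(k),
        "seven_sigma_probability": gaussian_tail(7.0),
        "loss_share_of_worst_day": loss_share_of_worst(history, event),
        "event_share_of_days": 1 / (len(history) + 1),
    }


if __name__ == "__main__":
    for key, value in black_swan_report().items():
        print(f"{key:>26}: {value:.3g}")
```

With these constructed figures the outage day sits roughly 28 standard deviations above the quiet-day mean, an event a normal model rates as impossible for practical purposes (its probability is far below the one-in-a-trillion it already assigns to a seven-sigma day), yet that one day out of 21 accounts for a fifth of the period’s total loss. That gap between the model’s probability and the realised loss is the point of planning for recovery rather than trying to predict the event.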