Does Strategic Scenario Planning Still Make Sense in the Face of Black Swan Events? Transcript

Ross Martin:

Agreed. So our next topic is, does strategic scenario planning still make sense in the face of black swan events? We were reading an article in the HBR around when scenario planning fails. And this was a situation where they described a number of companies in the Nordic countries who were dealing with the pandemic, like we all did, And at the same time, the Russian invasion of Ukraine created yet another Black Swan event, and they were having to deal with two at the same time, and how they dealt with it, and the different reactions of the different types of companies. just to make sure everyone understands the definition of a black swan event is based on the history. There was a saying that this thing is as likely as seeing a black swan because in Europe they had never, they didn't exist. And they assumed they didn't exist. But the fact is they did exist down in Australia. So now what it really means is it was a completely unforeseen event that you can't plan for. But then in hindsight, It could have been foreseen, but was not. So that's the idea around here, is how do these different companies dealt with being hit twice by things that they could not have planned for. Right, right.

Idris Manley:

So it's interesting. So the last company I worked at, I was a VP of PMO. They are actually a leader in AI risk management. So I had a lot of experience and familiarity with risk management. Particularly like real-time analysis of risk management, etc. But to the question, I think it's yes and no. Certainly, there are risks that, in terms of probability, are more likely to occur. And I think it's important for companies to have playbooks. for those risks that they can anticipate and expect, um, within a reasonable probability. But as you said, there are risks that you cannot anticipate and expect. And in those instances, it's important to at least have a playbook for how you will, you know, sort of a meta playbook, uh, you know, playbook for how you will establish a playbook, uh, to, to, uh, you know, to address risks that were unforeseen and that you weren't prepared for.

Ross Martin:

Yeah, and what's interesting is that one of the companies that actually did very well in in Scandinavia with all of this, like all the rest, they didn't foresee these things happening. But what they did is they had a group within their company who dealt with unforeseen events and who was like a tiger team that could drop in and help solve complicated problems. And the reason they had that in their company wasn't because they anticipated these things happening, but because of the nature of that particular industry and their business, they needed to They kept getting surprised by things. So they created a group to handle surprises. When these surprises happened, that group took these on as well. And then they jumped at it. So again, you can't plan for exactly what it is, but you can plan to, you can be better at adapting to the unplanned.

Idris Manley:

Yeah, yeah, absolutely. And I think this is such an important conversation because I think, you know, prior to the Internet, you know, when you thought about risk, a lot of risk was physical risk, right? It was security, physical security. People would be able to get into different, different physical areas and, you know, for nefarious reasons. But now digital risk seems to really, well, it's where most of the risk lies, or at least where the attention and the budgets are going to try and combat and address internet related sort of network risk. And so in that instance, you really don't know where it's coming from, when it's gonna happen, how it's gonna happen, you just know that there's a lot of risk out there and it's really important for companies to be able to think through this from a scenario planning perspective and to make sure that they're budgeting sufficiently and they're staffed and resourced sufficiently to be able to deal with these potential risks that may occur.

Ross Martin:

One of the things that happened during the pandemic that we all remember were the supply chain disruptions were pretty severe. And that impacted a lot of companies as well. And one of the companies in this study actually had all of its key suppliers were in Russia. So when the Ukraine invasion happened, that caused some serious problems. The reality is, no, you can't foresee that, but they could have foreseen that they were hyper-focused on getting, they didn't have a diverse set of suppliers across different geographies and then across different types of countries, and that was a risk. So you can really start to look more carefully at, you know, where you are vulnerable and create some strategies and change things to be less vulnerable, even if you don't know specifically what might come.

Idris Manley:

Yeah, yeah, no, no, agreed. I think I think another interesting question is, how do you incorporate risk planning into your strategic planning, sort of annual strategic planning exercises as well? Because I think oftentimes for companies, you know, that's handled by the CISO, you know, and they're sort of operating and managing sort of those planning efforts sort of independent of the annual planning exercises, but I think it's important for all of the key executives to have a view and an understanding of where the risks exist and to make sure that your leader in risk and risks is also at that table and can provide context around some of the business goals that are being planned for the year, being able to sort of understand them within the context of potential risks and being able to contribute to the conversation that way.

Ross Martin:

I find it interesting, though, Idris, one of the things you were mentioning when you were talking about risk management leadership was the CISO, right? The Chief Information Security Officer. And yet, in a way, that's just one part, right? That's the risk to the organization through, you know, through hacks and breaches and that sort of thing. It's your digital risk controls and management. I think it would be interesting to consider whether risk management in general needs to have a broader view around all possible risks. And maybe at some point, there will be such a thing as a chief risk officer at, you know, key enterprises.

Idris Manley:

Well, I think that's actually happening. I think you're right now you're seeing in the in the risk space, there's a consolidation between the individual is responsible for physical security risk. The individual is responsible for information, sort of security risk. And you're seeing these roles being consolidated, merged, and you're finding that one leader has oversight and visibility and responsibility for all risks, whether they are physical or digital. And there's also sort of hybrid. There's also digital risks that can have impacts on physical assets. Right. You just mentioned like the oil or the pipelines where, you know, you enter into a computer system and then it affects your nuclear, you know, your nuclear systems or your pipelines. And so there's a lot of crossover now as well because there's so much integration between digital and physical. And so it's it's certainly critical that that there's one person that can oversee all of that.