First published in Harvard Business Review, this article explores disasters that almost always come as a surprise to companies but should have been predicted: predictable surprises. All companies are vulnerable to predictable surprises.

The good news is that companies' inability to prepare for predictable surprises shares a common DNA: psychological, organizational, and political barriers. Although companies will not be able to eliminate these barriers, they can take practical steps to lower them.

Summary:

  • Some disasters are truly unpredictable, but others are predictable surprises: disasters you should have seen coming. But how can you tell the difference between them?
  • Anticipating and avoiding predictable surprises requires three steps: recognising a threat, making it a priority in the organization, and mobilising the resources required to stop it.
  • Failure at any of these stages leaves a company vulnerable to predictable surprises.
  • But why are we vulnerable to these predictable surprises? Because of psychological, political and organizational vulnerabilities:
    • Psychological vulnerabilities are flaws in human thinking; psychologists call them cognitive biases, and they lead us to ignore or underestimate looming disasters. These biases lead us to believe that things are better than they really are or make us focus too heavily on the present rather than the future.
    • Organisational vulnerabilities relate to the structure of organizations. They emerge because of divisional silos that fragment and scatter information. Various people have various pieces of the puzzle, but no one has them all.
    • Political vulnerabilities are systemic flaws in decision-making that stem from imbalances of power and plays of politics. This may lead to executives over-evaluating one particular group whilst under-evaluating other equally important groups.

Why does this matter for businesses?

  • Cyber attacks are predictable surprises. People rarely come to work expecting a cyber attack, so it feels random and unpredictable when it happens. But in fact, cyber-attacks are predictable surprises that exploit weaknesses in organizational designs and technical architectures.
  • Many companies that suffered from serious cyber-attacks acknowledged that slight tremors heralded the attack: weak signals that something was wrong, which were ignored.
  • Viewing cyber attacks as predictable surprises acknowledges the inevitability of attacks and shifts focus away from prevention to preparing to respond, from security to resilience.

 
