
Published in Harvard Business Review, this article explores disasters that almost always come as a surprise to companies but should have been predicted: predictable surprises. All companies are vulnerable to predictable surprises.


But the good news is that companies' failures to prepare for predictable surprises share a common DNA: psychological, organizational, and political barriers. Although companies will not be able to eliminate these barriers, they can take practical steps to lower them.


  • Some disasters are truly unpredictable, but others are predictable surprises: disasters you should have seen coming. But how can you tell the difference between them?
  • Anticipating and avoiding predictable surprises requires three steps: recognising a threat, making it a priority in the organization, and mobilising the resources required to stop it.
  • Failure at any of these stages leaves a company vulnerable to predictable surprises.
  • But why are we vulnerable to these predictable surprises? Because of psychological, political and organizational vulnerabilities:
    • Psychological vulnerabilities are flaws in human thinking, which psychologists call cognitive biases, that lead us to ignore or underestimate looming disasters. These biases lead us to believe that things are better than they really are, or make us focus too heavily on the present rather than the future.
    • Organisational vulnerabilities relate to the structure of organizations. They emerge because of divisional silos that fragment and scatter information. Various people have various pieces of the puzzle, but no one has them all.
    • Political vulnerabilities are systemic flaws in decision making that stem from imbalances of power and plays of politics. This may lead to executives over-evaluating one particular group whilst under-evaluating other, equally important groups.


Why does this matter for businesses?

  • Cyber attacks are predictable surprises. People rarely come to work expecting a cyber attack, so when it happens, it feels random and unpredictable. But in fact, cyber attacks are predictable surprises that exploit weaknesses in organizational designs and technical architectures.
  • Many companies that suffered serious cyber attacks acknowledged that slight tremors heralded the attack: weak signals that something was wrong, which were ignored.
  • Viewing cyber attacks as predictable surprises acknowledges the inevitability of attacks and shifts focus away from prevention to preparing to respond, from security to resilience.

