job Blogg

Coronavirus and taming grey rhinos

A quick google search of “Black Swan” “Corona” reveals numerous articles have already been written equating the effects of the Coronavirus with a Black Swan. Is this a fair comparison? A “Black Swan” is an event which is both random and unpredictable. A key definition is that the event was unthought of, unimaginable beforehand. Was it? Most definitely not. It was a “Grey Rhino.”

The term “Grey Rhino” was first coined by Michele Wucker. According to her a Grey Rhino ‘is a is a highly probable, high impact yet neglected threat: kin to both the elephant in the room and the improbable and unforeseeable black swan. Grey rhinos are not random surprises but occur after a series of warnings and visible evidence.”

Where were the warnings?

Here are some notable examples;

In his TED-talk ‘The next Outbreak? We’re not ready’ from 2015, Bill Gates stated as follows: ‘If anything kills over 10 million people in the next few decades, it is most likely to be a highly infectious virus, rather than a war.” Gates’ main point was that whilst countries had invested heavily in nuclear deterrence, very little had been done to develop a system to stop an epidemic. Ebola was the wake-up call the world required.

The World Health Organisation (WHO) has also waved red flags over the years and defined the risk as acute in 2019.

A world at risk
The world is at acute risk for devastating regional or global disease epidemics or pandemics that not only cause loss of life but upend economies and create social chaos.

GPMB 2019 annual report

The above statement is from a report published by the Global Preparedness Monitoring Board (GPMB) in September 2019. It was issued under the auspices of the WHO.

The report gave rise to the following headline on CNN in September 2019; “The risk of a global pandemic is growing — and the world isn’t ready, experts say”.

So yes. There have been warnings. Experts have urged the world and country leaders to act.

Global pandemic: Top ten risks for business?

In connection with the gathering of the good and great in politics and business in Davos an annual Global Risk Report has been published for the past 14 year. The report is based on a Global Risk Survey carried out the year before. Risks are analysed according to probability and impact on a scale of 1 to 5 where 5 is highest.

Was a potential pandemic on the risk radar?

“Spread of infectious diseases” was listed in the 2019 Global Risk Report. It scored at just over 3 for likelihood and over 3.5 for impact. OK, it was not one of the top 5 risks and admittedly the real impact of the pandemic both in terms of lost lives and global financial depression is a 5 not a 3.5 – but it was there in the 2019 report and in the following year’s report. For 2020 the impact was slightly toned down to a 3.0.

In the Executive Summary in the 2020 report there is a paragraph on health systems, where it was stated that

“Progress against pandemics is also being undermined by vaccine hesitancy and drug resistance, making it increasingly difficult to land the final blow against some of humanity’s biggest killers. As existing health risks resurge and new ones emerge, humanity’s past successes in overcoming health challenges are no guarantee of future results.”

So no. The Corona pandemic was not a Black Swan. We have been warned. It was an obvious threat facing us, waiting to charge but giving us time to act. A Grey Rhino. Ebola was a warning. So was the SARS epidemic and bird flu scares for countries in Eastern Asia. Arguably first-hand experience of the reality of virus risk has meant that countries like Singapore, South Korea and Taiwan were much better prepared for the coronavirus when it came as indeed their response has been swift and effective.

What can we learn as internal auditors and risk professionals?

Sitting at the home office in April 2020 it is hard to see that these recommendations were taken to heart. As internal auditors it reminds us of the experience when a loss hits the organisation out of the blue. There is the hue and cry of “where was the auditor?” And then you can point to a report informing of the risk and the steps that should be taken to mitigate it, which management did not follow through on.

As risk and internal auditor professionals there are two key issues we can address:

Communicating the urgency of addressing risks of low probability

The timing of infectious diseases or a global pandemic is uncertain. We need to create the urgency to address risks of uncertain timing also. It is a Grey Rhino waiting to charge at us. It will happen, we just do not know when.

For those who prefer an analytical and mathematical approach to risk, this brings to mind the comment of a senior bank employee on a stress test performed before the last financial crisis.

“We actually got an external advisor to [assess how frequently a particular event might happen] and they came out with one in 100,000 years and we said “no”, and I think we submitted one in 10,000 years. But that was a year and a half before it happened. It doesn’t mean to say it was wrong; it was just unfortunate that the 10,000th year was so near”.

Changing banking for good report, Report of the Parliamentary Commission on Banking Standards (UK, 2013).

We need to be proactive in addressing these risks and expand our horizons when considering potential risks.

A sound risk reporting should ensure that grey rhinos are communicated to decision making bodies. These risks are an important element in providing a complete picture of the risk landscape. Risks that are on the horizon but not actually taken place will sometimes overlap with a list of emerging risks.

How to address these risks?

How can we attempt to “tame” Grey Rhinos? Once we know they are there we should ask ourselves the question “what if..?”

Think different scenarios.

Avoid groupthink and consensus. Be the devil’s advocate and think worse case. In a scenario analysis we attempt to provide a story around what would happen to our organisation if such an event were to take place. Based on this analysis one can think through the necessary course of action which should be undertaken. This should inform a re-examination of disaster preparedness.

Finally, we note that there is a change in terminology away from “business continuity and disaster recovery” to “business resilience”. This is for example an issue promoted by the financial supervisor in the UK in the consultation paper “Operational resilience: Impact tolerances for important business services” from December 2019 .

The idea of building operational resilience is more constructive and proactive than focussing on disaster recovery. The Bank of England, as supervising authority, sees the following elements as important building blocks to achieving resilience:

  1. Priorities based on a risk based approach
  2. Setting clear standards in respect of disruption and time to remediate
  3. The need to invest now to build the required resilience.

In these times we place our hopes on a vaccine being promptly available to be able to cure our societies of the effects of this pandemic.  We must consider how we can build the necessary ongoing resilience to meet not just the effects of another pandemic but also of those resulting from the other grey rhinos following behind that have us in their sights.  

The obvious one being climate change.