Article author: Miky Weinberg – Owner of Tarantula Technologies Ltd and Octagon Security Ltd.
Every day of remembrance for those who perished in an extreme event, such as the attack on the Twin Towers in New York, and every contemporary event, such as the cyber-attack on Hillel Yaffe Hospital, should remind every organization’s manager how dangerous routine is and renew their duty to engage in risk management, including supervision and control over their own level of readiness and that of everyone under them. And yet, anyone with their head in place and their feet on the ground knows that no event can be predicted and that even an organization prepared for extreme events can encounter a “black swan.”
What is an extreme event?
It is an unusual event whose chances of occurrence are estimated to be very low, but once it has occurred, its impact on the organization/system is far-reaching: a small chance of occurrence and a large impact. This is not just another event. The consequences of an extreme event are usually negative, and it is defined as a “disruptive” event, one that undermines the existing order. The trigger for an extreme event can be external (political, economic, natural forces) or internal (an employee). Seen from the attacker’s viewpoint, the organization must be prepared for the wrath of the business opponent, the wrath of nature, the wrath of the political opponent, and the wrath of the opponent from within.
What is a “black swan”?
An event that happens for the first time, on a global level, and highlights the uncertainty and our inability, as humans, to assess in advance the likelihood of its occurrence and the extent of its impact. The attack on the Twin Towers was defined as a “black swan” even though the FBI’s report had early information on some of the threats that did not become a real threat.
While it is not possible to guarantee a solution to every risk, it is possible to prepare an organization better for changing situations and extreme emergencies.
An extreme event occurs for certain reasons and therefore strict adherence to a permanent risk management process will increase the chance of predicting and reducing the damage.
Risk management is a professional field that every manager must engage in, examining in depth all the risks relevant to the organization as part of a long-term managerial concept, to enable the organization to meet goals and objectives without interruption. Managers can decide to carry out the risk management by themselves or entrust the task to a professional official inside or outside the organization. Risk management produces a snapshot based on factual data, past events, and an assessment whose outcome determines the likelihood of the risk being realized and the extent of its damage to the organization.
What is defined as a routine event and what is defined as an extreme event / “black swan”?
In 2001, it seemed that no one knew, or could believe, that a terrorist organization would use civilian planes in ramming attacks, as with the Twin Towers in New York, United States, so at the time it was a “black swan”. It can no longer be defined as such, so now it must be discussed as a risk that could occur again.
In 2021, a cyber-attack such as the one that occurred at Hillel Yaffe Hospital this week is already defined and considered a routine event that can take place in any organization that works with and depends on computer systems. Factually, and without knowing how the hackers managed to break into the hospital’s computer systems, it is clear that in the defensive rings used there was an identifiable weakness through which the hackers attacked. In providing explanations, it could not be argued that this was an extreme incident or a “black swan”.
In 2021, harm to a public official, such as occurred yesterday, Friday 15 October, against a British MP during his participation in an event at the church, is not considered an extreme event and certainly not a “black swan”, and is therefore defined as a routine event taken into account as part of the state’s risk management. The risk will be re-analyzed to determine whether the extent of the damage to the country requires a change in the close protection policy.
Is the use of drones against ships in 2021 considered an extreme event / “black swan”?
The answer lies in World War II, where the Japanese sent pilots who exploded on enemy ships (kamikazes). In the eyes of the attacker, this is not a surprise, and therefore this risk must be discussed in the risk management process.
Why should organizational managers be concerned with protecting themselves from risks?
Every organization manager must carry out a professional and orderly risk management process, with the help of which he or she will make decisions for implementation, based on cooperation with security organizations, examination of past events in Israel and around the world, and more. As part of the process, the manager will determine the organization’s protection objectives and goals, such as critical infrastructure, assets, information, etc., the violation of which will interrupt the continuity of the organization’s functioning and/or threaten its continued existence.
This is done through the following:
Establishment of control and monitoring mechanisms for the implementation of decisions – drawing lessons and implementing them as part of the organizational culture.
Establishment of a professional mechanism that will regularly examine whether there are recognizable indicators that indicate that an extreme event is approaching.
Appointment of managers who are known for not immediately agreeing to every decision or action and who are brave enough to express an opinion that is contrary to the majority opinion, and certainly to the opinion of the organization’s manager.
Activating a party defined as an “external eye” for the organization that will perform objective control, including activating a professional “red team” that will examine the organization’s readiness for all relevant risks.
The role of the security manager in the risk management process:
The security manager in the organization is a partner in formulating the security concept, which also includes a risk management process, and is responsible for implementing the security plan. A smart manager will integrate the organization’s security manager into the full risk management process in the organization and use his or her professional knowledge, experience, and ability, which requires the security manager to meet the professional expectations placed on him or her in the field of risk management.
Factually, most of the events that can pose a risk to an organization can be predicted and effective actions can be taken to prevent them or minimize the damage that results from them. Risk management requires consistency and perseverance over time in constructing scenarios. The organization must appoint an entity that will challenge patterns and assumptions and work to define circumstances that will cause significant systemic failure.