Rethinking Risk

Black Swans, Tsunamis and
Planning for the Unbelievable
Bill Sewall, JD & CISSP
(510) 275-4735
www.bsewall.com
Bill Sewall, JD & CISSP
• Consultant
• Specialties: information security, compliance, training and operational risk
• Experience:
  • Teacher
  • Attorney & General Counsel
  • CIO & COO
  • Information Security Officer
  • Operational Risk Officer
• 25 years with CitiGroup
Agenda
• What is a Black Swan event?
• How our emotions, instincts and
personal experience cloud our
perception of risk
• Golden Boy Syndrome
• An alternate proposal for looking at
risk
• Black Swans and some suggested
ways to approach them
1. It lies outside the realm of
regular expectations
2. It carries an extreme impact
3. Human nature makes us
concoct explanations for its
occurrence after the fact,
making it explainable and
predictable.
“The Black Swan” by Nassim Nicholas Taleb
"There's not a doubt in my mind that you will see a spate
of municipal bond defaults," Whitney predicted.
Asked how many is a "spate," Whitney said, "You could see
50 sizeable defaults. Fifty to 100 sizeable defaults. More.
This will amount to hundreds of billions of dollars' worth
of defaults."
Annual Loss Expectancy = Single Loss Expectancy × Annualized Rate of Occurrence
Risk = Impact × Probability
Probability = Vulnerability × Threat
Risk management should be
a rational process.
Instead, most of our daily
risk decisions are based on
emotion, our unique personal
experiences and instinct.
What Parents Fear Most*
1. Kidnapping
2. School snipers
3. Terrorists
4. Dangerous strangers
5. Drugs
*NPR: http://www.npr.org/blogs/health/2010/08/30/129531631/5-worries-parents-should-drop-and-5-they-should?sc=fb&cc=fp
What Parents Should Fear

    What Parents Fear          What Parents Should Fear
    1. Kidnapping              1. Car accidents
    2. School snipers          2. Homicide by friends or relatives
    3. Terrorists              3. Abuse
    4. Dangerous strangers     4. Suicide
    5. Drugs                   5. Drowning
“Golden Boy Syndrome”
We continually seek out leaders and
role models.
And we are willing to support our
heroes, give them our money and let
them guide us, even when there is
clear evidence that they are dead
wrong.
“When the music stops, in terms of liquidity,
things will be complicated. But as long as the
music is playing, you've got to get up and
dance. We're still dancing.”
Alan Greenspan is “no longer the
Man Who Knows; he’s the man who
… refused to do anything about
subprime, insisted that derivatives
made the financial system more
stable, denied not only that there
was a national housing bubble but
that such a bubble was even
possible.”
– Paul Krugman, Nobel economist.
“There are known knowns; there are things we know we know.
We also know there are known unknowns; that is to say we know there
are some things we do not know.
But there are also unknown unknowns – the ones we don't know we
don't know.” Donald Rumsfeld
1. People exaggerate spectacular but rare risks and
downplay common risks.
2. People have trouble estimating risks for
anything not exactly like their normal situation.
3. Personified risks are perceived to be greater
than anonymous risks.
4. People underestimate risks they willingly take
and overestimate risks in situations they can't
control.
5. Last, people overestimate risks that are being
talked about and remain an object of public
scrutiny.
* “Beyond Fear”, Bruce Schneier
http://www.schneier.com/essay-155.html
• Most of our risk decisions are based on instinct, emotions and our unique
  experiences, not on a rational, objective methodology.
• In information security we are further hampered by the lack of:
  • Consistent historical data that would support an actuarial risk
    assessment process; and
  • A commonly agreed risk assessment methodology
You can’t calculate
information security risk
down to the decimal point.
Risk = Impact × Probability

Risk = Impact × (Vulnerability × Threat)
Type, Frequency, Duration & Loss
[Chart: Risk plotted against Impact and Probability]
Long Tail & Black Swans
[Chart: probability (0–20%) plotted against losses in millions ($0–$100), showing the long tail]
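The formulas earlier in the deck (ALE = SLE × ARO, Risk = Impact × Probability) collapse a whole loss distribution into one expected-value number, and the long-tail chart is the point that this number hides the tail where the Black Swans live. The Python below is an added worked example, not material from the slides: it takes a constructed scenario (an assumed ARO of two events per year, an assumed median single loss of $50,000 and an assumed lognormal spread), computes the closed-form ALE, then simulates 20,000 years of losses with Poisson frequency and lognormal severity and reports how far the 99th and 99.9th percentile years sit above the ALE. The scenario values, the `Scenario` type and the choice of lognormal severity are illustrative assumptions.

```python
"""Annual Loss Expectancy versus the long tail (added example, not from the deck).

"Type, Frequency, Duration & Loss" maps onto two distributions: how often an
event happens (frequency) and how much it costs when it does (severity).
ALE = SLE x ARO is just the mean of the resulting compound distribution; the
simulation shows what the mean leaves out.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """Constructed scenario parameters (assumptions for illustration)."""
    name: str
    aro: float          # annualized rate of occurrence: events per year
    sle_median: float   # typical (median) single loss, in dollars
    sigma: float        # log-scale dispersion of the single loss; bigger = fatter tail


def ale(s: Scenario) -> float:
    """Closed-form Annual Loss Expectancy: ARO x mean single loss.

    With a lognormal severity the mean is exp(mu + sigma^2 / 2), which sits
    above the median, so a 'typical' loss already understates the SLE.
    """
    mean_sle = s.sle_median * math.exp(s.sigma ** 2 / 2)
    return s.aro * mean_sle


def _poisson(rng: random.Random, lam: float) -> int:
    """Poisson sample via Knuth's method (adequate for small lambda)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, years: int = 20000, seed: int = 1) -> list:
    """One total loss per simulated year: Poisson count of lognormal losses."""
    rng = random.Random(seed)           # fixed seed keeps the run reproducible
    mu = math.log(s.sle_median)         # lognormal location from the median
    totals = []
    for _ in range(years):
        n_events = _poisson(rng, s.aro)
        totals.append(sum(rng.lognormvariate(mu, s.sigma) for _ in range(n_events)))
    return totals


def percentile(values: list, q: float) -> float:
    """Nearest-rank percentile; q in [0, 1]."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(q * len(ordered)))
    return ordered[idx]


def tail_report(s: Scenario, years: int = 20000, seed: int = 1) -> dict:
    """Compare the single ALE figure with the simulated loss distribution."""
    losses = simulate_annual_losses(s, years, seed)
    expected = ale(s)
    return {
        "ale": expected,
        "simulated_mean": sum(losses) / len(losses),
        "p50": percentile(losses, 0.50),     # a 'normal' year
        "p99": percentile(losses, 0.99),     # a one-in-a-hundred year
        "p999": percentile(losses, 0.999),   # a one-in-a-thousand year
        # fraction of years whose loss exceeds five times the ALE
        "share_of_years_above_5x_ale": sum(1 for x in losses if x > 5 * expected) / len(losses),
    }


if __name__ == "__main__":
    # Constructed scenario: two incidents a year, median $50k each, fat tail.
    scenario = Scenario("constructed", aro=2.0, sle_median=50_000.0, sigma=1.5)
    for key, value in tail_report(scenario).items():
        print(f"{key:>28}: {value:,.4f}" if value < 1 else f"{key:>28}: ${value:,.0f}")
```

The simulated mean lands on the closed-form ALE, which confirms the formula but also makes the point: the median year costs well under the ALE while the 99th percentile year costs several multiples of it. Budgeting controls to the ALE alone is budgeting for the average year, not for the one that ends the business.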
How can we prepare for
the unknown?
Rule #1. Risk is in the details.
• Take care of the little things and
the big things become far less
likely.
Rule #2. Pay special attention to those Black Swans that you can control.
• Don’t waste your time on the uncontrollable unknowns.

Controllable:
• “Great Recession”
• Deepwater Horizon
• 9/11

Uncontrollable:
• Japan Tsunami?
• Meteor Strike
• Magnitude 10 Earthquake
• Alien Invasion
Rule #3. Pay special attention to those
risks that are easily scalable.
• How much would have to go wrong
before a $1,000 event becomes a
$1 million event?
Rule #4. When dealing with Black Swan
possibilities, make your assessment of
the risk very carefully.
• Then throw it away and start again,
because you likely made the
decision based on emotions, gut
instinct or personal experience.
Rule #5. When considering risks related to fraud, think like a criminal.
• The problem is that we invest too much of our own experiences and
  emotions into the risk assessment.
• Suggestion: role play. Remove yourself from the process and think like
  the criminal.
Rule #6. Black Swans are becoming more
prevalent.
• A highly industrialized,
technologically advanced and
interdependent global economy is
more prone to catastrophic
disruptions than a world dominated
by a handful of independent
industrialized countries.
Rule #7. There are no “Unknown
Unknowns.”
• We know all the risks, it is just that
we choose to ignore most Black
Swans.
• They are often just too painful to
deal with.
• Denial