Tag Archives: david patrishkoff

Quest for Reliable Cyber Security

As we still struggle to improve physical security in the brick and mortar world, we are also greatly challenged by security issues in the cyber world. The layers of cyber protections are melting away quickly (Figure 1) as evidenced by an exponential growth in cyber crime. We are all racing rapidly away from the shores of the brick and mortar world, chasing after irresistible and addictive internet-based technology.

The Cyber War Statistics and Projections

Figure 2 shows the Lloyd’s of London estimated worldwide cyber damages in U.S. dollars for 2013 (100 Billion) and 2015 (400 Billion). The Jupiter Research projection for 2019 is $2 trillion. Cybersecurity Ventures projects $6 trillion of damage for 2021. If these projections become reality, that represents a 60-fold increase in cyber damages for the eight-year period between 2013 and 2021.

An independent Ponemon Institute study sponsored by Hewlett Packard said that, in 2016, the average U.S. firm reported cybercrime damages of $17 million. The average cyber damages were much less in non-U.S. countries, but the growth in such crimes is also increasing exponentially. The U.S. National Small Business Association study said that, on average, small businesses that had their bank accounts hacked lost an average of $32,000.

See also: 10 Cyber Security Predictions for 2017  

The Cyber War Defender Sentiment

Various IT expert surveys tell us that the majority of defenders feel that we are losing this cyber war. Here are some key disturbing sentiments:

  • An iSense Solutions survey of 250 IT professionals was conducted for Bitdefender among companies that were breached. Those that suffered cyber breaches in the last year convey the disturbing news that 74% of those that were breached don’t know how the breach happened.
  • A survey by the Ponemon Institute revealed that it took between 98 and 197 days to detect the fact that a security breach has happened.
  • An AT&T (Cybersecurity Insights) report surveyed 5,000 companies worldwide that were launching Internet of Things (IoT) devices. Only 10% of IoT developers felt that they could secure those devices against hackers. It is estimated that 10 billion devices were connected to the internet in early 2016 and that the number will grow to 30 billion devices by 2020.
  • Another Ponemon Institute survey in 2016 consisting of 643 IT experts revealed that only one-third of the IT experts surveyed consider the cloud safe from cyber attacks.
  • Cyberventures estimates that $1 trillion will be spent on cyber security products and services between 2017 and 2021.
  • Cyber experts tell us that just meeting compliance is the beginning of cyber security and not the end.
  • The World Economic Forum (WEF) stated that a “significant” amount of cybercrime and espionage still goes undetected.
  • Hacker tools are cheap, fast and becoming easier to use, providing disturbing attacker advantages.

The Cyber War Executive Summary

Let’s summarize this gloomy situation. We are in an exponential growth period of cybercrime. Anywhere from 67% to 90% of experts surveyed can relate to these comments:

  • They distrust the cloud.
  • Most do not know how or when they were hacked, if they were hacked.
  • Most do not know how to fully protect the old and new flood of internet connected devices from future hacks.
  • Just meeting compliance is insufficient against hacks and cyber attacks.
  • When hacks are noticed, they are noticed three to six months-plus after the fact.

This raises the question of how IT and security professionals will spend their security budget if they have been so unsuccessful in the past and present. This is clearly a high-risk environment and getting worse.

See also: How to Stir Dialogue on Cyber Security  

Can Cyber Strategies Rescue Us?

Classic and logical-sounding cyber strategies have been and are being rendered useless by hackers and cyber-sharks. Figure 3 depicts the sad state of worldwide cyber security. Why are most cyber strategies not working? Maybe because they focus too much on the technical and do not engage all of the enterprise resources and its culture as an additional layer of defense.

Figure 4 reminds us of the words of MIT Professor Bill Aulet, derived from the original quote by the famous management consultant Peter Drucker: “Culture eats strategy for breakfast, operational excellence for lunch and everything else for dinner.”  If our cyber strategy does not harness and engage the enterprise culture as a partner in this cyber war, we should expect only limited successes.

Can Artificial Intelligence (AI) Rescue Us?

Some are touting AI and machine learning as the “last hope” for cyber security, but some experts are also quick to confess that not all AI strategies are effective and that the cyber protection industry is only at the beginning of this journey to apply AI to cyber security. This confidence in AI also assumes that the “bad guys” will not use AI to become better hackers.

Can High-Reliability Organizational (HRO) Techniques Rescue Us?

Decades ago, high-risk organizations like nuclear submarines, aircraft carriers and nuclear power plants developed a highly successful culture-based management system that was later designated as high-reliability organizations (HRO). HROs have achieved zero-incident safety records even though they are considered high-risk. Now that every organization is thrust into the high-risk cyber world, it’s time to consider the HRO playbook and assess our cultures against custom HRO cyber criteria. Airlines, railroads, power plants, hospitals and other organizations are starting to customize HRO principles to meet their stretch goals for employee, customer and patient safety.

See also: Paradigm Shift on Cyber Security  

Figure 5 shows one of the first basic enterprise system and cultural assessments required to lay the foundation for HRO cyber thinking across all layers of the organization. Such assessments will require anonymous inputs from all stakeholders and levels to ensure that all skeletons in the closet and the taboo talk rules that limit cyber successes are exposed.

The pursuit of becoming a high-reliability cyber organization is not for the faint of heart, and it is not a quick fix. It is a set of highly disciplined principles that affect the behaviors, attitudes, decision making and accountability for every level of the enterprise cascade as summarized in Figure 6. If any of the cyber security elements in the cascade has a weak link, cyber security will be at risk. The last line of defense against cyber attacks needs to be organizational and cultural and not just technical or centered on compliance.

As the world moves toward the shocking new reality of annual multitrillion-dollar cyber damages, organizations will need to combine technical and non-technical best practices for reliability to counter cyber threats. Unfortunately, it might take one or more big business failures or a major worldwide cyber calamity before more organizations start to see the value of a combined high-performance culture and technical strategy. Great successes of HRO organizations should teach us that a combined culture and technical strategy is the best way to defend ourselves in this expanding cyber world war.

How ‘Cascades’ Can Build Work Culture

Most of us have heard the phrase: “Culture eats strategy for breakfast.” It could be restated as, “Your actions speak louder than your words.” This means that management can dream up any strategy they want, but their behaviors and actions are what create the culture of an organization.

Culture drives how efficient an organization’s processes are. Culture drives the success or failure of an organization. Culture is the product of leadership decisions or the lack of decisions.

The best-articulated corporate vision and strategy are of no value if they cannot engage the hearts, minds and work habits of employees at all levels and convey a purpose beyond just profit.

A vision states where an organization wants to go; a strategy defines the path to get there; and the work culture describes how business processes are actually executed along the path toward the vision. The health of a work culture can range from a contagiously high-performance work culture to mediocre or all the way down to a disruptive, confrontational culture that can’t get much done on time or done right the first time. A disruptive culture can trump the best vision and strategies every time. On the other hand, if a work culture is nurtured and groomed to align with a carefully crafted vision and strategy, the positive momentum could be unstoppable.

Figure 1 shows possible scenarios of vision, strategy, culture and performance alignment and misalignment. Business process performance (small white arrows) is more correlated with the work culture (small red arrows) than with the vision or strategy (big blue arrow) of an organization. Work culture — not vision or strategy — culture drives business performance. The challenge presented by this dilemma is that the work culture is an invisible force that is hard to measure. It shows its good side when you watch it and only displays its bad sides when you look away. The work culture is the product of complex cascade effects inside an organization and is as much affected by leadership actions as it is by the lack of appropriate actions. If left unattended, it will create its own random world of hidden agendas, which will probably not be aligned with the priorities of the organization.

Untitled
Figure 1
– 3 Possible scenarios of vision, strategy, culture and performance alignment

Corporate visions and strategies are usually rolled out in formal three- to five-year plans. Work culture management and monitoring is too often not in sync with that plan and referred as an “HR thing,” even though it is the gate-keeper of business performance. If you do not understand and actively manage the work culture, it will manage you.

Measuring Cascade Effects Risks

It would be wonderful if we could just plug a measurement device into an organization to check its health and the risks of cascade effects (Figure 2). The work culture defines how employees work with each other through communication, coordination and cooperation. It generates multiple slow-motion and rapid chain reactions, ripple effects and cascade effects that greatly affect the mood and attitude of the organization. It predestines an organization for success or failure.

Untitled
Figure 2
– The challenge of measuring work culture health and risks

How can we measure the health of invisible cultural chain reactions that can drive the success, mediocrity or failure of an entire corporation? I suggest a series of management and employee surveys and brainstorming assessments to test for the presence of 56 different elements of risk that can be present at any level in an organization. (See Figure 3 for a partial view of the survey.) The culture assessment tool shown in Figure 3 should be used for at least three different levels of management in an organization. These three levels of perception will offer triangulation data points, which will show how common or diverse the perceptions are that describe the organizational culture.

Untitled

Figure 3 – Partial view of a gamified organizational health survey

The Organizational Force-Fields That Drive Success or Failure

Chain reactions, domino effects, ripple effects and snowball effects are similar in that they are defined by the single acts that created them. Once triggered, they will play out their effects depending on the amount of resistance the system presents against them. Cascade effects are different. They are fueled by a hierarchy of multiple interacting triggers at different levels in the system.  Time delays between cause and effect are common, making the direct correlations between cause and effect more difficult to identify. Each element of the cascade effect can create dramatic outputs involving as many as three degrees of separation, rippling through an organization. There are three types of organizational cascade effects:

  • Destructive tsunamis of non-cooperation and negativity
  • Expanding groups of  status quo herd followers
  • Constructive waves of cooperation, empowerment, motivation and positivity

If all of the cascade effects are present in an organization at the same time, the result will be conflict, employee frustration and lack of momentum in the right direction.  A random mix containing equal parts of motivated, frustrated, positive and cynical employees co-located for 40 hours a week is not a formula for success; it is a recipe for mediocrity or even disaster.

Positive Organizational Cascades

These are acts of positivity that multiply and can also spread from person to person. In 2010, researchers from the University of California, San Diego and Harvard published the results from their experiments in an article titled: “Cooperative behavior cascades in human social networks.” They showed that cooperative behavior can be just as contagious as bad behavior. They showed that positivity can spread from person to person to person by displaying random acts of cooperation, generosity and other positive behaviors. This creates a cascade of cooperation that influences dozens of people who were not involved in the initial trigger event.

Mediocrity and Consensus Cascades

These cascades are the result of contagious personal decisions to blend in with the crowd and not make any waves (also known as “group think”). Many researchers, including those from the computer science department at Carnegie Mellon University, have confirmed this phenomenon. Forces in organizations and society like peer pressure, blending in, the herd mentality and the band-wagon effect can cause an individual to follow the herd, even if that violates personal preferences and value systems of what is right and what is wrong. This is often done to save one’s reputation in a group and gain acceptance. Efforts to achieve team consensus can create the same phenomena, resulting in conclusions that might not always be the best ones. Teams can assign a “devil’s advocate” role to a participant to deliberately challenge “herd decisions” to counter this cascade effect.

In 2013, Forbes wrote an article titled: “Brainstorming is Dead…,” which summarized recent criticism by many about how creative people can get suppressed by other personalities during brainstorming events when the main priority is to get consensus on all brainstorming conclusions. Forcing consensus is as useful as it is dangerous. To avoid ineffective and dangerous group-think cascade effects, group decisions should build on each other’s ideas, when possible, to create innovative hybrid solutions and not pick one idea and totally discount another idea that might have a flicker of genius.

Negative Organizational Cascades

These are acts of negativity that multiply and spread from person to person in an organization. Risky, combative and uncooperative behaviors all have the unfortunate ability to multiply and spread to three degrees of separation from the original act. This can have a negative impact on dozens and even hundreds of downstream people not involved in the initial negative triggering acts. Negative human interactions can break the bonds of humanity and teamwork. These cascades can destroy the work culture, effectiveness and performance of an entire organization.

The Broad Influence of Cascades

Behavioral researchers have demonstrated with team experiments that positive, mediocrity and negative cascades can all have affect three degrees of separation (friends of friends of friends). Other researchers and computer models have determined that only three to four degrees of separation is what separates everyone in the USA, and only six degrees of separation separate everyone in the world. Exceptions to this rule are the secluded tribes in the Amazon jungle and other remote places. Yes, the world is smaller than we think, and actions really do speak much louder than words. Actions and behaviors can reach beyond the horizon and into different time zones.

The Organizational Forces Survey

The Organizational Forces Survey tests the health of the individual organizational forces that drive chain reactions, cascades and other behavior propagation phenomena. This survey asks participants to assess the presence of positive and negative organizational forces shown in Figure 4 by identifying the forces they believe to be present. This survey is given to all levels of employees and management.

Untitled
Figure 4
– The Organizational Forces Survey used to assess the health of the work culture.

Figure 5 shows an example of survey responses, using the form in Figure 4, that were attained from the survey for three different levels in an organization: top leadership, middle management and non-management. One sign of healthy communications between management and employees is when organizational risk assessments are similar between different levels in the organization. However, that is not the case here.

In this survey response example, top leadership rated the health of the work culture as overwhelmingly positive (green). They perceived their environment to be a Grand Organization in the making. Unfortunately, non-management employee responses to this survey were at the opposite end of the scale (red). They rated the forces in the organization as overwhelmingly negative, filled with high risk and knocking on the door of a Grand Disaster. Middle management rated the work culture as mediocre (yellow), with some responses slightly positive and others slightly negative. This group of employees was apparently influenced by perceptions of top leadership and non-management.

Untitled
Figure 5
– The range of survey responses from various levels in this organization shows major discrepancies in their perception of the health for the organizational work culture.

Conclusion

Grand investigations are often done after a loss of life disaster occurs, such as a NASA space shuttle disaster, a passenger airplane crash or an accidental employee death on the job. However, it is hard to find this level of effort and analysis applied to prevent such disasters. Deep and thorough disaster investigations often find flawed undisciplined leadership practices and organizational cultures at the root of the problems. It is also common to discover a zealous ambition to grow the business without really ensuring that a healthy work culture foundation is put in place to safely support such expansion.

Huge opportunities for organizational productivity improvements still exist today by cultivating a high-performance work culture. Breakthroughs can be made when organizations appreciate the fact that  “culture eats strategy for breakfast,” a phrase coined by Peter Drucker, a famous management consultant, educator and author. True organizational greatness can be achieved when organizations look beyond trying to just manage the bottom line and learn how to manage, analyze and monitor the cultural forces and cascade effects that drive success or failure.

A grand vision and strategy can only revolutionize a company when the work culture is healthy, engaged and aligned with those concepts. Taboos on talk must be broken. Open, frequent and candid communications must exist between all levels in the organization. Employee issues and concerns must be addressed in a timely manner as proof that a functioning communication and countermeasure system are in place. Only then can an organization really have a chance to break its barriers to greatness.

A SWOT Analysis of SWOT Analysis

A classic SWOT (strengths, weaknesses, opportunities and threats analysis) is usually considered as a good start for strategic planning efforts and further analysis. A disruptive and cascading SWOT can re-position the whole strategic plan to seriously pursue disruptive innovation. A great strategic plan should not just be about beating the competition at their game, but about redefining the game as no one has done before you.

The hyper-connected and cascading behavior of global risks

The World Economic Forum (WEF) has published a global risk report since 2006. The WEF pleads the case that the more connected our world becomes via a globalized economy, social media, the Internet, etc, the more vulnerable the whole world is to any weak links in the system. The reports include constant references to the connected risks that can cause global system breakdowns. The descriptions of the potential threats include combinations of slow-building and creeping risks that are hyper-connected, capable of linking to create unforeseen and high-energy cascade effects that can create tipping points into a perfect storms with high local and even global fallout.

The hyper-connected and cascading behavior of internal risks

My independent research into the causes of historical disasters, which started in 2004, has identified certain cascading principles and mechanisms of how the combined effects of underestimated internal risks can wreak havoc and self-destruction even without the help of external forces. If your SWOT ignores the cascading and hyper-connected nature of internal and external risks, your efforts could be futile. Too often, risks are assumed to approach from over the horizon from the outside. This mindset ignores the fact that most organizational failures stem from internal risks and a dysfunctional work culture. The triggers of such havoc can emanate from the top of the organization and quietly ripple through the organizational cascades to create undesirable events.

A SWOT analysis on the SWOT analysis

A SWOT analysis is a mini-risk assessment and mitigation brainstorm tool.  However, its strengths will become weaknesses if the assessments are superficial. If the SWOT is reconfigured to meet the realities of a hyper-connected and cascading world, this tool can be very insightful.

What follows is a short SWOT analysis on the SWOT analysis tool to assess its capabilities to pursue true disruptive innovation. This exercise can be viewed as a self-diagnostic of a SWOT:

Strengths:

  • Simple and easy to understand
  • Helps you identify and understand challenges and opportunities
  • Can be used to develop a robust action plan
  • Concentrates on the most important factors

Weaknesses:

  • Its simplicity will not always prompt its users to go deep enough to make its analysis meaningful
  • It does not prompt its users to investigate hyper-connected risks that can cascade and ripple through an organization in a destructive manner
  • It does not prompt its users to investigate slow-burn/slow failures (aka creeping risks) that can build up over time and create tipping points that produce a perfect storm of unintended consequences
  • It does not prompt its users to solicit true and candid cultural perceptions and threats for all employee levels
  • It will not lead to disruptive innovation in its basic form

Opportunities:

  • Invigorate the classic SWOT into a cascading SWOT to match the way in which the world and modern organizations actually operate
  • Identify hidden threats and uncomfortable and unspoken talk rules
  • Include assessment of internal leadership gaps
  • Include factual assessments of cultural health of the organization
  • Include assessments of internal process inefficiencies and risks in key business processes
  • Assess the quality of your business metrics
  • Assess the organization’s responses to critical situations
  • Assess how your organization learns from its mistakes and makes the necessary changes
  • Assess the internal and external customer satisfaction levels
  • Include a “points of pain” assessment as perceived for various levels of employees

Threats:

  • The assumption that SWOT-KISS (keep it simple, stupid) is the right approach may not fit well in the complex and cascading world in which we live
  • It can misdiagnose luck as skill; the organization will be ill-prepared for adverse events
  • It assumes that, if you ask fellow employees for inputs, they will tell you the whole truth, without fear of punishment

Summary of the SWOT analysis on the SWOT analysis

A good SWOT should be provocative and assess the sensibility on your own strategies, track your efforts to solicit and address internal taboo talk rules, monitor employee frustration levels and assess your internal culture’s momentum toward success or failure. Most importantly, do not forget to gather multiple perceptions on the above opinions from leadership, mid-management and non-management employees. If the perceptions are vastly different, determine why the same people under the same roof are describing the same company in very different manners.

Transforming the SWOT into the foundation for disruptive innovation

It must be stressed that an energized SWOT is only the foundation of a good strategic plan. It is not the final analysis or strategic planning tool. The annual corporate strategic planning cycle is usually time-consuming and interactive and must get off to a good start with the right tone if anything of value is to be expected.

SWOT expansion to include internal cascading risks

The biggest opportunities to achieving strategic objectives lie in the ability of leadership to identify, assess and manage the internal cascading connections and cause-and-effect relationships that exist. The main areas of internal, hyper-connected top-to-bottom cascading elements and loops include:

  • Leadership strategies, attitudes and behaviors
  • Cultural behavior
  • Process efficiency
  • Performance outcomes
  • Responses to shortfalls in performance metrics
  • Feedback loops to leadership that either incorporate lessons learned or ignore such lessons, offering the next cycle of adverse events the opportunity to sink the ship

Each of the above mentioned elements of internal cascades should be SWOT-ed separately with candid and honest inputs from all levels of employees (See graphic below). Embracing such logic allows leaders to create a cascading strategic plan that can energize the organization instead of just addressing the symptoms of issues with sugar-coated Power Point slides or adding a fresh coat of paint to the Titanic while it is sinking.

Untitled

Figure 1. Each element of internal cascades should be SWOT-ed separately with candid and honest inputs from all levels of employees

SWOT expansion to include external cascading risk assessments

External risks need to be listed, rated for connectedness and assessed for their impact and likelihood of affecting the business. This offers a good start for subsequent strategic risk management efforts. The World Economic Forum’s annual Global Risk Report offers a good reference to use as a starting point for possible risks to consider. Separate SWOT analysis should be carried out for the six main areas of global risks:

  • Economic
  • Environmental
  • Geopolitical
  • Societal
  • Technological
  • Real-time feedback loops to leadership on the status and changes in global risks

Conclusion

Organizations and the world are hyper-connected communities that are exposed to threatening invisible cascade, ripple and domino effects. Today’s risks can easily leap past national borders, firewalls and other security safeguards and trigger very unexpected circumstances that can threaten the reputation and existence of the business. Modern applications of the SWOT analysis should consider this complex and cascading nature in which the world now operates. A thorough SWOT analysis can be a good start for any level of strategic planning, including the ultimate wish of any organization, which is to create disruptive innovation and value that will ignite the passions of its employees and customers.

10 Shortcomings of SWOT Analysis

If you think that the analysis you use to identify the strengths, weaknesses, opportunities and threats (SWOT) in your business is adequate, beware. It is intended to provide a 360-degree view of your risks and opportunities but often fails to fill that requirement because of superficial applications and failure to look at risks from connected systems.

If your risk and opportunity analysis techniques are lacking, you could be very unprepared for the next recession, disruptive technology or game-changing way of thinking that could soon affect you. Too often, the last domino that struck in the last crisis is the main focus of all future risk-mitigation efforts. The whole string of triggers and threatening signals that led up to that last publicized tipping point and bursting bubble are ignored.

Here are the 10 most common shortcomings for SWOT analysis:

  1. Underestimating the role that vertical and lateral cascading human factors can play and having fragile back-up plans
  2. Absence of war gaming, stress testing and disruptive failure mode analysis testing of your leadership mindset, strategy, work culture, processes, products and services
  3. Lack of focus on disruptive innovations; you respond to them but do not create them with proven innovation-on-demand techniques
  4. Assumptions that cyber security and patents are safe, so they aren’t stress tested with advanced cyber-circumvention and patent-busting techniques
  5. “Taboo talk rules”; uncomfortable discussion topics are avoided or not identified with focused and anonymously solicited inputs from employees
  6. Ignoring “Trojan horse” risks that are secretly lurking in the hearts and minds of your employees or piggy-backing on purchased technology, software, products or services
  7. Lack of use of “gamification” techniques to address the most sensitive threats in a disciplined, humane, engaging and effective manner
  8. Failure to include effective strategies to attract and retain key human talent
  9. Failure to identify low-profile threats that create unstoppable cascading risks — from leadership to culture to processes to bad performance to weak responses to critical situations
  10. Lack of use of external perspectives to challenge group-think assumptions of perceived safety and robustness

Simple SWOT analysis and risk-management techniques will not offer the protection required to survive the next economic crisis or disruptive technology. KISS concepts (keep it simple, stupid) have lost their ability to identify and protect against complex cascading risks. The world is a fragile, hyper-connected and cascading system full of surprises that will punish casual optimists and reward those who hope for the best but seriously plan for worst-case scenarios.

The World Economic Forum’s 2014 World Risk Report describes the global risks that can quietly cascade across borders and affect organizations in unsuspecting and surprising ways from a variety of threatening and linked factors. The complex dynamics that exist between developed, developing and emerging world markets is further complicated by the fact that many organizations know very little about the cascading system dynamics within their own four walls.

Classic methods that attempt to describe the risk and opportunity landscape for individuals and organizations have not kept pace with the rising complexity and interactions between highly networked workplaces, global economies and internal and external threats. We have now entered a new era where we need new ways to describe and understand the complex world we have created, which has outgrown the simple tools we like to describe it with.

What Really Sank the Titanic?

ISO 31000 (Risk Management) and its supporting publications encompass an impressive to-do list of risk management guidelines for organizations. However, if an organization selectively pursues some of the ISO guidelines and ignores others, highly undesirable events — even tragedies — can occur. This is what happened with the Titanic.

ISO 31000, section 4.2, suggests we align risk-management efforts to our objectives. White Star Lines, the Titanic’s builders, fulfilled this requirement. The objectives were to create a luxury liner at the lowest costs, in the least amount of time, and maybe even break the speed record for an Atlantic crossing. These were admirable goals. The Titanic also followed ISO 31000, Section 5.5.1.b., by “taking or increasing the risk in order to pursue an opportunity.” The builders did so because they believed their risks were not extraordinary and could be controlled. This is a common judgment error.

THE PURSUIT OF OPPORTUNITIES, NOT AN ICEBERG, SANK THE TITANIC

The individual risk opportunities that Titanic pursued were not terribly unusual, but collectively they created a perfect storm fueled by three main, linked, cascading risks:

  1. Ship design shortcomings influenced by cost-cutting efforts
  2. Flaws in rivets
  3. Mistakes in the operation and evacuation of the vessel

ISO 31000, Section 5.4.2, warns us that “Risk identification should include examination of the knock-on effects of particular consequences, including cascade and cumulative effects.” The World Economic Forum, in its 2014 Annual Global Risk Report, highlights cascading and connected risks many times as a serious threat. The report also stated the need for better efforts to deal with such threats by supplementing traditional risk management tools with new concepts, methods and tools.

What are cascading risks?

Cascades can be beneficial, neutral or destructive. We define cascading risks as a series of interacting risks that emanate from leadership (aces) through the work culture (kings) and work processes (queens) that create bad performances (jacks) and negative feedback loops (jokers) back to leadership. Leaders then either apply learnings in creative ways or ignore the cascade signals, which can lead to disasters. Detailed cascading risk analysis can aid in minimizing such risks.

Cascade #1 That Threatened the Titanic – Inadequate Design

The Titanic’s design was not unsinkable, as was widely publicized at the time. It had many “watertight compartments,” but they were open at the top, like an ice cube tray. It had far too few lifeboats, a result of cost-cutting efforts during the design phase. It had a double bottom, but that did not extend up to the waterline, where the iceberg sideswiped the ship. This design flaw was quickly corrected on the Titanic’s sister-ship, Britannic, which was still under construction at the time of the Titanic’s sinking.

The Titanic’s builders claimed that it was constructed considerably in excess of the Lloyds registry safety requirements. Therefore, they never saw the need to seek Lloyd’s registry approval. However, Lloyds disputed that claim publicly after the Titanic sank.

Cascade #2 That Threatened the Titanic – Bad Rivets

The Titanic required 3 million rivets to hold her together. Archives tell us that, at that time, there was a shortage of riveters and the necessary materials to create high-quality wrought iron rivets. White Star’s competitors converted to 100% steel rivets, which were much stronger.

The Titanic used steel rivets in the straight section of the hull but not in the front, where the iceberg hit — wrought iron rivets were easier to rivet by hand than steel rivets in those sections. The recovery of the Titanic’s wreck from the sea floor confirmed the low quality and brittleness of the rivets in the impact areas. Higher-quality rivets would have kept Titanic afloat longer and saved more passengers.

Cascade #3 That Sank the Titanic – Operation and Evacuation Errors

The Titanic was cruising near top speed, which was very risky on a moonless night through an area with active iceberg warnings. Just hours before the disaster, the captain canceled a lifeboat drill for no apparent reason. It was suspected that the captain was attempting to break a cross-Atlantic speed record. That recklessness and the collision with an iceberg sealed the Titanic’s fate. Her brittle rivets in the impact area popped off and allowed water to rush into the hull. The Titanic sank in less than three hours. 1,502 people perished after a disorganized evacuation filled the far-too-few lifeboats to just 61% of capacity.

Conclusion

Although ISO 31000 attempts to protect us from ourselves and the outside world, we cannot be selective in what we implement. We need to follow all of the guidelines and even test areas that we believe are safe. We must also heed ISO’s challenge to examine cascading and cumulative effects. Effective risk-based thinking must include cascade effect thinking.