A friend of mine asked me if the cyber-risk threat was a bit of flimflam designed to sell more insurance policies. He compared cyber-risk to the Red Scare of the 1950s, when families scrambled to build bomb shelters to protect them from a war that never came. The only ones who got rich back then were the contractors, he concluded.
I found his question incredible. But I realized that he didn’t work in the commerce stream, per se, which quelled my impulse to slap him around.
I shared with him some statistics that sobered him up quickly. I explained that cyber-crime costs the global economy more than $400 billion per year, according to estimates by the Center for Strategic and International Studies. Each year, more than 3,000 companies in the U.S. have their systems compromised by criminals. IBM reports more than 91 million security events per year. Worse yet, the Global Risks 2015 report, published in January by the World Economic Forum (WEF), included this rather stark warning: “90% of companies worldwide recognize they are insufficiently prepared to protect themselves against cyber-attacks.”
Cyber protection is not just about deploying advanced cyber threat technology to manage risk; you also have to educate your employees to not fall victim to unassuming scams like “phishing,” which is stealing private information via e-mail or text messages. It remains the most popular con as far as stealing company data because it’s so painfully simple. Just pretend to be someone else and hope a few people fall for it.
While most people understand the threat to data privacy for retailers, hospitals and banks and other financial institutions, few realize that manufacturers are also vulnerable in terms of property damage and downtime. In 2014, a steel manufacturing facility in Germany lost control of its blast furnace, causing massive damage to the plant. The cause of the loss was not employee error, but rather a cyber-attack. While property damage resulting from a cyber-attack is rare, the event was a wake-up call for manufacturers worldwide.
According to The Manufacturer newsletter, “the rise of digital manufacturing means many control systems use open or standardized technologies to reduce costs and improve performance, employing direct communications between control and business systems.” This exposes vulnerabilities previously thought to affect only office computers. In essence, according to The Manufacturer, cyber attacks can now come from both inside and outside of the industrial control system network.
Manufacturers also need to be concerned about cyber attacks that would a) interrupt their physical supply chain or b) allow access to their system via a third-party vendor. Manufacturers must then take steps to mitigate those risks. When Target and Home Depot were hacked several years ago, it wasn’t a direct attack on them but an attack on one of their third-party vendors. By breaching the vendors’ weak cyber security, the criminals were able to access the larger prize.
To circle back to my friend’s weird fallout-shelter theory, it’s certainly a good idea to have a backup plan in case one is hit by a proverbial “cyber-bomb.” But rather than hunker down and wait for the attack to occur, it’s critical to educate employees, vet vendors’ cyber-security and adopt — and continuously optimize — a formal cybersecurity program.
A classic SWOT (strengths, weaknesses, opportunities and threats) analysis is usually considered a good start for strategic planning efforts and further analysis. A disruptive and cascading SWOT can re-position the whole strategic plan to seriously pursue disruptive innovation. A great strategic plan should not just be about beating the competition at their game, but about redefining the game as no one has done before you.
The hyper-connected and cascading behavior of global risks
The World Economic Forum (WEF) has published a global risk report since 2006. The WEF pleads the case that the more connected our world becomes via a globalized economy, social media, the Internet, etc., the more vulnerable the whole world is to any weak links in the system. The reports include constant references to the connected risks that can cause global system breakdowns. The descriptions of the potential threats include combinations of slow-building and creeping risks that are hyper-connected, capable of linking to create unforeseen and high-energy cascade effects that can create tipping points into perfect storms with high local and even global fallout.
The hyper-connected and cascading behavior of internal risks
My independent research into the causes of historical disasters, which started in 2004, has identified certain cascading principles and mechanisms of how the combined effects of underestimated internal risks can wreak havoc and self-destruction even without the help of external forces. If your SWOT ignores the cascading and hyper-connected nature of internal and external risks, your efforts could be futile. Too often, risks are assumed to approach from over the horizon from the outside. This mindset ignores the fact that most organizational failures stem from internal risks and a dysfunctional work culture. The triggers of such havoc can emanate from the top of the organization and quietly ripple through the organizational cascades to create undesirable events.
A SWOT analysis on the SWOT analysis
A SWOT analysis is a mini-risk assessment and mitigation brainstorm tool. However, its strengths will become weaknesses if the assessments are superficial. If the SWOT is reconfigured to meet the realities of a hyper-connected and cascading world, this tool can be very insightful.
What follows is a short SWOT analysis on the SWOT analysis tool to assess its capabilities to pursue true disruptive innovation. This exercise can be viewed as a self-diagnostic of a SWOT:
Strengths
Simple and easy to understand
Helps you identify and understand challenges and opportunities
Can be used to develop a robust action plan
Concentrates on the most important factors
Weaknesses
Its simplicity will not always prompt its users to go deep enough to make its analysis meaningful
It does not prompt its users to investigate hyper-connected risks that can cascade and ripple through an organization in a destructive manner
It does not prompt its users to investigate slow-burn/slow failures (aka creeping risks) that can build up over time and create tipping points that produce a perfect storm of unintended consequences
It does not prompt its users to solicit true and candid cultural perceptions and threats for all employee levels
It will not lead to disruptive innovation in its basic form
Opportunities
Invigorate the classic SWOT into a cascading SWOT to match the way in which the world and modern organizations actually operate
Identify hidden threats and uncomfortable and unspoken talk rules
Include assessment of internal leadership gaps
Include factual assessments of cultural health of the organization
Include assessments of internal process inefficiencies and risks in key business processes
Assess the quality of your business metrics
Assess the organization’s responses to critical situations
Assess how your organization learns from its mistakes and makes the necessary changes
Assess the internal and external customer satisfaction levels
Include a “points of pain” assessment as perceived for various levels of employees
Threats
The assumption that SWOT-KISS (keep it simple, stupid) is the right approach may not fit well in the complex and cascading world in which we live
It can misdiagnose luck as skill; the organization will be ill-prepared for adverse events
It assumes that, if you ask fellow employees for inputs, they will tell you the whole truth, without fear of punishment
Summary of the SWOT analysis on the SWOT analysis
A good SWOT should be provocative and assess the sensibility of your own strategies, track your efforts to solicit and address internal taboo talk rules, monitor employee frustration levels and assess your internal culture’s momentum toward success or failure. Most importantly, do not forget to gather multiple perceptions on the above opinions from leadership, mid-management and non-management employees. If the perceptions are vastly different, determine why the same people under the same roof are describing the same company in very different manners.
Transforming the SWOT into the foundation for disruptive innovation
It must be stressed that an energized SWOT is only the foundation of a good strategic plan. It is not the final analysis or strategic planning tool. The annual corporate strategic planning cycle is usually time-consuming and interactive and must get off to a good start with the right tone if anything of value is to be expected.
SWOT expansion to include internal cascading risks
The biggest opportunities for achieving strategic objectives lie in the ability of leadership to identify, assess and manage the internal cascading connections and cause-and-effect relationships that exist. The main areas of internal, hyper-connected top-to-bottom cascading elements and loops include:
Leadership strategies, attitudes and behaviors
Responses to shortfalls in performance metrics
Feedback loops to leadership that either incorporate lessons learned or ignore such lessons, offering the next cycle of adverse events the opportunity to sink the ship
Each of the above-mentioned elements of internal cascades should be SWOT-ed separately with candid and honest inputs from all levels of employees (see Figure 1). Embracing such logic allows leaders to create a cascading strategic plan that can energize the organization instead of just addressing the symptoms of issues with sugar-coated PowerPoint slides or adding a fresh coat of paint to the Titanic while it is sinking.
Figure 1. Each element of internal cascades should be SWOT-ed separately with candid and honest inputs from all levels of employees
SWOT expansion to include external cascading risk assessments
External risks need to be listed, rated for connectedness and assessed for their impact and likelihood of affecting the business. This offers a good start for subsequent strategic risk management efforts. The World Economic Forum’s annual Global Risk Report offers a good reference to use as a starting point for possible risks to consider. Separate SWOT analyses should be carried out for the six main areas of global risks:
Real-time feedback loops to leadership on the status and changes in global risks
Organizations and the world are hyper-connected communities that are exposed to threatening invisible cascade, ripple and domino effects. Today’s risks can easily leap past national borders, firewalls and other security safeguards and trigger very unexpected circumstances that can threaten the reputation and existence of the business. Modern applications of the SWOT analysis should consider this complex and cascading nature in which the world now operates. A thorough SWOT analysis can be a good start for any level of strategic planning, including the ultimate wish of any organization, which is to create disruptive innovation and value that will ignite the passions of its employees and customers.