• Free Trial Risk Management Studio


Free Trial



The Trial is a completely functional version of RM Studio with the ISO 27002 - Information Security Controls (abbreviated characters) and sample data included with the database.


ISO27001:2013 Available Now

RM Studio now includes the ISO/IEC 27001:2013 standard fully embedded and the management controls from ISO/IEC 27002 completely mapped to the Threat Library included.

PCI DSS 2.0 is completely embedded with the controls mapped to the Threat Library and coming soon the PCI DSS 3.0 embedded and mapped.

A black swan is a highly improbable event that diverges far from what is normally expected, has a massive impact, and is extremely difficult to predict. The global economic crisis brought this term into the limelight, and in 2007 Nassim Taleb wrote the popular book, The Black Swan: The Impact of the Highly Improbable, in which he describes the futility of attempting to predict random events. As a result, risk management efforts have been honed in on addressing black swans in addition to traditional threats. In this article, we examine two common mistakes made by executives and managers in addressing black swans.

Risk Management is a Cost

Benjamin Franklin said, "A penny saved is a penny earned." In football (soccer for our readers from the States), when our favorite team beats a league rival, we call it a "six-pointer." This outlook should be applied to risk management efforts within the organization. Oftentimes, risk management efforts are viewed strictly as a cost, and in some cases avoided as a result. Organizations that focus on profitability in the traditional sense, and fail to implement risk management principles to protect that revenue, often fall the furthest following a black swan event.

This idea suggests a paradigm shift for most organizations: risk management efforts should be viewed as profit-generating activities. In conversations, we have heard of the difficulties risk managers have in convincing executives to provide more resources. This is followed nine times out of ten with the statement, "If they only realized how much it is going to cost without a risk management program."

Attempting to Predict Black Swans

Black swans by definition are extremely difficult to predict. In trying to predict black swans, executives and managers take the focus away from more frequent, less damaging threats. By focusing on predicting black swans and implementing controls meant to prevent the (predicted) occurrence, organizations expose themselves and as a result become more vulnerable to common events and threats. Black swans diverge from the norm and are unexpected. As such, statistical analysis and past events cannot serve as predictors for the occurrence of a black swan, which is by nature an unprecedented event.

It serves an organization better to focus on the results and consequences of a black swan and develop a business continuity and recovery plan (BCP), as opposed to attempting to predict its occurrence. By understanding the potential impact of a black swan and the organization's vulnerabilities to it, and using this information to develop a BCP, an organization is better equipped to address a black swan if it occurs.

The concepts of black swans and risk management go far beyond this article. Our hope is that this article is a starting point for examining your organization's approach to risk management and assessing whether it falls prey to these two common mistakes.

Article by Matthew Arnold

Why RM Studio?

RM Studio is proven to:

  • Streamline the Risk Management Process
  • Reduce Complexity and Cost
  • Assist in the Certification Process
  • Ensure Traceability
  • Be Simple to Deploy and Use