and more people were telling me, “Look, it’s time for a new book because the threats are becoming more serious and more frequent, but we’re also becoming a lot better at a number of new activities and processes, and (business continuity planning) has been taken to a higher level in corporations.” So I put together a team and started working on the new book.
Q: You write in the preface that we shouldn’t look at this book as a sequel or a new edition of the original, that it really is something different. Tell me how.
A: It looks at a whole new set of threats that I didn’t cover very much in the first book. For example, think about cybersecurity problems. Ten years ago, we were just starting to hear about cybersecurity problems. Today, “cyber” is a weapon. Many physical systems are being run by digital means and can be attacked.
It also became very important to talk about social and environmental responsibility: (the factory fires) in Bangladesh; the conflict mineral issues, which forced Intel and Apple to go to this very deep level—10 to 12 tiers deep—in the supply chain to find out where their minerals were coming from. This became a real corporate reputational risk. And, of course, there have been things like the Japanese earthquake and tsunami that changed a lot of companies’ views on risk and their own vulnerability to disruption.
In the new book, I also emphasize a point that I did not make and should have made last time: that people always look at the top right corner [in a quadrant chart of possible disruptions and estimations of their likelihood and impact] where the probability (of an event) is high and the consequences are high, but that is the wrong place to look. Companies prepare for these events, and as a result, although the impacts could be severe, they are not that high because companies are ready for them. I point out the really worrisome quadrant is the high-consequence/very-low-probability corner because this is the “black swan.” This is the 2008 financial meltdown. This is 9/11. This is Chernobyl. These are the things that nobody expected and nobody knew how to deal with. And the question is, how do you prepare for things that you cannot even imagine, things that you don’t even know that you don’t know? A lot of the issues in the book have to do with general preparation or general resilience for what you can’t even imagine because it never happened to you, to your competitors, or to other people in the industry.
Another change that is introduced to this framework is what I call “detectability”—the time from when you know something is going to happen to the first impact. Think of the classic example, a hurricane. You know three days before we see the storm.
But you (also) have to prepare for something that you only find out about after the fact. Think about some sabotage, some people stealing trade secrets, some cyberbug in your system.
There are a lot of new software applications that didn’t exist 10 years ago that are designed to alert you as soon as something happens and tell you what the implications are, what the value risk is, which customers and products