“If anything kills over 10 million people in the next few decades, it’s most likely to be a highly infectious virus, rather than a war. Not missiles, but microbes.” That’s from Bill Gates’ 2015 TED Talk, in the midst of the Western African Ebola outbreak. Gates added “W]e’re not ready for the next epidemic…. With Ebola, the problem was not that we had a system that didn’t work well enough. The problem was that we didn’t have a system at all.”
Let’s fast-forward to a couple years ago, the 100th anniversary of the 1918 flu pandemic. What should have been understood in 2018 as the risk, in the near-term, of an epidemic or pandemic with major impact in the United States?
Understanding risk is how we address uncertainty. Whether you prefer the common definition of risk (the possibility of loss or injury) or the more technical concept under ISO 31000 or COSO’s ERM Integrated Framework (the effect of uncertainty on objectives), understanding risk requires us to evaluate the likelihood and severity of potential outcomes. Understanding risk also requires us to evaluate our current readiness to mitigate or control the risk, in light of our risk tolerance.
So, in 2018, what did we know about the likelihood and potential severity in the United States of epidemics and pandemics, and what did we know about our readiness to respond?
- The likelihood of an infectious disease outbreak was clear. Bill Gates’ 2015 message wasn’t a novel observation. The United States has a long history of epidemics and pandemics that continued after the notorious 1918 flu pandemic, which killed over 675,000 Americans (and over 50 million globally). Since 1918, in addition to diptheria, polio, measles, and HIV, the United States has faced a series of influenza outbreaks, including the 1957-58 Avian Flu, the 1968 flu epidemic, and the 2009 Swine Flu. And there were near-misses for coronaviruses in the United States, such as the 2003 SARS epidemic and the 2014 MERS outbreak, among others. As Dr. Anthony Fauci noted in his January 2017 presentation at a Georgetown University forum on pandemic preparedness:
[I]f there’s one message that I want to leave with you today based on my experience … [it] is that there is no question that there will be a challenge to the coming administration in the arena of infectious diseases …. [T]here will be a surprise outbreak, and I hope by the end my relatively short presentation you will understand why history … will tell the next administration that there’s no doubt in anyone’s mind that they will be faced with the challenges that their predecessors were faced with.
- The potential severity of a pandemic was clear. For over a decade the World Bank had warned of massive human and economic impacts, estimating in 2008 that a severe influenza pandemic could kill 71 million, trigger a global recession, and reduce global gross domestic product by nearly five percent.
- And our lack of preparedness was clear. Ron Klain, the former White House Ebola response coordinator, summed things up in an October 2018 article, bluntly titled A pandemic killing tens of millions of people is a real possibility — and we are not prepared for it.
Thus, in 2018, the risk of an unprepared-for epidemic or pandemic was not that of a black swan event – it was a grey rhino.
Three additional factors exacerbated our pandemic risk, lulling us into inaction:
Population Growth & Mobility: World population quadrupled and the United States population trebled in the century leading to 2018, with rapid growth in urban density. And the rise of affordable global travel made the United States dramatically more connected to the world.
Short-term Focus: Economic and political forces caused us to neglect or postpone crucial investment in systems needed for pandemic preparedness.
Exceptionalism: While there is much that is truly exceptional about the United States, there is a strain of us-versus-them thinking that a country so prosperous and so “advanced” must somehow simply be immune to risks facing the rest of the world.
The Lesson for Information Governance?
Organizations today are fundamentally in the information business, and so understanding our data-related risks is essential. Some such risks are gray rhinos – well-known, likely, and severe. For example:
- Companies that have not asserted control over data retention and disposal risk massive ediscovery costs in future litigation, as well as multiplied data security exposures.
- Companies that have failed to establish reasonable data security controls risk disruptive and destabilizing security breaches.
- Companies that do not control their information’s integrity and reliability risk missed business opportunities and bad business decisions.
- Companies that implement new technologies without first considering information requirements and repercussions, adopting “tools without rules,” risk a wide range of bad results.
- And companies that continue with a siloed approach to decisions involving information-related risks invite unexpected and damaging outcomes.
And just as with pandemic risk, three additional factors exacerbate information-related risks, lulling us into inaction:
Data Growth & Mobility: Data volumes continue to grow explosively, and rapid increases in data mobility and systems interoperability have literally connected the world.
Short-term Focus: Competitive forces and financial strains have caused many organizations to neglect or postpone crucial investment in systems needed for controlling information risks.
Exceptionalism: In many organizations there is a strain of thinking that all has gone well so far, so we must somehow simply be immune to data risks facing other organizations.
So, our first pandemic response lesson for Information Governance is this: it’s a fact that novel viruses can proliferate, and it’s a certainty that data proliferates. At any given moment the risks may seem remote, but the risks nevertheless are there, and the repercussions of ignoring those risks can be devastating.