Not if. When. How do you prepare for the unexpected?

A slew of recent events has raised the question of how organizations can best prepare for unexpected but inevitable events. Human nature, and therefore corporate nature, pushes us to rely heavily on the comfort of the absolutes that live in the rearview mirror. Even with the influence of sophisticated predictive analytics, planning for the future too often begins with a backward look and ends with the current state. Events throughout history remind us of the precariousness of such a shortsighted approach.


Especially in the security and resilience world, we often lament that we are planning for the last disaster. It’s not that basing strategies on past experiences isn’t helpful. It just won’t keep you from getting t-boned by the unexpected. The fact is this – you can’t prevent the inevitable (like natural disasters). What you can do is mitigate the consequences. And you can put measures in place to prepare how your organization will respond with agility and appropriateness so you can minimize the disruption or impact of unforeseen events.


And yet, the events of the last several months prove that most corporations are not as prepared for the unexpected as they could and should be. Part of the reason for that shortage of capability and vision is a simple lack of awareness about ways to combine known (history, the current state) and possible (future) details to establish a structure, risk approach, and culture that can enable your organization to absorb the unexpected. We can’t overestimate the importance of this exercise, if only because ubiquitous devices and social apps have allowed anyone (strangers, employees, friends) to record, share, and influence the communication and storyline for every event. For virtually everything that happens today – expected or unexpected – there is evidence.


An Unexpected Flood of Cases

Let’s take a moment to run down a short list of recent events that have impacted the trajectories of C-suites, boards, and organizations. Ask whether you think any of these were expected. Causes ranged from the misbehavior of strategic partners to threat actors, natural events, and customers. The unifying consideration is how efficiently and sufficiently leadership was able to respond to the respective events.


United Airlines: Do you think United Airlines ever ran through a scenario in which a metropolitan police department (strategic partner) would drag a passenger off the plane while hundreds of fellow passengers recorded the event on their mobile phones? Do you think they considered what to do when the story went viral within moments? The relatively slow, evolving responses to the crisis between the Sunday incident and the week that followed suggest they had not.[i] The stock price took a hit but has rebounded as the dust apparently settled. As experts predicted, customers prioritize price, convenience, and habit ahead of outrage, and their planes remain full. What is hard to quantify yet is the lasting impact the event surely will have on the United brand.


Equifax: One of the world’s largest consumer credit reporting agencies, responsible for the private financial information of 800 million customers, suffered a data breach following a massive hack. The event exposed the personally identifiable information of more than 145.5 million consumers. Their response was a textbook case study of how not to perform fiduciary duties, prevent a cyber attack, handle a breach, or conduct crisis communications. In fact, their unpreparedness on every level created such justifiable fear and anger that it impacted the entire sector. The company’s competitors, TransUnion and Experian, also took a hit from the media, stock market, and public.[ii]


California Wildfires: Hundreds of cannabis growers have had their livelihoods devastated by the fires in Sonoma, Napa, and Mendocino. The state-mandated industry is fully permitted but not entirely legal. Growers have spent tens if not hundreds of thousands of dollars becoming compliant with California regulations, but because it is still considered a federal criminal enterprise, most of these farms are cash-based. Most do not have fire insurance or access to loans and mortgages. More than a few had stored cash in their homes and farms to reinvest in things like greenhouses. That means the fires not only wiped out their cash crops; they burned their cash as well.[iii] Restrained by federal laws, how could these independent growers have anticipated a response to something as unpredictable as a virtually uncontrollable natural disaster?


Peer-to-Peer: Trust drives the sharing economy. Even with companies like EvIDent building technology to verify and secure identities in P2P transactions, industry behemoths like Airbnb and Uber don’t personally vet every provider or consumer.[iv] That means that even if the deal is secure, the brand experience is very much at risk because these individual providers are not just representing themselves in the relationship; they are an extension of the brand that is empowering their gig. And without cultural controls, there’s as much trust driving the company/provider relationship as there is the provider/consumer relationship. Indeed, we’ve seen numerous news stories about P2P companies taking brand hits – some with stunning repercussions like leadership oustings. More than any other industry, P2P may be most susceptible to social-media-driven consequences, meaning that it may be even more critical for these companies to be prepared to respond to a crisis with swiftness, honesty, and accountability.


Preparedness and Accountability

We’ve ascertained that it’s impossible to plan for every scenario, and even the situations you anticipate often don’t play out as intended. Consequences are exacerbated by dependencies that cause cascading impacts. Hyperconnectivity allows every moment of evidence (and misinformation) for everything happening to spread in real time in a modern version of telephone. Our environment has raised the preparedness imperative.


Organizations must have a framework, culture, and resources to support their ability to be accountable, honest, responsible, swift, and confident in any situation. It matters less whether a crisis was caused by internal events (like insider threat) that should have been prevented or by unexpected externalities (like a natural disaster demolishing a poorly structured nascent industry). What matters is that the fact of the crisis has been anticipated. It matters that a framework is in place to unite and guide stakeholders and team members at every level and in every disparate function across the organization.


Consistency is almost as important as corporate responsibility and transparency. Equip the organization and key people (spokespeople, especially) to deal with the public-facing side of the situation. Prepare to speak to your core values, to stay on message, to remain clear and honest, and to be action-oriented.


How to Prepare for the Unexpected

Former U.S. intelligence and counterterrorism official Richard A. Clarke and former White House National Security Council Director and U.S. and UN senior diplomat RP Eddy recently published a book called Warnings: Finding Cassandras to Stop Catastrophes.[v] In it, they introduce the “Cassandra Coefficient” to help decision-makers determine which warnings deserve focus and which do not.


They write that the warnings of experts could have saved millions of lives that have been lost to catastrophes, and ponder why those warnings were not heeded. They note that the 9/11 Commission talked about our failure of imagination. It’s probably true that it’s much easier to look in the rearview mirror and plan for what you know with what you know. It’s much harder to imagine a situation like Puerto Rico, which went without power for five weeks and mobile communications for two. Try to picture that. It happened, and for those of us who didn’t experience it, imagining the experience is incredibly challenging. How could we have imagined 9/11?


What would happen if Maria-like consequences plagued the mainland, leaving American citizens with no reliable access to power and water after five weeks? There are several probable scenarios, many caused by the vagaries of Mother Nature, which foreshadow similar consequences in American communities. Has your industry or organization planned for a lack of access to power or communications for weeks on end, regardless of the cause?


Toffler Associates has always employed methodologies designed to help organizations build resilience through a structured process of understanding, planning, and adapting. We show organizations how to stand in the future to determine what steps they need to take in the present to secure their entity and work to future-proof their structure, culture, and opportunities. Fundamentally, we engage orthogonal thinking, which brings together multiple viewpoints and industries to examine actual cases and real possibilities. ALTERNATE FUTURES® is a structured practice that enables leaders to explore multitudes of internal and external possibilities in a safe environment to improve preparedness and inform a culture of agility and trust.


In an era where so much is known, we are often stunned by unexpected events. As the adage says, ‘expect the unexpected.’ For leaders, that statement is easier said than done. Expectation means taking intentional steps to imagine what might be, to put the framework in place to absorb the unexpected and to convince your stakeholders and team members to imagine and pledge to act with you. Preparedness begins with your culture. And that begins with asking what could be and why you should respond.


It’s time to stand in the future and consider how you and your customers can absorb and bounce back from unexpected shocks.








About the Authors

Caitlin Durkovich

A recognized expert in critical infrastructure security and resilience, including cybersecurity, Caitlin helps clients navigate the complex operational challenges posed by an increasingly interconnected and interdependent global economy. As a leader in the Department of Homeland Security under the Obama administration, she led the development of public-private partnerships to influence policy and best practices related to managing security and the operational risks of a continually evolving threat environment. Caitlin holds a B.A. in public policy studies from the Terry Sanford Institute of Public Policy at Duke University and a certificate in business strategy from The Aspen Institute. In January 2021, Caitlin left her position as director at Toffler Associates to accept a role as the Senior Director for Resilience and Response on the White House's National Security Council under President Biden.
