CoverStory
Sink or swim
Businesses can be hit by unforeseen ‘black swan’ events at any time. But accountants can take steps to keep their firms safe. Here's how
Words Christian Koch Illustrations Andrew Nye
Given that Christmas has just passed, here’s a tale about a turkey. Let’s call him Terrance.
All his life, Terrance has been led to believe humans are great. Every day, a person visits to feed him corn; sometimes he even has toys to play with. From the moment Terrance wakes up to when he rests his wattled neck on homegrown straw at night, he has little to worry about.
Then, one day in December, a human visits the barn holding an electric stunner. Seconds later, Terrance’s gobbling days are gone.
For Terrance, his death at the hands of his farmer ‘friend’ was something he could never have anticipated. There is a theory about the fate that’s just befallen our soon-to-be-plucked pal. But it doesn’t involve turkeys, it’s black swans instead.
What is a black swan?
A black swan is a random and unexpected event. It was coined by influential thinker Nassim Nicholas Taleb in 2001 and comes from an old European observation that all swans were white – an assumption that was shattered when explorers discovered mutant black swans in Australia in the 18th century.
According to Taleb, a black swan event has three characteristics:
· It is rare and unexpected.
· It has an extreme impact.
· Although the event was largely unforeseeable, with the benefit of hindsight perhaps there were some warning signs.
In recent years, accountants and other finance professionals must have felt as if they have been bombarded by one black swan after another: Covid-19, supply chain woes, rising inflation, the cost-of-living crisis, the uncertainty of AI.
These seismic shocks have seen accountants tear up forecasts, pivot to new business models, give counsel to concerned C-suites and stare at balance sheets wondering: “Could I have done something about this all along?”
Accountants should think about the risks: Where’s your weakest link? Is it the person who has admin access to your network?
Why are these events becoming more frequent?
Put simply, technology. In July 2024, the CrowdStrike crisis was the biggest IT outage in history. When an update to the US cyber-security firm’s software malfunctioned, it triggered a chain reaction of similar failures in computers around the world, grounding flights, crashing payment systems and bringing everything from hospitals to governments to a standstill.
Cyber incidents such as this are the top global risk to businesses today, according to the annual Allianz Risk Barometer. In fact, they are becoming so commonplace that it’s probably best to think of them as grey swans because “they are an absolute inevitability,” according to Vijay Rathour, partner and head of cyber and digital investigations at Grant Thornton.
So who is most at risk? “Anybody who uses a computer,” says Rathour. “If you’re working from an airport Wi-Fi connection, then your Wi-Fi might be an attack surface [where hackers can access a system or network]. If you’re a large company using temporary contractors [from overseas] you’ve potentially widened your attack surface too. Computer systems that you can’t control potentially widen your risk.”
The rise of generative AI is also making cyber criminals’ jobs easier. Scammers can now impersonate a CEO’s voice using a few snippets of their YouTube TED talk or use ChatGPT to craft a convincing email from the ‘boss’ asking an employee to reset their email. For accountants and finance professionals, the scariest thing is that they are the ones increasingly being preyed upon: according to Deloitte, the number of deepfake incidents in the finance sector soared by 700% in 2023.
Why are CFOs and accountants being targeted?
“Accountants and CFOs are a prime candidate for targeting purely because they are the gatekeepers to the keys of funding,” says Tim Foster-Key, technology risk services director at Grant Thornton. “It’s a natural consequence of their role.” (See Responsible Business feature.)
This was illustrated starkly in 2024 when a Hong Kong-based finance clerk at engineering multinational Arup was tricked into sending HK$200m (£20m) of the company’s cash to fraudsters after they posed as the firm’s CFO and other senior employees in a video call by using AI-cloned versions of voices taken from videos.
“When attackers are looking for low-hanging fruit, CFOs are ideal candidates,” says Rathour.
Image: Andrew Nye
Is cyber crime the only black swan we need to be worried about?
Outsourcing services to your supply chain may also prove problematic if a black swan strikes. “Post-Covid, we saw many organisations outsource their services, bringing other organisations into the supply chain,” says Foster-Key. “Accountants should think about the risks: Where’s your weakest link? Is it the person who has admin access to your network? Or an organisation that delivers the product, meaning if they don’t have the widget, you’ll only have two days’ worth of inventory?”
As Rathour puts it: “Every problem you’ve got, your supply chain probably has it as bad, or probably many times worse. Third-party due diligence is critical to modern businesses, because their failure is your failure. Just look at the NHS and the contaminated blood scandal or [hotel group] Marriott, who were fined £18.4m for a data breach. If mistakes happen in your supply chain such as this, you might think it’s not your fault, but it is.”
>What are the biggest black swan risks to businesses?
UK's top five risks for businesses:
1. Cyber incidents.
2. Business interruption (such as supply chain issues).
3. Natural catastrophes (storms, floods and extreme weather events).
4. Shortage of skilled workforce.
5. Climate change.
Source: Allianz Risk Barometer 2024
Be prepared
Black swans, by their nature, are fiendishly hard to predict, making them difficult to prepare for. But there are things organisations can do to make themselves more earthquake-ready.
Wargames: Rathour says: “One of the best ways to decrease the impact of a cyber event is a cyber wargame, where a risk consultant business such as Grant Thornton will potentially hack into your organisation, show you what happens when we steal data, plus help you stress-test an incident response plan. The more you sweat in training, the less blood you’ll lose in battle.”
Have a back-up: The corporate world’s dependence on cloud-computing infrastructure such as Microsoft Windows (which every large organisation in the world, and most small businesses, runs on) could leave them more vulnerable the next time a CrowdStrike-style cyber-incident happens. It’s worth having parallel infrastructure – for example, ‘System A’ and ‘System B’ – which run on different technologies, says Rathour. “That way, if System A gets hacked and goes down, you can immediately switch over to System B and still operate.”
How can finance teams prevent black swan events?
“Traditionally, the person who best understands risk within an organisation is somebody in a finance role,” says Foster-Key. “I’d suggest these people share and encourage risk dialogue with the rest of their organisation, whether it’s HR or operations.”
Indeed, while a black swan might catch the C-suite unawares, accountants may have spotted the warning signs first. Finance professionals such as bookkeepers or management accountants are often described as the “eyes and ears of an organisation”, and their frontline familiarity with balance sheets means they know exactly where businesses could be haemorrhaging cash. Their data detective work can also spot risks that could threaten a company’s financial health, such as unexplained spikes in income or even fraud.
“We’ve worked with businesses where the CFO knew the organisation was having a cyber attack before their cyber team did,” says Rathour. “When the CFO saw the business had dropped profitability out of the norm, he knew this was an issue to be investigated. Lo and behold, money was going down and computers were being impacted. CFOs are massively attuned to this stuff.”
Foster-Key says: “We now live in a world where [businesses] can use indicators, markers on real-time data, data analytics support, plus analysis around outliers might give you an indication something’s not right. You don’t need to be a large organisation to deploy this tech – these are things you can build in as a small company too.”
He adds: “We’ve seen pandemics, wars, changes in politics. These things are going to happen. Why not account for them and mitigate their risk?”
Hidden opportunities
Although cataclysmic at the time, a black swan crisis can be reframed as an opportunity – shaking businesses out of their complacency or potentially future-proofing them by forcing them to invest in the latest technology. The pandemic hastened digital transformation for many companies, with 20% of firms questioned in PwC’s 2021 Global Crisis Survey reporting that Covid had a positive effect on their business. Other events such as 9/11 saw developments in airport security; captains of transatlantic liners were probably more vigilant about icebergs following the sinking of the Titanic in 1912; and it’s believed the science behind Covid-19 vaccines could be used to fight cancer.
It's also an opportunity to demonstrate good leadership – but only if you’re prepared first.
“[During a crisis] the world will be looking at you,” says Rathour. “You can increase the value of your business after a cyber incident because people will see you were on top of your comms and being proactive. Many organisations come out stronger.”
Sink or swim
Businesses can be hit by unforeseen ‘black swan’ events at any time. But accountants can take steps to keep their firms safe. Here's how
Words Christian Koch Illustrations Andrew Nye
