Position Paper

Rethink Risk Through The Lens of Antifragility

In a hyper-connected, highly uncertain world, risk management is failing us.

We live in risky times – or more specifically, times of increasing volatility and uncertainty. In the last decade, we have seen the 2008 credit crunch, the 2010 Deepwater Horizon oil spill, and the Arab Spring in 2011-12. In 2016, we experienced the vote for Brexit, the election of President Trump and the start of a populist movement that could bring trade wars, geopolitical conflicts and civil disorder. We are also seeing more and more ingenious and prevalent cyber attacks on corporate, national and international infrastructures.

The volatility and impact of all these risks are massively amplified because we live in a hyper-connected world where everything – from nuclear power plants, factories, vehicles, fridges and hospital equipment to wearable and invasive devices – is increasingly connected, inspectable and controllable. Businesses can be remarkably adaptive, but it does not help that we often design fragility into our systems and processes, particularly through efficiency and cost-cutting initiatives.

Are we ready for such heady and unpredictable levels of risk?

We at Leading Edge Forum contend that our businesses and government agencies have sleepwalked into the 21st century with organizations that are not fit for purpose. We need to evolve many aspects of our organizations, including how we think about, sense, manage, monitor and more generally address risk. We argue that the traditional approach to risk management in business has several significant flaws.

First, there is the sense that with risk management we are, to some extent, managing risks that we have already seen or can already imagine – that could be labelled ‘known unknowns’. This could be cruelly labelled as ‘managing risk through the rear-view mirror’, and does not address unexpected risks. (You may well ask how it is possible to manage those, and you will see our response later in this document.)

Specifically, the current approach to risk management fools us into believing that we have risk under control, because we understand and have mitigation plans for expected risks. However, as author Nassim Nicholas Taleb points out, many historical events have been caused by ‘black swans’: large, unexpected risks (which we later post-rationalize as if they were expected). The Fukushima nuclear incident was a negative black swan; Google’s creation of Gmail was arguably a positive black swan.

Another issue is that many aspects of risk management continue to require human intervention, which is sometimes impractical in a hyper-connected, high-speed world. For example, in 2016 we saw successful military tests of self-organizing, self-managing drone swarms. Many of the processes and policies for launching a single military aircraft require human intervention and paperwork, with lots of lags in the system; launching and re-launching drones and drone swarms will demand higher speeds and less human intervention. Similarly, in a fast-moving, hyper-connected world, the implementation of much risk management will need to be automated, based on machine intelligence.

But the most troublesome aspect of risk management is its separation from value creation and growth. Although security and risk managers are keen to talk about the value of risk management, that is not the issue we are raising. The issue is that the places and mechanisms that we use to discuss and decide on risk management are not the same as the places and mechanisms that we use to discuss business value and business growth; they are separate domains.

Figure 01 – 20th Century Organizations separate risk management and value creation

We may label this way of thinking as an ‘engineering’ view of risk: all risk is bad and must be eliminated, and risk has nothing to do with value creation.

This view of risk leads to several problems, including:

  • Wrapping companies up in legislation that is largely built around risks that have already happened, often giving a false sense of security that because they have ‘ticked all the boxes’ they are safe. (There are several studies observing this effect – e.g. after Sarbanes-Oxley was introduced.)
  • Missing the considerable upside of taking intelligent risks.
  • Living with unresolvable tensions between feeling the need to address every potential risk, yet having limited budget for risk management, and the imperative to make a profit and be agile.

Despite these tensions, our way of thinking of and dealing with risk in companies is deeply ingrained, but must be changed if we are to survive and thrive in the 21st century.

Antifragility is an exciting alternative that fuses value and risk, and CIOs and IT executives are well positioned to help

If instead of the ‘engineering’ view of risk, we think of risk as an inherent, and not always bad, feature of all business, all processes and all value flows, then we approach what we might label a ‘financial’ view of risk. In this view, companies choose activities that have attractive risk/return profiles or ‘yield curves’, and try to bend those yield curves to be even more attractive.

Figure 02 – 21st Century Organizations fuse value and risk in their decision making

A powerful way to approach this view of risk is the relatively newly named concept of antifragility. Coined by Nassim Nicholas Taleb, who himself comes from a financial trading background, antifragility refers to a property of any thing or system (company, country, business, species, etc.) that causes it to gain from shocks, stressors and risks. Antifragility in business is real: Toyota has been hit by shocks and recovered to be stronger. The firm was severely damaged in 2009 and 2010 with the largest car recall in history followed by a massive tsunami that wreaked damage in its international supply chains. Yet Toyota’s fiscal 2013 profits were more than four times its 2010 earnings, and three times 2012’s. The company has arguably reclaimed its place as the world’s most successful car maker.

Another great example of antifragility was shown to us by data privacy startup Integris Software during our April 2017 Silicon Valley and Seattle study tour. Integris provides services that help companies comply with increasingly stringent data protection regulation, notably the European Union’s GDPR regulatory framework. The stringency of its requirements, severity of penalties (up to 4 percent of global group revenues) and timing (need to comply by 25 May 2018) represent a considerable shock to many companies. Integris’s software helps companies more easily understand what data they have. We were told of Integris clients getting stronger through the use of such services, and being able to use their data more effectively to create business value with customers. Another GDPR startup, Trust-hub, told us a similar story.

We tend to think of being robust or resilient as the opposite of being fragile, but in fact, they are just waystations en route to the true opposite of fragility: antifragility. The figure below shows the response of systems when risks/shocks/stressors occur. A fragile system quickly deteriorates – like a paper house in a storm. A robust system holds out longer – like a brick house in a storm – but ultimately breaks too. A resilient system bends but doesn’t break, and ultimately comes back to normal – like a supple tree in a storm. An antifragile system adjusts and ultimately comes back stronger, like the human race after an epidemic. LEF’s Lewis Richards is researching how to strengthen antifragility in the 21st Century Human; we can become stronger as we seek out things that stress our abilities.

Figure 03 – The opposite of fragility is not robustness or resilience, but antifragility

