Published: Wednesday, 19 June 2019 08:16

In a wide-ranging article, Geary W. Sikich enters the debate about the future of the risk assessment and the business impact analysis and pulls various threads together to conclude that targeted flexibility is the basis of the art of being prepared.

Some interesting points about how organizations apply current standards such as business impact analysis / assessment (BIA), risk assessment methodologies, compliance and planning have been written about lately. Each author presents good arguments for their particular methodology.

Antifragile: Nassim Taleb created the concept of ‘antifragile’ because he did not feel that ‘resilience’ adequately described the need for organizations to be ready to absorb the impact of an event and bounce back quickly. According to McKinsey & Co., “Resilient executives will likely display a more comfortable relationship with uncertainty that allows them to spot opportunities and threats and rise to the occasion with equanimity.” 

Adaptive BC: Adaptive Business Continuity, according to its manifesto, is an approach for continuously improving an organization’s recovery capabilities, with a focus on the continued delivery of services following an unexpected unavailability of people, locations, and/or resources.

There seems to be a lot of controversy about some of the tenets of these various approaches.

In the Prologue to his book, ‘Antifragile: Things That Gain From Disorder’, Nassim Taleb states: “Some things benefit from shocks; they thrive and grow when exposed to volatility, randomness, disorder, and stressors and love adventure, risk and uncertainty.  Antifragility is beyond resilience and robustness.”

Taleb also wrote:

To have ‘skin in the game’ is to have incurred risk (monetary or otherwise) by being involved in achieving a goal. In the phrase, ‘skin’ is a synecdoche for the person involved, and ‘game’ is the metaphor for actions on the field of play under discussion.

Of course, this has been one of my observations for a long time: organizations do not do an in-depth assessment of risk or business impacts. They choose to limit their focus in these areas. We tend to see only that which we choose to see, hence the limitations of the BIA, risk management practices, and planning practices (take your choice regarding planning approaches). When it comes to these practices, we preach ‘best practices’ to adherents, yet few know the origins of the concept of best practices. Compliance guidance is also flawed in that most of it is reactionary to an event that has already occurred, such as Bhopal, India; Exxon Valdez; BP Deepwater Horizon; Three Mile Island, etc.

Test yourself

Here are twelve questions from Hans Rosling’s book ‘Factfulness’. I have omitted one question from the original list as it requires a series of maps in order to be answered. Take a piece of paper and answer each question. The correct answers are found in the Reference section below. Now, no cheating – don’t go look at the answers before you complete your answers. Rosling also points out that you may not be able to beat a chimpanzee when it comes to the test. It seems that we may be systematically misinterpreting a lot of the things we are supposed to be expert about. Are we susceptible to the over-dramatic risks that we face (i.e., the asteroid or meteor that could potentially destroy our data center / centre)?

In all low-income countries around the world today, how many girls finish primary school?

A: 20 percent
B: 40 percent
C: 60 percent

Where does the majority of the world population live?

A: Low-income countries
B: Middle-income countries
C: High-income countries

In the last 20 years, the proportion of the world population living in extreme poverty has:

A: almost doubled
B: remained more or less the same
C: almost halved

What is the life expectancy of the world today?

A: 50 years
B: 60 years
C: 70 years

There are 2 billion children in the world today, aged 0 to 15 years old.  How many children will there be in the year 2100 according to the United Nations?

A: 4 billion
B: 3 billion
C: 2 billion

The UN predicts that by 2100 the world population will have increased by another 4 billion people.  What is the main reason?

A: There will be more children (age below 15)
B: There will be more adults (age 15 – 74)
C: There will be more very old people (age 75 and older)

How did the number of deaths per year from natural disasters change over the last hundred years?

A: More than doubled
B: Remained about the same
C: Decreased to less than half

How many of the world’s 1-year-old children today have been vaccinated against some disease?

A: 20 percent
B: 50 percent
C: 80 percent

Worldwide, 30-year-old men have spent 10 years in school on average. How many years have women of the same age spent in school?

A: 9 years
B: 6 years
C: 3 years

In 1996 tigers, giant pandas and black rhinos were all listed as endangered.  How many of these three species are more critically endangered today?

A: Two of them
B: One of them
C: None of them

How many people in the world have some access to electricity?

A: 20 percent
B: 50 percent
C: 80 percent

Global climate experts believe that, over the next 100 years, the average temperature will:

A: Get warmer
B: Remain the same
C: Get colder

How did you do? According to Rosling’s experience in administering this and other tests, probably not too well. Why? Could it be that we give too much credence to what we think we know instead of investigating and getting more fact-based about our activities? Realize that while the asteroid and meteor pose real threats to data centers, the reality is that we are dealing daily with data disruptions on a small scale. These interruptions are cumulative in terms of the time, money and human resources required to fix them.

In my article, ‘Are We Missing the Point of Risk Management Activities’ (2016), I offered three definitions or categories of risk. I present them briefly below. The complete article is available here.

Strategic risk:  A possible source of loss that might arise from the pursuit of an unsuccessful business plan.  For example, strategic risk might arise from making poor business decisions, from the substandard execution of decisions, from inadequate resource allocation, or from a failure to respond well to changes in the business environment.  Read more: According to the post on Simplicable entitled, ‘22 Strategic Risks’, posted by Anna Mar, February 02, 2013 (

Operational risk: The Basel II Committee defines operational risk as: "The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events." According to Simplicable, operational risk is the chance of a loss due to the day-to-day operations of an organization. Every endeavor entails some risk; even processes that are highly optimized will generate risks. Operational risk can also result from a breakdown of processes or from the management of exceptions that aren't handled by standard processes. It should be noted that some definitions of operational risk suggest that it's the result of insufficient or failed processes. However, risk can also result from processes that are deemed sufficient and successful. In a practical sense, organizations choose to take on a certain amount of risk with every process they establish.

Tactical risk: Tactical risk is the chance of loss due to changes in business conditions on a real-time basis. Tactics differ from strategy in that they handle real-time conditions. In other words, a strategy is a plan for the future, while a tactic is a plan to handle real-world conditions as they unfold. As such, tactical risk is associated with present threats rather than long-term conditions. Tactics and strategy are both military terms. Military organizations primarily view tactical risk as the conditions on a battlefield: an army may identify strategic risks before a battle, but tactical risks can only be identified as they unfold.

Please refer to the article for more details and examples of each of the risk categories.

Misconceptions – risks, threats, hazards, vulnerabilities (RTHV) underlying planning or lack thereof

To assess or not to assess? Standard accepted practices in risk management and business continuity planning have always stressed the need for risk assessment and for the BIA as a fundamental step in the planning process. Experience has shown that these often take too long to complete (time) and in the end are actually quite incomplete. In addition, the three levels that I have mentioned – strategic, operational and tactical – have changing goals and objectives based on business results, operations and management focus.

The Adaptive approach to business continuity lists ten principles:

Where one controversy starts is with the principle of omitting risk assessments and business impact analysis. It is prudent to conduct a BIA and to constantly assess the risk landscape in order to link apparently non-related issues, events, etc., and create a mosaic of risk complexity that can be addressed at multiple levels. In probability theory and mathematical physics, a random matrix (sometimes stochastic matrix) is a matrix-valued random variable, that is, a matrix some or all of whose elements are random variables.

The power of infinite random matrix theory comes from being able to systematically identify and work with non-crossing partitions (as depicted on the left of the above diagram). The figure on the right depicts a crossing partition, which becomes important when trying to understand the higher-order terms that infinite random matrix theory cannot predict. (Figure by Prof. Alan Edelman.)

It would be wise to begin to consider random matrix theory with respect to risk identification and assessment. The complexity we face today in a globalized society is that risks are shared more and more, even though we have less and less awareness of the manner in which they are shared. A good example of this is the international supply chain system. While each organization has its own supply chain, the combination of all organizational supply chains creates an entirely different risk exposure. Just think in terms of movement in the supply chain. Shippers (air, rail, ship, overland, etc.) are all trying to maximize their resources from an efficiency perspective. This has led the shipping industry to build mega-container ships, which require different portage and logistics capabilities. Shippers are handling multiple organizations’ supply chains, moving products to a wide audience of customers. While efficiency is increased, risk is also greater due to the potential for a ‘single point of failure’ resulting in the loss of the ship and its cargoes.

All that said, the traditional BIA and RA need to be rethought so that the process does not get bogged down in details that really have little impact on the business. By this I do not mean that the counts of workstations, computers, printers, copy machines and other equipment should be discarded; however, if you have a purchasing/logistics department, this information should be readily available from their records.

Effective business continuity and risk management programs cannot be designed to satisfy everyone. Instead, they need to clearly identify how the implementation will support the achievement of the organization’s goals and objectives (strategic). Once planners and risk managers understand what is needed to sustain business operations during a disruption, they can begin to identify risks and potential business impacts more readily and rapidly. This is where the recent McKinsey & Co. article ‘Bridging the gap between a company’s strategy and operating model’ brings some relevance into play. Here is a quote from the article:

“Once a company understands where it creates the most value, it must identify the specific institutional competencies it needs.  This usually means getting specific about what it needs to be able to do to deliver on the most important parts of the value chain.”

If you really think about that statement, it is the essence of the focus of business continuity planning and risk management. Understand where we create the most value; then assess the risks and potential business impacts of a disruption to the ability to create value; build plans that are flexible and adaptable to the situation and the resources available; and constantly monitor and assess risks (think like a commodities trader) to create risk parity.

Risk parity is a balancing of resources to a risk. You identify a risk and then balance the resources you allocate to buffer against that risk being realized (that is, occurring). This is done for all risks that you identify and is a constant process of allocating resources to buffer each risk based on the expectation of the risk occurring and on its velocity, its impact and your ability to sustain resilience against its realization. You would apply this and then constantly reassess to determine what resources need to be shifted to address the risk. This can be a short-term or long-term effort. The main point is that achieving risk parity is a balancing of resources based on assessment of risk realization.

Risk parity is not static, as risk is not static. When I say risk is not static, I mean that when you identify a risk and take action to mitigate it, the risk changes in response to your action. The risk may increase or decrease, but it changes due to the action taken. You essentially create a new form of risk that you have to assess in light of your action to mitigate the original risk. This can become quite complex, as others will also be altering the state of the risk by taking actions to buffer it. The network that your organization operates in (the value chain: customers, suppliers, etc.) reacts to actions taken to address risk; all of them are reacting, and this results in a non-static risk.

Resources today - and where?

I will quote again from McKinsey & Co. in the May 2019 article, ‘Bubbles pop, downturns stop’:

“Your business context is and will remain uncertain.  But if you get moving now, you can ride the waves of uncertainty instead of being overpowered by them.”

Here again is the essence of what risk management and business continuity planning should focus on. It is uncertainty that will drive much of the reactive response to a disruptive event. Here, again, the Adaptive BC approach has two principles that start to address this uncertainty. One of the principles states: ‘obtain incremental direction from leadership’. Leadership needs to be involved more than incrementally when responding to a disruption that threatens the organization’s ability to execute on its goals and objectives. This does not mean micro-managing the response. It means that leadership is informed and can provide a higher level of direction based on a broader understanding of the impacts to business operations. The other principle states: ‘prepare for effects, not causes’. Effects are oftentimes immediate and generally short term (once the fire is out and the damage is assessed, the recovery phase starts, right?). Consequences may not be immediately apparent (e.g., asbestos exposure, Agent Orange exposure, etc.) and can lead to long-term crisis operations.

Here is where the potential value of business continuity and risk management can be leveraged. The organization needs to have a readily available pool of resources (human, financial, equipment, etc.) to continue the business operation. While being insured (Business Interruption, Contingent Business Interruption insurance, etc.) is important, having the ability to reconstitute the business operation is critical. Insurance is not a guarantee of immediate payment of claims.

Part of the planning and risk management process should be to answer what the distinctive institutional capabilities are and where they are located. Questions posed in the McKinsey article (cited above) include:

“Which functions and capabilities should reside within the corporate center versus within the business units?  Who should be empowered to make key decisions and manage the budget or allocation of resources?  What are the most critical roles within the organization, and do we have the best people assigned to those roles?”

According to the McKinsey article ‘Bubbles pop, downturns stop’, a resilience nerve center aims to do three things well:

Getting past the limitations of traditional performance approaches oriented around head count and cost will require fresh thinking about boosting productivity.

“Disruption happens, we cannot really control its occurrence; however, the way that we respond is something we can control.  The consequences to disruption can, in many ways, be minimized by foresight and astute analysis of those things not readily connected.”

Concluding thoughts

Being in compliance does not negate risk.  I think that we have to overcome the compliance mentality and to understand the nature of risk better.  I will conclude by offering the following seven points:

We are faced with a new risk paradigm: efficient or effective? Efficiency is making us rigid in our thinking; we mistake being efficient for being effective. Efficiency can lead to action for the sake of accomplishment with no visible end in mind. We often respond very efficiently to the symptoms rather than to the overriding issues that result in our next crisis. Uncertainty in a certainty-seeking world offers surprises to many people and, to a very select few, confirmation of the need for optionality.

It’s all about targeted flexibility, the art of being prepared, rather than preparing for specific events. Being able to respond, rather than being able to forecast, facilitates early warning and proactive response.

I think that Jeffrey Cooper offers some perspective: "The problem of the Wrong Puzzle. You rarely find what you are not looking for, and you usually do find what you are looking for." In many cases the result is irrelevant information.

Horst Rittel and Melvin Webber would define this as a systemic operational design (SOD) problem: a ‘wicked problem’, a social problem that is difficult and confusing, versus a ‘tame problem’, which is not trivial but is sufficiently understood that it lends itself to established methods and solutions. I think that we have a wicked problem.

As Milo Jones and Philippe Silberzahn write in their book ‘Constructing Cassandra: Reframing Intelligence Failure at the CIA, 1947–2001’, “Gresham's Law of Advice comes to mind: ‘Bad advice drives out good advice precisely because it offers certainty where reality holds none’” (page 249).

The questions that must be asked should form a hypothesis that can direct efforts at analysis. We currently have a threat, but it is a very ill-defined threat, which leads to a potentially flawed threat assessment and to the expenditure of effort (manpower), money and equipment resources that might be better employed elsewhere. It is a complicated problem that requires a lot of knowledge to solve, and it also requires a social change regarding acceptability.

Experience, it is said, is a great teacher. However, experience may date you to the point of insignificance. Experience is static. You need to ask the question, “What is the relevance of the experience to your situation now?”

Take a look at the exhibit below from McKinsey (‘Bubbles pop, downturns stop’) and then take a hard look at your current risk management and business continuity programs. Now, ask yourself, “Do we address any of this in our current business continuity planning / risk management programs?”

About the author

Geary Sikich is a Principal with Logical Management Systems, Corp., a consulting and executive education firm with a focus on enterprise risk management and issues analysis.

Geary is also engaged in the development and financing of private placement offerings in the alternative energy sector (biofuels, etc.), multimedia entertainment and advertising technology, and food products.

Geary is a frequent speaker on high profile continuity issues, having developed and validated over 4,000 plans and conducted over 450 seminars and workshops worldwide for over 100 clients. Geary consults on a regular basis with companies worldwide on risk management, business continuity and crisis management issues.