Antifragility, Adaptability, and Enterprise Risk Management
Hydra, springing from whose single body were fashioned a hundred necks, each bearing the head of a serpent. And when one head was cut off, the place where it was severed put forth two others; for this reason it was considered to be invincible, and with good reason, since the part of it which was subdued sent forth a two-fold assistance in its place.
-Diodorus Siculus, Library of History 4. 11. 5 (trans. Oldfather) (Greek historian C1st B.C.)
What made Antaeus nearly impossible to kill was that he could draw strength from the earth, making him stronger every time he was knocked down. Any damage opponents inflicted on him, therefore, made Antaeus even harder to defeat.
Hercules had to hold Antaeus completely off the ground to finally strangle him.
Fast forward five hundred fifty years and Nassim Taleb coins the term “antifragile” to describe those systems that didn’t just resist volatility but were positively improved by it. In his book Antifragile: Things That Gain from Disorder, he wrote:
Like Taleb’s examples, successful, enduring businesses capture value from exposure to the stressors of the marketplace. The best businesses, like organisms, get stronger as they overcome hardships and engage in competition.
Few businesses, however, are antifragile.
Businesses fall into bankruptcy all the time, even time-tested icons like JC Penney and Sears. In fact, the entire retail industry, with its traditionally thin margins, turned out to be extremely fragile to a socially disruptive stressor like the COVID-19 pandemic. The industry’s fragility wound up concentrating power into the hands of a few behemoths, like Amazon and Walmart, that have the operations and positioning to demonstrate antifragility.
What implications does this concept of antifragility have for other organizations, emerging from a global pandemic and on a continuing quest of resilience? Is there a way to build risk and compliance programs that not only allow organizations to weather extreme events, but directly and systematically strengthen from them?
Taleb’s analysis proposes several dynamics that can increase antifragility in complex systems. Here are three such dynamics — and how Bowman’s ERM program demonstrates these principles.
Antifragile systems take advantage of systematic trial and error. In nature, natural selection weeds out those unable to adapt, conferring strength by allowing successful survivors to reproduce.
In business, good risk and compliance departments have leadership with vision, of course. Great risk and compliance departments also resist falling into the trap of dictating from the top rather than adapting from the bottom. They can see adverse events as something not only to be weathered, but as something from which they can learn.
One of the most important functions of an ERM system, Bowman notes, is to memorialize the dynamics of risk events after they’re over, capturing business impacts, control responses, procedural adaptations, and any other relevant data that might make future responses more effective. Channeling experiential feedback into the program is a way to fix insufficient controls and mitigations, thereby tuning the system for the next time.
Antifragile organizations put mechanisms in place to mimic the trial and error of natural selection. They consistently capture learnings from adverse events, aggregate them, analyze them for significance, and allow significant findings to inform their roadmaps and strategies.
Bowman speaks in depth about the enormous amount of pre-planning and analysis of the risk landscape to inform his ERM program.
However, no matter how much foresight you put into your risk registry, there will always be risk events that manifest differently from how you anticipated. Your preparation can give guidance as to business impacts, velocity, etc., but you must also adapt to those aspects of the event that manifest differently than how you planned.
The COVID-19 pandemic is a good example. Bowman notes, “We recognized very quickly that this risk event may actually exceed reasonable planning, or reasonable mitigation efforts, and that the response may be more broad or have greater depth than originally anticipated.”
Many companies have pandemics registered within their ERM systems, but few – if any – imagined the scale of disruption caused by COVID-19. An agile risk manager recognizes that COVID-19 resembles different aspects of several risks. The pandemic, for example, may partially resemble a natural-disaster risk in its capacity to shut down physical offices and force work-from-home. It may also resemble risks related to economic downturns, in its effect on third-party vendors.
We can better understand a novel or surprising risk event by analyzing other risks that have similar qualities, pulling a little from this and a little from that to complete the picture.
Here’s a common risk management math problem. Say you have three potential risk events: 1) a successful cyber penetration with a 2% likelihood of occurring within the year; 2) an economic downturn with a 5% likelihood; and 3) a large employee lawsuit with a 3% likelihood. What is the chance that all three events would happen at the same time?
If you assume that all three of these events are unrelated, you would multiple 2% by 5% by 3%, arriving at a .003% chance that all three events might happen at once.
In the real world, however, events are seldom truly unrelated. They can be correlated in surprising ways.
Let’s say that in the next year you experience one of the events above, an economic downturn. You may feel very safe from the other two risks because you did the math, and the simultaneous odds are quite small. However, the economic downturn causes you to have to lay off staff in several departments, including your IT department. The resulting understaffed, overstressed IT department starts delaying certain crucial security patches, resulting in a cyber penetration. Meanwhile, the IT employee you only laid off because of said downturn feels they were targeted unfairly and sues for wrongful termination.
One risk event made the other two more likely to happen. That’s more how life works.
The opposite can also be true. Under certain conditions the presence of certain risk events can make other events less likely to happen. Taleb uses airplane malfunctions as an example. If an airplane has an emergency, the results are so high-profile and the investigation protocols so strict that flights are immediately grounded, and fixes are quickly propagated, which makes the whole system safer.
The value of Enterprise Risk Management is understanding business impacts of risks so thoroughly, that you can make your controls and mitigations maximally effective. Bowman talks about going beyond the simple assessment scores of a certain risk and developing an entire profile of associations, including policies, procedures, business objectives, indicators, controls, and affected third parties:
Bowman uses the Riskonnect Risk Correlation Engine as the core of this 360-degree profile for understanding risks. With his detailed knowledge of a risk’s impact throughout his business, he can focus on implementing controls and responses that decouple a risk event from potential cascading events that it might set off. Information about the primary risk event is directly used to decrease the likelihood of connected events.
Beyond Resiliency: Incremental Strength from Stress
Discussing a post-COVID world, risk and compliance professionals are starting to talk more about operational resiliency. Resiliency is crucial – but the conversation must go beyond how fast and effectively an organization can return to status quo ante. The discussion must extend to how the organization can be built – like Antaeus – to acquire strength beyond its initial state whenever it is knocked down.
The core of any antifragile enterprise risk program is a procedural discipline and a commitment to agility, analysis, and learning. ERM programs don’t exist to be a static catalog of Things That Could Happen; they exist to make organizations ever better at surviving and flourishing.