I reviewed Nassim Nicholas Taleb’s book Antifragility with the promise to look separately at what the lessons might be for organisational risk management. The answer is quite a bit, and this article will just be an initial high level view. The thinking is developed pretty uncritically from the book. There will be plenty of scope to refine further and consider what’s needed to make it work. I’m thinking it will also be worth doing something more specific on project and construction risk management.
I haven’t yet fully explored on this site what’s wrong with risk management as espoused by the standards and a wealth of derivative ‘best practice’ guides. Many of the problems you can identify with this lead to fragility. The principal one is the belief in predictability: not as in ‘I know what’s going to happen’, but as in ‘I can list the things that might happen, take action to prevent most of them and be prepared for the rest.’ Whilst the second is greatly preferable to the first, our ability to do it well is clearly short of what we would like.
If we want to be antifragile we need to recognise that this kind of upfront analysis will not work, or at least will not be the full story, and think about what else we need to do.
Avoiding fragility
As well as being aware of the limitations of prediction, we need to identify the specific areas we are vulnerable to and aim to be resilient to those things we can identify. For example management fads like JIT or lean are inherently risky (as is reliance on management fads generally, especially unquestioning or uncomprehending reliance). Instead you need to create redundancy, that is, have enough of everything to cover your potential needs, and not just your needs on the basis that you will manage away all the risk.
More generally you need to identify your turkey situations: those which have big downsides without a corresponding upside. Taleb would have you look out for concave curves of outcome, but I find this unhelpful mainly because it is not very memorable (is it concave up or concave down?). He asserts this is easy to spot, but personally I need a little more practice to get attuned.
Finally you should not be worrying about your reputation. It’s Taleb’s observation that those individuals or organisations that don’t obsess over reputation are the ones that actually enjoy the best. I have been amazed that for quite a time now, ever since Tony Blair thought it would be a good idea for the British public sector to engage in a little ‘best practice’ risk management, that local authorities and civil servants talk endlessly and seek advice about reputational risk. This not only constitutes a misuse of public money – it’s not what they’re paid for – but is also palpably ineffective. More on the fragility of the public sector shortly.
Creating options
Second, your organisation needs to have a mindset in which it creates options for itself. For example redundancy creates options: if you don’t use the additional resources you can exploit them some other way when the opportunity arises. You need to do things which are not strictly necessary: potter away at your bricolage, engage in practically-motivated R&D, fix things which ain’t broke, try stuff which sounds interesting, network widely on matters of only tangential interest.
(Fixing what ain’t broke is a personal gloss on antifragility. Taleb actually refers to this only once that I remember, as a description of the ultra-interventionism of an oversized French Government. But I see it as a kind of tinkering which might also be called continuous improvement, one management fad I do approve of. It’s important to recognise that you have to look out for the opportunities which come out of kicking things around.)
Investing in antifragility
It’s becoming obvious that there is a cost to being antifragile. It’s the antithesis of the kind of over-budgeted, cost-stripped, outsourced, centrally-controlled outfit that dominates much of Britain these days, the Harvard-Soviet model as Taleb would call it.
Returning to the British public sector, we can know that these techniques have been enthusiastically applied in most areas in the last couple of decades. This has included the almost universally applied contracting out of core services. It seems this is an inappropriate response to high labour costs and there is very little opposition from any political front, apart from public sector unions of course. The result is highly fragile service delivery and a widespread perception that the public sector is pretty useless at doing anything much apart from feeding the profits of a raft of really scummy outsourcing companies. It’s a scandal no-one wants to do anything about.
As a counterexample which reflects some antifragile strictures, think about the Olympics. First, the opening ceremony was commissioned on essentially a personal basis with Danny Boyle. Not bad for a £27m job, but it reflects Taleb’s reminder that you’d trust a mafia boss before a civil servant because the civil servant is slave to a large and amoral organisation. The best business is person-to-person. I’ve written elsewhere about the Olympics capital programme. It’s generally accepted that this was pretty expensive: it had large contingencies – ‘redundant’ money. But the money came in useful when the financial crisis meant no-one wanted to build the Olympic village, and again when the commercially-run organising committee ran into trouble. And to close the circle, the redundancy of (surprisingly) available armed forces personnel was useful to implement a contingency plan when one of the outsourcing profiteers blew up. Central control was a complete illusion for G4S and its hapless Chief Executive.
This raises a question as to whether your desire to be antifragile is related to your choice of industry, the business you are in. Can you be an antifragile high-street retailer or a fraudulent workfare organiser? I don’t know.
The business most praised by Taleb for its antifragility is Apple, as established on the principles espoused by the blessed St Steve. It was interesting to see the short-lived career of a Dixons retail boss at Apple. It would be equally interesting to see how long an Apple shop executive lasted at Dixons, a Harvard-Soviet model company which seems to do OK. I can only say that the ‘genius’ of the Apple tech geeks I have had the misfortune to trip across is completely fake, but then I’m not an Apple fan even if I can understand the antifragility. Plus I’m not sure control freakery is really antifragile.
Staying agile
There’s no point creating options if you don’t decide to exercise them. This means the antifragile organisation has to be constantly making timely decisions and acting on them. Timely means not too early as well as not too late. There is a clear advantage in delaying decisions – to collect more information, see which way the tide is turning – as well as being decisive when necessary. Indeed the whole redundancy idea means you need to keep alternatives running instead of committing too early, if at all, to one.
This is clearly difficult for the big organisation. The response is perhaps to delegate and to do this effectively you need to have the small downside culture: farm-betting decisions have to be outlawed as a matter of company culture.
Of course sometimes it may be necessary to turn the tanker on a sixpence. In this case it’s clearly best to decide early and implement effectively. It’s always been of interest to me that the accepted wisdom of project management is that you map out a plan before starting and then plod ahead through the plan, noting variances and the like. Process seems to run out when the project runs into trouble and needs to be recovered. It’s probably here that process is most needed: all too often recovery is so complex that it too fails, creating a worse failure. I’m clear that antifragile projects should have a much better recovery capacity than is generally the case, and this should be planned in. We’ll return to this in the construction context.
Finally agility is increasingly of interest to the business continuity community as a complement to resilience. We shall also be following up on this idea.
Organising
This brings us to the organisational and cultural issues which need to be addressed. As ever these are key to having an approach which is natural and not just an additional bit of process.
First of all there is no such thing as antifragile risk management; fragility is risk, just another name really, and if you are going to have someone dealing with it, they should be the Fragility Manager.
From the cultural viewpoint the organisation has to be risk and option aware. It has to be agile and it has to be innovating, tinkering, creating volatility. This suggests that it has to be devolved with delegated decisions. In short it should be modelling itself on life, making changes and rejecting what doesn’t work. One of the clear properties of antifragility that I’ve not mentioned so far is the so-called via negativa – focussing on what not to do so as to achieve simplicity. I’m still unclear on how this fits with the large organisation. I suppose the answer is obvious: it doesn’t and the organisation needs to keep splitting so as to promote self-managing sections and fractal-style growth.
How do you create these values throughout the organisation? They need to be inculcated by the everyday conversations that people have. Managers need to be asking about risks and controls, concavity and convexity. What else can we not do? What else can we tinker with? What do we need to decide now? What can we decide later?
From the process viewpoint, it is still necessary to think about risks and what to do to stop them happening and what to do if they do. You also need to do fragility (or convexity) analyses. You need to think about resilience and redundancy. You need to do all of this in ways which are more usable than the standard risk register approach. And, sadly, you can probably dispense with a lot of the probabilistic analysis unless there is no way of avoiding large downsides after all. That’s where this approach started. All in all there is quite a raft of new tools which could be developed.
To conclude, I often argue that the main characteristics that modern risk management brings to an ancient and natural process are an aspiration to comprehensiveness and visibility. Most of the rest of the principles stuff in the risk standards is motherhood, apple pie or just plain incomprehensible voodoo. Coming back to the principles of comprehensiveness and visibility, what can we now see? The idea that we can create a complete risk register is futile; you cannot predict the black swans that will turn up. But you still need to construct the possible outcomes for the fragility analysis and you will need to understand how the downside ones are limited by the measure you plan to put in place. The aspiration to completeness is still vital, I think. These issues do still need to be visible throughout those parts of the organisation which need to know them. There is plenty of scope to create smart tools which will support this.