For some time it’s been a theme in meetings between risk management people and business continuity people that the world’s ills can be solved by being resilient. Specifically, you don’t need to worry about that boring old risk profile when resilience means you can deal with anything that’s thrown at you, up to and including black swans. As time has gone on, other words have been thrown into the mix like robustness, agility and adaptability, and no doubt we’ll see antifragility before long.
This was put at its starkest by Michael Power in his risk management of nothing essay, where he said we must look to the business continuity community to fix the mistakes of risk managers and ERM (for more details see the review on this site). More recently the World Economic Forum report on global risk adopted the risk ‘taxonomy’ of Kaplan and Mikes to identify resilience as the solution for big global risks which are external to you, even if you are a nation state. (Actually it doesn’t, see my review.)
I recently organised a meeting on global risks (scroll down a bit) and I have already reviewed the WEF report from a viewpoint that was not discussed at the meeting – risk analysis. We also failed to get a proper debate going on the relationship between resilience and risk management and this is what I want to return to here.
Let’s start with what resilience is. According to the WEF report (referring to Martin-Breen and Anderies) resilience is
- for an object, the capacity for bouncing back faster after stress, enduring greater stresses and being disturbed less by a given amount of stress (an interestingly comparative definition which raises the question ‘compared with what?’)
- for a system, maintaining system function in the event of disturbance.
Thus for adaptive systems – like nations, but, by extension, any organisation – resilience is the capability to (1) adapt to changing contexts, (2) withstand sudden shocks and (3) recover to a desired equilibrium … while preserving the continuity of its operations. The WEF is initiating an assessment exercise for national resilience which is to based on 5Rs which they derive from this: robustness, redundancy, resourcefulness, response and recovery.
This suggests resilience is about dealing with the consequences of things happening rather than stopping them happening. This something of a piece of received wisdom about the difference between business continuity and risk management. However I think this is rather artificial, not least because the future is not neatly partitioned into events with causes (whose probabilities are to be reduced) and effects (to be minimised). Possible futures are sequences, or rather complex networks, of cause and effect.
For example we could aim to be resilient against climate change. As part of that we might do a risk analysis of Thames Estuary flooding and decide on some criteria for when we will need to strengthen the Thames barrier. As a result we’ll reduce the probability of flooding. Or we might aim to be resilient against flooding and build on high ground or buy sandbags.
The WEF definitions, with their references to ‘stress’, ‘disturbance’ and ‘context’, are vague about what the risks are which are materialising and it seems to me this is another characteristic of resilience (again as opposed to risk management with its risk identification/analysis drivers), that resilience can be achieved independently of what the threat is. This is an attractive idea and worth exploring further.
Staying with the WEF report, it contains a follow up by PwC on the resilience actions which have been taken to address the three major cases – or issues – from last year. The three narratives are
- seeds of dystopia – pressures on society created by a growing and ageing population exacerbated by high unemployment (more of an issue than a risk, in the common risk management parlance; dystopia is the risk I guess)
- how safe are our safeguards – the failure of institutions to deal with the global risks (which could be regarded as the failure of risk control rather than a risk itself)
- dark side of connectivity – cyber-risks.
The PwC report identifies four generic actions which are being taken to deal with each of these and provides specific examples of each. The actions can be seen in the chart (which enlarges if you click it). What can we make of them?
First, and most obviously, the actions are specific to the risk issues. This is not too surprising as the account takes a risk-centred approach. More subtly you can expect that resilience actions might cover several well-defined mini-risks, but only a general risk area. As I’ve just argued the uncertain future is expressed as a complex network of cause and effect which exists at multiple scales. As you zoom out the structure takes on the characteristics of ‘uncertainty’ rather than individual ‘risks’, and the same applies to the controls.
However, Action 4 to counter cyber-risk is designing resilient electronic devices and online systems. While this could be quite risk-specific, the examples developed are in fact encryption and the use of TPM chips to identify hardware items, ie we don’t just identify users, we identify the devices they use. I can’t judge the efficacy of these ideas, but they do seem to be quite risk-independent at the specific risk level.
However, while the failure of international safeguarding institutions is fairly risk-unspecific, it’s worth noting that PwC have developed the discussion by focussing on climate change and pandemics.
Secondly the some of the actions have the generic, vague characteristics of the control in many risk registers. ‘Seek holistic insights and involve a range of stakeholders,’ is that a world-saving resilient response or a platitudinous good thing that we can all fill a bit of space with in the absence of anything more concrete. That depends on the detail I guess, and the example here is an Indian solar panel company that facilitates loans so people can buy its products and create the economic benefits of solar panels. PwC argue that the holistic understanding of the socio-economic context (customers get benefits from the products suppliers sell) and the multi-stakeholder collaboration (supplier, funders, borrowers) mean that no-one is disadvantaged.
It’s also interesting that the basic response to seeds of dystopia is promoting good old-fashioned economic growth. As another example, Action 3 is about how Canada has created growth through welcoming immigrants. Nice for Canada, nice for the immigrants, but is this really international collaboration, or is it just an inequality-increasing, competitiveness-centred, fragile action at the global scale?
However one action which dystopia and safeguards have in common is monitoring what’s going on and questioning assumptions. They sound obvious, but are often little done in conventional risk management implementations. They are key principles in resilience engineering which I plan to return to in Part 2.
A common action between safeguards and cyber-risk is international co-operation and collaboration. Again this is a bit motherhood, but I just mentioned how the response to potential dystopia is thought to be founded in atomised, nation-based competition. By contrast, enhancing our ability to build institutions to monitor, share, co-ordinate, find solutions to and achieve agreement on global issues in an adaptive way is clearly a resilient response. Scoring this against the 5Rs would be a useful complement to assessing nations. EU and Cyprus, anyone?
I’ll finish for now by mentioning the message put forward by Nicola Ranger in her lecture to our meeting: “Being ‘statically’ robust and resilient isn’t good enough. Planning and risk management must become more forward-looking, flexible and progressive.”
Nicola calls this a new paradigm for risk management. This suggests that maybe the pendulum has swung away from resilience and back to risk management again (as long as we stop being backward-looking, inflexible and regressive!) But in her talk Nicola is focussed on our ability to be adaptive as well as robust, in our risk analysis as well as our actions.
From my point of view, this discussion is conclusive: we should see resilient, adaptive, antifragile-even thinking as part of risk management; it doesn’t replace it. But I would say this wouldn’t I? And we knew this didn’t we? The main question is how we can do it better and we’ll return to this in Part 2.
[…] the previous article I explored resilience in the way it is described in the WEF global risk report. It was hard to […]