“Our greatest glory is not in never falling, but in rising every time we fall.”

― Confucius

“That which does not kill us makes us stronger.”

― Friedrich Nietzsche

“Things do not change; we change.”

— Henry David Thoreau

“Resilience is all about being able to overcome the unexpected. Sustainability is about survival. The goal of resilience is to thrive.”

— Jamais Cascio

“Resiliency is the ability to spring back from and successfully adapt to adversity.”

— Nan Henderson

“Resilience or hardiness is the ability to adapt to new circumstances when life presents the unpredictable.”

— Salvatore R. Maddi

“To succeed, planning alone is insufficient. One must improvise as well.”

— Isaac Asimov

The unforeseeable rules in today’s chaotic world. Hugely important and devastating events and situations come upon us without warning. They are mostly unpredictable in nature, magnitude, and timing.

COVID and its consequences are the poster-child for this new world. But it is beginning to look as if COVID is only a passing catastrophe among an underlying flow of catastrophic surprises. The last post looked at this from the point of view of Strauss & Howe’s Fourth Turning (Crisis).

How can you possibly manage a business or other organization in a seriously-misbehaving world such as this?

Risk management no longer works

In the good old days before 2020, the appropriate tool in many situations was risk management. Risk management is the process of identifying, assessing, and controlling threats to an organization’s capital and earnings.

The story here lies in the definition: identifying, assessing, controlling – threats. Good luck with this approach when many threats have become unforeseeable in nature, timing, and impact magnitude.

We can’t foresee threats that are inherently unforeseeable.

This means that we can no longer deal with such threats – causes – directly but only with whatever mischief they might cause in our local worlds. The potential causes will include those that are almost completely improbable and will – objectively-viewed – never, ever, occur. Like COVID. Your pre-2020 risk management efforts certainly picked that one up, right?

Resilience focuses on impacts, not causes

This is a crucial distinction. If you can’t identify and quantify causes (risks), then all you can tackle in practice are impacts and their damage potential. This in turn defines a largely internal boundary for resilience analysis and strengthening.

A major drop in sales, for example, can arise from many causes, including a bunch that can never ever happen – but do. Risk management in its traditional sense deals mainly with identifiable and risk-quantifiable happenings. It is not designed to deal with unknown, completely improbable events and situations.

Of course, there will still be a good number of traditional risk management targets remaining that must be addressed.  Resilience strengthening targets mainly happenings that fall outside of the risk management scope.

Expanding risk management in some manner to deal with the unknowable and completely improbable may be possible but doing so will almost certainly be weak or ineffective. The problems are too different for this approach to succeed.

Grey swan events and situations further complicate things

As you might have guessed, risk managers have already begun poking into the unforeseeable and improbable. Grey swans have entered the scene. Risk Management magazine (September 2021) attempts to set the stage in this manner: “Preparing for Grey Swan Events”:

“The risk management profession measures success by the extent to which it can best help forecast, evaluate and protect organizations against financial and reputational risk. Grey swan events—long-tail risks, known but believed to be highly unlikely—complicate this mission.”

“Often, organizations are convinced that these events are unlikely to happen, so they avoid allocating resources toward their prevention. The Aon and Pentland Analytics reputational risk report Respecting the Grey Swan highlights the indelible impact grey swan crises have on reputation and shareholder value. The report analyzes 300 corporate reputational crises, representing all major industry sectors. In over 10% of the crises analyzed over four decades, more than 50% of shareholder value is destroyed within one year of a grey swan event.”

“Cultivating Resilience. Organizations’ resources are finite and risk managers need to strike a balance between protecting against grey swans while still preparing for the more likely risks. However, as the report demonstrates, ignoring grey swan events can significantly threaten a company’s reputation and financial wellness.”

“Organizations with a culture of resilience are less likely to be derailed by sudden shocks, and risk professionals who treat resilience as a continuous effort rather than a one-off exercise are more likely to successfully manage risk [emphasis added]. Building a resilient workforce is also a key area firms are addressing as the world becomes more interconnected and risks become more severe.”

“The best way to build resilience is to have a strong commitment to loss prevention and mitigation. Organizations need to have contingency plans in place so that, when grey swan events occur, they are prepared to respond, and leaders know how to effectively manage the crisis. For some organizations, this means developing a strong response plan that serves as the go-to when a specific type of crisis occurs. For others, it could be holding simulation trainings to help build muscle memory so organizational leaders know how to respond. Depending on the organization, the industry and the type of crisis we are preparing for, it takes a wide variety of different actions to adequately prepare.”

Doing nothing may well become a popular option. But …

Fatalism probably won’t work any better

Just letting whatever-happens do its thing and then trying to muddle through the damage as best you can does not sound to me like a practical management practice either. It seems more like a default position. Since we can’t foresee what might happen, we can’t do much of anything about it upfront. Just get the brooms and shovels ready to clean up the debris.

So, the way things stand right now is that you can’t see whatever might be coming, improbability of these aside, so you can’t do much of anything to prevent the unforeseeable. This doesn’t seem to allow a lot of wiggle-room.

The answer here, as you almost certainly will have figured out, is to prepare instead for impacts – damage – from whatever does occur. However improbable.

There are only a relatively few points in any organization where external events and situations can generate a significant impact. These are points of vulnerability. Almost regardless of impact cause, the effects on the organization are not hard to predict, model, and mitigate.

Moving away from causal analyses and toward impact and damage minimization analyses – resilience strengthening – seems more productive at this point.

Okay, so just how do we go about this “resilience” thing?

Improving your resilience is the key to survival + success

Consultant McKinsey & Company states the situation briefly and directly: “The resilience imperative: Succeeding in uncertain times”:

“Strengthening institutional resilience has never been more important. 2020 was a wake-up call. To thrive in the coming decade, companies must develop resilience—the ability to withstand unpredictable threat or change and then to emerge stronger. ‘Develop resilience’ is easy to say but hard to define, and yet harder to do.”

Couldn’t agree more – especially with the last sentence: “… hard to define, harder to do”.

Just to be sure we have a clear starting point: Resilience in a business or organizational context is the ability to sustain a serious impact event or situation, to survive the impact, and ultimately to recover largely or fully (success). But emerging stronger? Maybe just emerging without serious long-term damage is a more realistic expectation. Stronger is good – if you can manage it.

Impacts from whatever cause can generate significant damage at various places in the organization, depending on the particular “whatever’s” involved. These are what I call ‘points of vulnerability’. No significant damage potential, no vulnerability.

Damage becomes visible and quantifiable in the end in financial terms. The grey swan example above dealt with reputational damage as a point of vulnerability, but its damage magnitude and recovery costs are ultimately financial.  

If you can arrange to have no serious points of vulnerability, along with effective ways to minimize and recover from any residual impact damage, then you are truly resilient. Or as resilient as it is possible to get.

Getting resilient ahead of the need for it

Recovering from a major hit as McKinsey suggests is good but getting ahead of the game is much better. Getting resilient, fortunately, is something that you can do today – ahead of whatever-is-coming. You don’t have to know the nature, timing, or magnitude of the “whatever” but only the places where you have clear vulnerability. Financial vulnerability.

If nothing comes along, then you will have wasted some time, money, and effort. What are the chances these days of nothing much coming along? 0%, at best. The odds of something nasty hitting you during the next few turbulent years are at least 100%. The most important thing is to get your resilience strengthening done ahead of impact.

Improving “resilience” actually has two parts:

  1. Identify and strengthen major vulnerabilities
  2. Develop options for recovery after getting hit

The second part assumes that you aren’t going to catch every vulnerable point or that some of the “strengthening” moves won’t be as effective as hoped. It means that you are likely to suffer a few significant hits in places or in ways that you haven’t (yet) addressed.

Identifying and strengthening major points of vulnerability

What exactly are “points of vulnerability”?

Suppose that the governor decides to impose a quite harsh lockdown because of reasons and science. Could never happen in reality, but just for instance. Your business can’t do anything except comply as best it can. Sales drop 75% in days and remain roughly this low for 180 days. Sales for most businesses is a point of major potential vulnerability. Many businesses have recently experienced this particular point of vulnerability. Many did not survive.

Why “sales”? Because it is easily measured in great detail. You can model it in most cases without difficulty. This means that you can – ahead of the next sales impact – figure out what might happen internally and what actions you might take to minimize the damage. In advance. Most organizations, of course, have many more points of vulnerability to address.

Waiting until after an impact to “emerge stronger” seems to me to be a non-starter despite McKinsey’s counsel. You need to get more resilient ahead of need and the only way I know of for doing this is to model and test. This exercise might even extend to actual impact simulation training exercises.

Your financial statements list your points of vulnerability

So many different happenings can impact major line items like sales or production costs. Even happenings that can never, ever, happen – like COVID and its kids.

Financial statements are in effect models of your business or organization. They connect a whole bunch of components via quantifiable, routinely-measured, understandable numbers. Big revenue hit? It is straightforward in most cases to trace through the financial detail how a revenue impact (drop) may affect almost every aspect of your organization.

Today, we all have greatly-detailed financial figures readily at hand. These are nearly all well-understood so that impacts can be readily traced and quantified. Huge factor in strengthening resilience in practice. Ahead of actual impact.

The mechanics for all of this are available to all but the smallest businesses.

Business simulations are tools that can be built and used in spreadsheet formats like Excel. If you do not have such a critter up and running in your business or organization today, you are missing a hugely important part of your management processes and practices.

Most organizations do have the spreadsheets or equivalent, but how many are using them routinely and explicitly to strengthen resilience? Very few, so far as I am aware.

So, when the next COVID or whatever grey or black swan comes along, you will have to focus on control and recovery from damage that should not have occurred in the first place.

Business simulations are the key here

While you won’t actually know how your business will respond to the next hit from out there somewhere, you can make some pretty accurate guesses based on available organizational and business knowledge. Better yet, you can tap that knowledge and expertise to develop responses to each particular set of impact consequences.

If you want to explore business simulation tools, I’d suggest the Forio Epicenter platform as a starting point. They offer a free account.

Example of a Business Simulation from Forio Epicenter

Profit maximization or resilience maximization?

This will surprise exactly no one but it seems that many efforts over the recent past have been driven largely by “profit maximization” agendas. Ignoring the fact that there is no such thing as “profit maximization” but only profit growth. Just-in-time supply chains are wonderful in this respect. Until they run out of time. Like today.

Hard to resist the herd when everyone else is out there maxxing-out profitability but this herd behavior has a serious downside: It requires incredibly stable conditions – forever. When conditions are unstable, these tightly-coupled systems fail. Like today. More on this in a future post.

The point here is that the world has changed so much and unpredictably that essential stability has vanished. As my previous post argued, we appear to be in the final years of a current Fourth Turning Crisis period. Instability is an important feature of such times. Profit maximization bites the dust. Resilience is what counts today and moving forward (we hope).

Bottom line:

Risk management does not reliably make your business or organization resilient. It aims at reducing the likelihood of and damage from foreseeable and probable risks. Resilience is very different. Resilience assumes that damaging impacts, foreseen and unforeseeable, will occur regardless of our risk minimization efforts. It aims at ensuring that the organization can survive almost anything that comes along, regardless of likelihood, and that it will ultimately succeed and prosper. Very different management objectives.

Related Reading

For those who are not familiar with risk management concepts and practices, Wikipedia offers a useful overview:

“Risk management is the identification, evaluation, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities.”

“Risks can come from various sources including uncertainty in international markets, threats from project failures (at any phase in design, development, production, or sustaining of life-cycles), legal liabilities, credit risk, accidents, natural causes and disasters, deliberate attack from an adversary, or events of uncertain or unpredictable root-cause. There are two types of events i.e. negative events can be classified as risks while positive events are classified as opportunities. Risk management standards have been developed by various institutions, including the Project Management Institute, the National Institute of Standards and Technology, actuarial societies, and ISO standards. Methods, definitions and goals vary widely according to whether the risk management method is in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety.”

“Strategies to manage threats (uncertainties with negative consequences) typically include avoiding the threat, reducing the negative effect or probability of the threat, transferring all or part of the threat to another party, and even retaining some or all of the potential or actual consequences of a particular threat. The opposite of these strategies can be used to respond to opportunities (uncertain future states with benefits).”

“Identification. After establishing the context, the next step in the process of managing risk is to identify potential risks. Risks are about events that, when triggered, cause problems or benefits. Hence, risk identification can start with the source of problems and those of competitors (benefit), or with the problem’s consequences.”

“Source analysis. Risk sources may be internal or external to the system that is the target of risk management (use mitigation instead of management since by its own definition risk deals with factors of decision-making that cannot be managed). Some examples of risk sources are: stakeholders of a project, employees of a company or the weather over an airport.”

“Problem analysis. Risks are related to identified threats. For example: the threat of losing money, the threat of abuse of confidential information or the threat of human errors, accidents and casualties. The threats may exist with various entities, most important with shareholders, customers and legislative bodies such as the government.”

“When either source or problem is known, the events that a source may trigger or the events that can lead to a problem can be investigated. For example: stakeholders withdrawing during a project may endanger funding of the project; confidential information may be stolen by employees even within a closed network; lightning striking an aircraft during takeoff may make all people on board immediate casualties.”

“The chosen method of identifying risks may depend on culture, industry practice and compliance. The identification methods are formed by templates or the development of templates for identifying source, problem or event. Common risk identification methods are:”

“Objectives-based risk identification. Organizations and project teams have objectives. Any event that may prevent an objective from being achieved is identified as risk.”

“Scenario-based risk identification. In scenario analysis different scenarios are created. The scenarios may be the alternative ways to achieve an objective, or an analysis of the interaction of forces in, for example, a market or battle. Any event that triggers an undesired scenario alternative is identified as risk – see Futures Studies for methodology used by Futurists.”

“Taxonomy-based risk identification. The taxonomy in taxonomy-based risk identification is a breakdown of possible risk sources. Based on the taxonomy and knowledge of best practices, a questionnaire is compiled. The answers to the questions reveal risks.”

“Common-risk checking. In several industries, lists with known risks are available. Each risk in the list can be checked for application to a particular situation.”

“Risk charting. This method combines the above approaches by listing resources at risk, threats to those resources, modifying factors which may increase or decrease the risk and consequences it is wished to avoid. Creating a matrix under these headings enables a variety of approaches. One can begin with resources and consider the threats they are exposed to and the consequences of each. Alternatively one can start with the threats and examine which resources they would affect, or one can begin with the consequences and determine which combination of threats and resources would be involved to bring them about.”

Publisher Tech Target has a more operational overview of current risk management practices: “Risk Management”:

“Risk management is the process of identifying, assessing and controlling threats to an organization’s capital and earnings. These threats, or risks, could stem from a wide variety of sources, including financial uncertainty, legal liabilities, strategic management errors, accidents and natural disasters. IT security threats and data-related risks, and the risk management strategies to alleviate them, have become a top priority for digitized companies. As a result, a risk management plan increasingly includes companies’ processes for identifying and controlling threats to its digital assets, including proprietary corporate data, a customer’s personally identifiable information (PII) and intellectual property.”

“Every business and organization faces the risk of unexpected, harmful events that can cost the company money or cause it to permanently close. Risk management allows organizations to attempt to prepare for the unexpected by minimizing risks and extra costs before they happen.”

“Risk management strategies and processes. All risk management plans follow the same steps that combine to make up the overall risk management process:”

“Establish context. Understand the circumstances in which the rest of the process will take place. The criteria that will be used to evaluate risk should also be established and the structure of the analysis should be defined.”

“Risk identification. The company identifies and defines potential risks that may negatively influence a specific company process or project.”

“Risk analysis. Once specific types of risk are identified, the company then determines the odds of them occurring, as well as their consequences. The goal of risk analysis is to further understand each specific instance of risk, and how it could influence the company’s projects and objectives.”

“Risk assessment and evaluation. The risk is then further evaluated after determining the risk’s overall likelihood of occurrence combined with its overall consequence. The company can then make decisions on whether the risk is acceptable and whether the company is willing to take it on based on its risk appetite.”

“Risk mitigation. During this step, companies assess their highest-ranked risks and develop a plan to alleviate them using specific risk controls. These plans include risk mitigation processes, risk prevention tactics and contingency plans in the event the risk comes to fruition.”

“Risk monitoring. Part of the mitigation plan includes following up on both the risks and the overall plan to continuously monitor and track new and existing risks. The overall risk management process should also be reviewed and updated accordingly.”

“Communicate and consult. Internal and external shareholders should be included in communication and consultation at each appropriate step of the risk management process and in regards to the process as a whole.”

As a counterargument to my “risk management is inadequate for the world today” position, Forbes’ Steve Culp lays out what I see as support for my take: “Why Risk Management Is More Important Than Ever”:

“No individual or organization can predict specific risks. But organizations can and need to prepare for an uncertain and volatile future that includes climate change, technological disruption, geopolitical risk, threats to the global supply chain, and issues related to cyber-crime, data protection and privacy. As we have seen during the pandemic, some modern business practices (such as globalization and just-in-time inventory management) create risks of their own. And regulatory authorities around the world continue to evolve and expand their scope, addressing matters such as data protection and privacy along with money laundering, financial crime, violations of sanctions, bribery and corruption.”

This is a focus on causes that are real but extremely hard to define and quantify in operational terms. The best that seems possible is to set them aside as stuff that happens and concentrate instead on our impacts and our actions.

Risk management is big business today, as the table below illustrates. With over 26-thousand advisory and consulting businesses out there, this is clearly a multi-billion dollar market in just the U.S. alone.

Risk Management is big business