Risk Management | Dealing with uncertainty and complexity

In a world that has been on a multi decade trajectory of ever increasing globalisation and interconnectedness, society has become addicted to efficiency. Businesses have been centralising their processes, relying on their just in time supply chains and offshoring to shared service centers to cut costs.

Redundancy, often seen as the opposite of efficiency, is perceived as a dirty word and seen as an impediment to short term profits. However, recent history showed us how fragile the systems have become that we created in our craving for efficiency and short term thinking. Cutting intensive care beds in good times because “we don’t need them”, invisibly makes you fragile to a health crisis. Shutting down nuclear power plant because “we can currently meet power demand with cheap gas”, makes you fragile to a supply shock. While chasing efficiency might improve your P&L, you are adding hidden risk and fragility. Complex systems (like organisations) need redundancy to survive and absorb shocks, hence businesses should embrace and imbed redundancy to mitigate risk and increase performance in the long-run.

The following series of articles tries to provide a different perspective on risk management by using analogies from real life which help to understand the role and importance of enterprise risk management. Also, the idea will be presented of dealing with uncertainty and randomness, propose adjustments to well-known risk management frameworks, how understanding and applying incentives is key to effective risk management, and how to use first principles when solving complex problems.

At a Glance

  • Unknown-unknowns or “black swan events” are often ignored in assessing risk.
  • Resiliency is not the end-game, how to become Anti-fragile.
  • Positioning your company through diversification and optionality to balance your risk appetite.
  • Learn to love volatility.

Dealing with uncertainty and complexity

The human mind has evolved to take shortcuts called biases or heuristics to ensure fast and efficient decision making and risk perception. When our ancestors were first faced with an aggressive and hungry lion that attacked their spouse, their knowledge and bias after that moment told them to avoid lions to prevent being eaten alive. This is a very helpful tool for survival, but we still use this inductive way of acquiring knowledge in the extremely complex world of today.

Black Swan events

Think of every white swan you see that confirms that all swans are white, until a black swan shows up which completely destroys your mental model / hypothesis. A hypothesis about the color of an animal being disproven might be harmless, in contrast think of the turkey that is being fed by its owner during his entire life, thus receiving daily confirmation that it is being loved and experiencing the greatest life. Even when the turkeys would come together and perform a risk assessment based on historical data, they will conclude no risks are present, all data confirms the luxurious lifestyle. Until the day of Thanksgiving.

All these events can be considered unknown-unknowns or “black swan events” which are not predictable but have huge impact on the status quo. In traditional risk management practices, risk assessments are performed using Likelihood and Impact to decide which potential events have the highest risk profile thus requiring mitigating measures. However, this assessment only includes events that we can think of or we have experienced before (known-unknowns), leaving a blind spot for the completely random, unpredictable events that can have a huge impact. This could potentially expose a vulnerable company to ruin without being aware of it.


Figure 1: A turkey before and after thanks giving. The history of a process over a thousand days tells you nothing about what is to happen next. This naïve projection of the future from the past can be applied to anything.[1]

In addition to assessing potential risk events, which is inherently incomplete due to neglecting unpredictable black swan events, it is important to focus on your system’s own fragility as a company to limit the blind spots. In other words, detect the areas in your organisation that are fragile or vulnerable (which you can control), instead of trying to predict future events (which you cannot control). Instead of ranking events on impact and likelihood, assess your processes, people and systems on their fragility and prioritise on making the most fragile areas more resilient

The Fragility Spectrum

We can all think of things that are fragile, like a porcelain cup that will break easily when presented to a shock event like falling off of a table. Or things that are robust, which does not break (e.g. concrete, plastic, etc.) when exposed to volatility or disorder. When you ask anyone the opposite of fragile, they will likely answer robust or resilient. However while the fragile breaks down in case of chaos or shock, the robust simply is not affected. So how about the things that gain from disorder or volatility? For this, Nassim Taleb developed the concept of Anti-Fragility in his book Antifragile.

Taleb argues that it is actually a spectrum; Fragile — Robust — Antifragile, and complex systems should be assessed on this spectrum. To re-emphasize the difference between a robust and an antifragile system, it is important to understand that when you are robust or resilient, you are simply unaffected by the volatility, while when antifragile you actually gain from the volatility and become stronger as a result.

A commonly used framework in risk management for assessing a company’s maturity is the Capability Maturity Model, which measures maturity from Initial to Optimized, where Optimized describes continuous monitoring and feedback to the business to ensure similar events won’t impact the organisation going forward. However, the model stops here. It describes robustness or resilience as being the end-state. How about taking it a step further and become an Antifragile organisation? Becoming risk and shock embracing, increasing growth and profit as a result of volatility or shocks.

Mitigating and embracing risk simultaneously may sound counterintuitive, but if applied correctly is actually the holy grail for risk managers. One of the strategies applied by investment managers is the “Barbell strategy” which is the risk management version of the 80/20 pareto principle and can be applied to many things in life like your career, your investment strategy or organisational strategy. It basically describes to be extremely safe or risk averse in 80% of your business (or portfolio or career) and be extremely risk seeking in the other 20% to minimise your downside, and maximise the upside.

Let’s take a manufacturing business as example. Applying the Barbell strategy here could mean being highly risk averse and rather conservative in your core products, while allocating 20% of your resources to more experimental business opportunities. Or consider your investment portfolio, where you put 80% in extremely safe US treasury bonds, and the other 20% in speculative investments.

The applied Science Company 3M applies this perfectly by allowing its employees to spend 20% of their time on projects of their choice, which generated their best returns through products like the Post-It Notes and Scotch Tape.

“Fail small and often” — Diversification & Optionality

Another important concept in becoming antifragile is localism, which describes aiming for local production, consumption of goods and decision making, and promotes local culture and identity. The centralised globalised economy has brought us huge efficiencies, but removed the redundancies, increasing the number of interdependencies and single-pointsof-failure, making the systems very fragile. One small disruption in the chain and the entire system collapses and you “fail big”.

Decentralizing your organisation in self-sufficient hubs can therefore actually have huge advantages from a risk perspective. If a decentral hub fails, you “fail small”, the system itself is not affected.


Figure 2: More pain than gain from a random event occurring. The implication is that you are harmed way less from an error (or volatility) than you benefit from it, hence you welcome volatility.

It presents the system the opportunity to tweak and learn to become stronger than before the triggering event. You can benefit from unexpected changes in the environment, without the need to predict the future, by positioning yourself in such a way that you have options to execute.

The most important weapon to become Antifragile, is having Optionality. The term originates from investing & trading, where a call or put option gives you the option (not the obligation) to execute. The downside or pain is relatively low (price of the option), while the upside is endless if you are exposed to the realised option. The beauty of having optionality is that you don’t have to be intelligent and accurate in your predictions about the future. You simply have to recognise events when they occur so you can react using your options.

Optionality can also be applied to a wide variety of areas in an organization. The most prominent example is storing backups of your IT systems both on and off-site to be ready if disaster hits you. On a more strategic level as a manufacturer in a low labor cost region, you can think of acquiring an additional piece of land with permits in another jurisdiction to mitigate political risk, or increase your cash position with which you can act if opportunities (or disaster) presents itself. This comes back to one of the core concepts in these articles; redundancy. Making daily off-site rotated backups or sitting on a pile of cash might feel redundant, but it creates optionality to survive in case of disaster.

Positioning yourself through optionality contradicts the very common thinking in opportunity costs. This mindset considers any missed opportunity as a loss and elevates your risk appetite and with that your risk of ruin. In contrast, applying Optionality balances your risk appetite and makes you Antifragile, as you increase your upside potential while lowering your downside risk.

So how to incorporate fragility with using the capability maturity model? Currently, the most mature state is described as extremely resilient and robust, by centralising standardised processes and continuous monitoring. According to the Fragile — Robust — Antifragile spectrum that only brings you half way. Therefore, to become Antifragile, you want to create optionality to make your organisation versatile in case of industry shocks, and diversify by de-centralising a selection of the standard centralised processes to achieve a level of localism. Your business will learn and improve continuously and becomes stronger as a result of the shocks it endures. You reduce the downside, while increasing the upside.

This is the end-game. You will welcome unpredictable events and embrace volatility as you have the tools to benefit from any of the possible outcomes (and your competitors won’t).


[1] Nassim Nicholas Taleb’s Book: The Black Swan

Even when the turkeys would come together and perform a risk assessment based on historical data, they will conclude no risks are present, all data confirms the luxurious lifestyle. Until the day of Thanksgiving.


Brent Bodenhorst
Brent is Senior Manager at the Business Performance Improvement Consulting Practice of Protiviti in the Netherlands, which provides various advisory and implementation services. His main expertise is designing and implementing Internal Control Frameworks, often through ...