In his seminal 1921 work, Risk, Uncertainty and Profit, University of Chicago economist Frank Knight distinguished measurable risk, when the probability of an outcome can be quantified, from immeasurable uncertainty, when the degree of unpredictability makes probability incalculable—what former Secretary of Defense Donald Rumsfeld would call an “unknown unknown.” Measurable risk, by and large, can be planned for if not entirely prevented. It’s simple cause-and-effect. But true uncertainty? You don’t know what you don’t know.
Though a century has passed, the Knightian concept of uncertainty remains an ongoing business challenge. Most approaches to risk management attempt to reduce uncertainty—anticipating the unknown and managing surprise through scenario planning, often focusing on hypothetical extremes. What can’t be defined or managed is shifted to a third-party insurer.
But this reductive approach has limitations. It assumes that the variables at play are fixed and that the scope of what’s unknown is finite. No matter how sophisticated our statistical modeling techniques become, the universe of uncertainty continues to expand, at a pace at which no amount of information gathering can keep up.
Underlying that uncertainty are converging and multiplying forces of change, spanning every domain from technology to geopolitics to the environment. The rate of change for each driving force is growing exponentially, as is the degree of interconnectivity and the strength of those connections, giving rise to new interdependencies and emergent trends. Digitization has erased the last physical barriers among people, places and things—setting the world on a course for increasing and irrevocable connectivity. We now live in a networked, global society, where communication happens in real time and information spreads across geographical borders faster than it can be fact-checked.
Connectivity is both a contributor to and consequence of accelerating complexity. It’s a self-fulfilling prophecy: The number of interactions between events and entities has created new feedback loops, amplified the complexity of existing feedback loops, and forged new links between previously independent risk domains, thereby increasing network density and opacity. Linear causal chains become dynamic causal loops with constantly changing system parameters, making it nearly impossible to untangle a discrete cause from effect or predict cascading effects with any degree of accuracy. At the same time, greater interconnectivity is increasing the speed at which these interactions occur: More is happening at an accelerated pace.
The result is that businesses must contend with a highly unpredictable and perpetually unstable operational environment. Trends can be observed and measured, but their interplay in specific situations and eventual trajectory are vague at best. We now live in a continuous state of persistent threat. And there is less time than ever before to react and respond.
THINK DIFFERENTLY WHEN IT COUNTS
“No problem can withstand the assault of sustained thinking.” – Voltaire
Crisis management demands timely, effective decisions based on judgment of available information—in other words, critical thinking. It’s not a process or technology or framework; it’s a cognitive capability that comes down to people. Amid accelerating change and complexity, organizations need leaders who apply problem-solving skills to any situation, under significant pressure and time constraints. Building up the critical thinking capability requires investing in education, and developing deeper and more varied expertise across the organization. Employees need to be taught methods for making sense of disruptive change, interpreting information and gaining additional insight when information is incomplete. They need to be trained to recognize their own unconscious biases and develop strategies to negate them.
Critical thinking is only one piece of the people puzzle. The right decision can be reached, but it means nothing if it isn’t implemented. Effectively responding to risk is also an exercise in change management. Like business continuity, change management is often treated as a check-the-box list of processes and rote communications. But engendering long-term behavioral change requires more direct—and convincing—engagement. To combat resistance to change, you need to understand the underlying psychology behind it. While you can’t force behavior change, you can influence it by changing the perception around the desired behavior. Think of it as behavior change marketing.
Research shows that new behaviors are easily derailed in stressful and busy situations—and a crisis would certainly qualify. Organizations need to take a page from behavioral scientists by designing behavioral interventions. That might mean changing the conditions of the operational environment rather than people directly, or it could mean introducing a system of positive reinforcement.
RUN YOUR PROGRAM LIKE A BUSINESS
“Nothing happens until someone sells something.” – Thomas Watson, IBM Founder
Imagine the risk management program as an early-stage startup. What does every startup need to get off the ground? Funding. How do you get funding? By winning clients. To win clients, you need a pitch and a good story. You need a differentiated product to sell, one that addresses the needs of the current market. In other words, flip your mental model to that of an entrepreneur: treat your share of the corporate budget like its own book of business, and your internal stakeholders like clients.
When you shift your mindset to running risk management as a business, new questions arise: What’s your five-year plan? What stage is the program currently in and how long will it take to mature? What data are you collecting and why? What products are in the development pipeline?
These are the questions you need to answer to effectively make the business case to transform your risk management program from a purely administrative function to a strategic driver of value. Transformation does not necessarily mean increased resilience investment, but a shift in how capital is allocated and investments are prioritized.
Welcome to the New Era
In short, the way most businesses manage risk doesn’t work anymore. Not only do we need to evolve our business continuity programs, we need to rewire the way we think about risk altogether. Conventional approaches continue to perpetuate a “wait-for-impact” culture, forcing businesses into a defensive posture rather than an opportunistic one, inhibiting their response and reaction time. Instead, the risk management function must contribute to a culture of resilience and agility. It’s a new era of complex local, regional and global change, fraught with uncertainty and risk—but also new possibilities. Disruption can be turned from threat to opportunity—if organizations are agile enough to seize it.
BatesCarter offers business advidory services for organizations of all sizes. Contact us for questions about your risk management program.