
Rethink risk through the lens of antifragility

Antifragility is an exciting alternative that fuses value and risk, and CIOs and IT executives are well positioned to help

We live in risky times – or, more specifically, times of increasing volatility and uncertainty. In the last decade, we have seen the credit crunch, the Deepwater Horizon oil spill and the Arab Spring. In 2016, we experienced the vote for Brexit, the election of President Trump and the start of a populist movement that could bring trade wars, geopolitical conflicts and civil disorder. 

We are seeing more ingenious and prevalent cyber attacks on corporate, national and international infrastructures, and recently the misbehaviour of one piece of equipment effectively shut down a global airline.

The impact of these risks is amplified because we live in a networked world where everything – from nuclear power plants, factories, vehicles, fridges and hospital equipment to wearable and invasive devices – is increasingly connected, inspectable and controllable. Businesses are remarkably adaptive, but we are increasingly designing fragility into our systems and processes, particularly through efficiency and cost-cutting initiatives.

Are we ready for such unpredictable levels of risk? Businesses and government agencies have sleepwalked into the 21st century with organisations that are not fit for purpose. We need to evolve many aspects of our organisations, including how we think about, sense, manage, monitor and, more generally, address risk.

The traditional approach to risk management in business has significant flaws. First, we are, to some extent, managing risks that we have already seen or can imagine. This could be cruelly labelled as “managing risk through the rear-view mirror”, and does not address unexpected risks.

The current approach to risk management fools us into thinking we have risk under control, because we understand and have mitigation plans for expected risks. However, as author Nassim Nicholas Taleb points out, many historical events have been caused by so-called “black swans” – large, unexpected risks. The Fukushima nuclear incident was a negative black swan; Google’s creation of Gmail was, arguably, a positive black swan.

Another issue is that many aspects of risk management continue to require human intervention, which is sometimes impractical in a hyperconnected, high-speed world. This becomes particularly important around adverse events when drilling for oil or operating nuclear or chemical plants.

Intelligent risks

But the most troublesome aspect of risk management is its separation from value creation and growth. We often miss the considerable upside of taking intelligent risks because of crude approaches to risk assessment.

If we are to survive and thrive in today’s 21st century world, we must change our way of thinking and dealing with risk. Antifragility is an exciting alternative that fuses value and risk, and CIOs and IT executives are well positioned to help.

If, instead of the “engineering” view of risk, we think of risk as an inherent, and not always bad, feature of all business, all processes and all value flows, then we approach what we might call a “financial” view of risk. In this view, companies choose activities that have attractive risk/return profiles or “yield curves”, and try to bend those yield curves to be even more attractive.

The goal of antifragility is to bend luck. An antifragile approach tries to bend the downside risk portion of the yield curve upwards, through what we might call “robustification”, and amplify the positive outcomes of the upside of the yield curve. In other words, we try to create an organisation that stands to gain more in the good times than it stands to lose in the bad times. If a company can do that consistently, it will get stronger and more successful over time.

Bending luck

Figure 1: ‘Bending luck’

Why would the world’s leading internet television network, Netflix, with more than 100 million members in over 190 countries, showing more than 125 million hours of TV shows and movies each day, deliberately break parts of its delivery infrastructure, regularly, and do so on a larger scale every year?

Let’s be clear – if that infrastructure fails, its programmes don’t show. Subscribers cancel. Revenue growth slows. Executives lose jobs.

Netflix gets antifragility. It was antifragile before Nassim Taleb coined the term. Every time Netflix shocks its critical infrastructure (intelligently), the firm learns, restructures it and makes it perform better.


Toyota was antifragile before Netflix. Its massive 2009 car recall and the 2010 tsunami shocked its supply chains (and competitors’ supply chains). Yet Toyota’s 2013 profits were more than four times its 2010 earnings, and three times those of 2012. The firm built alternative suppliers and logistics into its supply chains and deployed crisis teams. The car maker examined its options, coped, learned, restructured and improved.

Similarly, the recent IT failure at a well-known airline could have been avoided by adopting antifragile practices, such as creating contingency and redundancy through cloud-based services and multi-cloud deployment, and adding architectural resilience by moving to “design for failure” approaches. 

Such preparation creates options. Antifragility is a new term but an old concept. Whereas the term “options” could be considered old, it has many new applications. There will be a price – call it an option price – paid for avoiding catastrophes and having options in disasters. But it is a small price to pay compared with losses in the hundreds of millions from sustained global systems outages.

Building antifragility

There are three levels of a business where antifragility can be applied: in business models; systems and processes; and components. There are specific tactics IT leaders can use to build antifragility into businesses and there is a strong digital connection to all. 

For IT/digital leaders, antifragility should become an important topic. First, many aspects of antifragility are facilitated by IT-related capabilities, such as a move to the cloud, DevOps and microservices, architecting for more modular business models, and increased trading and collaboration – for example, in ecosystems and platform businesses.

Second, several of the new risks and stressors emanate from the IT/digital world, such as cyber risks and risks related to higher levels of automation.

We recommend that CIOs keep antifragility in mind, and run through the potential stratagems in all strategy and planning activities, continually looking to discuss antifragility at senior leadership level, and build more antifragile businesses. The best bit? You may already have it, but you don’t know it.
