Rising up against the Gods by Warren Black

I recently re-read Peter L. Bernstein’s 1996 book, “Against the Gods, the remarkable story of risk” and although I had previously read it about a decade ago, it was still just as pleasing to follow the journey of how risk management came to be a formal management discipline. The reason I chose to re-read this book after all these years is because Bernstein offers a view into the historical evolution of risk management over the centuries and I am particularly interested in understanding the forces which drove this historical evolution in light of the more current forces we are experiencing.

I am of the view that many of our traditionally accepted risk management practices have reached their natural limit and are no longer adding demonstrable value to a working world that is significantly more complex, dynamic and unpredictable than any other era before. I believe that advanced degrees of complexity impair many of the traditional risk methods and because of this, new risk solutions need to be sought out if we are to survive a working world that is more informed, agile and disruptive than at any other time in human history.

I believe the complexity sciences (chaos theory, complex systems theory etc.) potentially offer us a platform upon which to progress the art of risk management into the next generation and with this in mind; I re-engaged Bernstein’s book…

Bernstein’s view of Risk Management

Throughout history, mankind had always viewed it’s fate as being in the hands of the Gods, especially when exposed to highly uncertain activities (battle, weather, travel, disease, gambling etc.) Risk management was thus borne from mankind’s need to improve the probability of a securing a favorable outcome in an uncertain situation. Attempting to bring certainty to uncertain situations was seen in older times as going “Against the Gods”, thus the title of Bernstein’s book.

Bernstein makes it clear throughout the book that risk management is about addressing uncertainty, where uncertainty is a lack of contextual knowledge. Therefore, by improving one’s contextual knowledge (data) in a rational, ordered and systematic approach one is is better positioned to control uncertainty and of course exposure to risk.

As much as I enjoyed Bernstein’s book he does appear to repeat the same argument over and over; good data management equals good risk management. More over, Bernstein advocates that effective risk management is a structured, rational and ordered game enabled by quality data collection and analysis techniques such as statistical analysis, financial modelling, predictive analytics, actuarial science and the like. Bernstein concludes that it is mankind’s historical need to beat the Gods which has evolved into the fundamental backbone of all modern day risk management thinking and now (in the modern era), the future is supposedly more certain due to our mastery of data and probabilistic risk analysis.

Is it?

The fly in the ointment

Bernstein has an economics background so it is not surprising that much of his book focuses on quantitative risk methods. What is surprising however is his expressed view that because of advancements in probabilistic risk modelling (ie predictive analytics) the world is now more certain. Bernstein even ends his book by quoting the father of modern day economics John Maynard Keynes, “probability is to us the guide of life.”

I find this quote to be passively ironic as Keynes also argued that “the very presence of uncertainty ensures that not all can be predicted” and herein lies the fly in the ointment of Bernstein’s message. Yes some risks are predictable, yes some risks are quantifiable – but not all risks, and the more complex and uncertain the surrounding environment becomes, the less predictable and quantifiable risks become.

What was Bernstein thinking?

Bernstein book is now 21 years old and at the time of writing (mid 90’s) computer modelling was experiencing significant momentum due to noticeable improvements in technology and the related infrastructure. At the time, the quantitative world was highly optimistic that predicative analytics was the future of uncertainty management (aka risk management). Many risk based organisations (banks, insurance firms, stock exchanges etc.) started to invest heavily in better data management and modelling.

Bernstein’s faith in quantitative analyses and predictive analytics is reflected throughout the pages of his book and he tends to over sell the premise at times. His faith however appears to be at some level misplaced, because despite the major advancements in data collection and modelling methods over the past 21 years, the world appears no more certain nor predictable for it. Consider how economists still can’t predict a global recession; traders still can’t predict a major stock crash; political analysts still can’t predict the populace vote; meteorologists still can’t predict the next earthquake, large organisations still become insolvent due to unforeseeable market shifts and mega-projects still fail to meet their estimated baselines 70% of the time.

Moving beyond Bernstein

Bernstein’s view that effective risk management is all about establishing a quantifiable structure, rationale and order to securing predictive control represents a pre-Global Financial Crises, Facebook, Google, BREXIT and Trump-for-President mindset.

Over the past 21 years our working world has evolved significantly, we are no longer living in the “Industrial Age” where repeatable, systematic, high volume processes and rational-ordered thinking ruled. We are now living in the “Information Age” whereby real time information sharing, agility and responsiveness is the order of the day.

The rapid rise of personal technology, social networking and real time information sharing has ensured that for the first time in human history we now live in a fully integrated, immediately informed and highly responsive global community. The impact of such sudden global-connectivity is undeniable; humankind is now more connected, agile and potentiality disruptive than at any other time in our history. In fact our global existence has become so integrated and agile that our society has come to reflect the same dynamic, self-correcting and highly erratic behaviors seen in those complex systems which exist in nature, biology and astrology.

In essence we now all exist within a colossal, complex adaptive system comprising of 7 billion touch points, generating an infinite number of internal signals, inter-dependent relationships and compounding interactions. For this reason we need to start paying closer attention to the teachings of Complex Systems Theory if we are to prosper.

Risk management can be no exception.

Despite the major advancements in data collection and modelling methods over the past 21 years, the world appears no more certain nor predictable for it.

The significance of Complex Systems Theory in controlling Complex Risk Situations

The study of complex systems emerged centuries ago as a theoretical pursuit amongst those scholars and philosophers who were curious to answer such simple questions as; when will it rain? why do snowflakes not replicate? why does the moon not crash into the earth? why are lions top of the food chain? and so on.

What these early scientists ultimately discovered was that in order to answer such simple questions they needed to study the causal agents, behaviors and relationships in play within a much broader complex system. The detailed study of these complex systems became known as complexity science and by the 21st century it had established itself as a deeply mathematical discipline endeavoring to understand those natural systems which exist in a highly energised and erratic state of ongoing change. Such complex systems may include; the weather, our solar system, the human immune system, a flu virus, a biological food chain, an economy, the internet, social behavior and so on.

What makes complex systems so intriguing to scientists is their extreme non-linearity and unpredictability. The notion of a body that can move from order to disorder to chaos and then back again, with no apparent pattern, logic or rationale is fascinating to a community which prides itself in defining the patterns, logic and rationale in almost everything. Complexity science thus aims to identify the order in a wildly disordered system. Specifically, complexity science attempts to understand and respond to the phenomena (signals) that can emerge from within a system by closely observing the behaviors and interactions of the system’s internal, contributing agents.

At heart, risk management and complexity science appear to have the same goal; to bring certainty to uncertainty, order to disorder and confidence to ambiguity. The fundamental difference however seems to be their approach to this achieving this goal. Traditional risk methods attempt to identify, measure and document risks in a systematic manner (predictive) whereas complexity science attempts to observe, understand and respond to the system’s emerging signals, in an agile manner (adaptive).

Since Bernstein’s book was published, complex systems theory has gained significantly more mainstream recognition, primarily due to its potential to help humankind address some of its’ most complex challenges. Many of our planet’s current macro-global threats (war, poverty, disease, famine) are behavioral outcomes of such complex macro-systems as politics, economics, trade, social trends and the like. For this reason complexity science is no longer considered to be a purely theoretical pursuit but rather a new generation management science for solving complex problems.

Well the theory sounds just great, but how do we actually apply it?

Complex systems retain very specific behaviors, they are highly integrated, dynamicand unpredictable. Thus any attempt to secure control within such systems will need to be holistic enough to deal with the high volume of interacting relationships in play; fluid enough to deal with the ongoing changes; resilient enough to deal with the inherent unpredictability and responsive enough to prevent the entire system from descending into chaos.

With this in mind, a complex systems approach to risk management might look as such;

Goal #1 – Establish Real Time Intelligence

Effective risk management within a complex system is heavily dependent on securing real time intelligence.

Complex systems are highly dynamic entities which are continually reacting and adapting to the signals they send and receive between their surrounding environment and all their internal relationships. The shear number of transitions in play at any time makes it impossible to predict the outcomes, thus real time monitoring of signals becomes critical.

The primary goal is to establish a universal intelligence network whereby all emerging data signals (trends, indicators, information) are visible, shared and assimilated to enable real time analyses and decision making. Complex systems are far too dynamic for traditionally static risk methods to succeed. Monthly to quarterly risk reviews which identify, measure and document risks so that suitable controls and audit plans can be engaged, require far too much lag time to be effective with a complex system.

Goal #2 – Establish Real Time Response

The ability to respond immediately (adapt) to emerging risk signals is critical!

Complex systems are known to sit “on the edge of chaos” whereby they can move from order to chaos and back again with no apparent logic. Consider how quickly an angry crowd (complex system) can descend into a riot (chaotic system) from the smallest of environmental changes (butterfly effect). Equally consider how a school of fish reacts to the arrival of a shark or how a stock exchange trading floor reacts to a major market announcement.

At their core, complex systems are highly volatile entities and their proximity to chaos requires constant monitoring, adjustment and response. With this in mind, the speed at which risk officers respond and adapt to emerging signals is critical in a complex system. This means that risk committee’s which meet quarterly to discuss new controls for emerging enterprise risks are almost certainly ineffective to a complex-global organisation and the same for project risk committees which meet every other month to discuss how to address emerging project threats.

Goal #3 – Mature the Control Environment

The maturity of the “whole” risk control framework, determines the effectiveness!

Macro level, material risks are highly integrated entities which are influenced by and dependent on, a broad range of influencing circumstances and relationships. More to the point, material risks are themselves a complex system of contributing causes, emerging behaviors, maturing controls and other comparable risks. All of which need to be addressed as a “whole” rather than individual entities, as the “whole” is so much more momentous and compounding than the individual sum of its parts. (aka Butterfly effect)

One of the more notable limitations of traditional risk management is the assumption that material risks exist as singularly autonomous and independent entities (eg a line item on a risk register), which in turn can then be mitigated by equally autonomous and independent controls (eg an audit check list). However as demonstrated by the World Economic Forum’s 2017 Global Risk Maps (above), material risks exist in a co-dependent network of integrated risks and controls which are highly energised and co-dependent (aka basic complex systems theory).

With this risk & control network relationship in mind, consider the futility of attempting to mitigate a complex organisation’s risk exposures by improving its’ quantitative risk analysis methods (systems), but without also maturing the organisations’ decision making (governance), nor its’ tolerance for risk taking (appetite), nor its’ accountability for risk acceptance (culture).

Merely maturing one control by itself has limited effectiveness within a complex risk system, it is only when all the risk controls are matured into an integrated “whole” framework that truly complex risk situations can then be addressed. Equally, the loss or impairment of any single control will exponentially weaken the integrated framework’s “whole” effect, thus reiterating the importance of continual situational monitoring & response.

Once you look at risk with a complex systems mind set, you will never look at risk any other way, ever again!

So what?

Our working world is now saturated with complex adaptive systems. Global economics and international politics are each a complex adaptive system in their own right; global organisations, supply chains and mega-projects are also complex adaptive systems and most of the global socio-political risks we are currently experiencing are outcomes of complex system behaviors. Our entire existence has become a colossal complex adaptive system and for this reason we can not continue to endorse nor adopt management practices designed with rational-ordered systems in mind.

Despite Bernstein’s over emphasis of the value of quantitative risk methods, his book does teach us that risk management better practice makes its greatest advancements whenever the practicing risk community acknowledge the inherent limitations of the day and rise up against the Gods of conventional risk thinking to achieve a higher level of effectiveness. Thus in essence, risk management appears to be evolutionary (Darwinist), who knew?

So with this evolutionary nature in mind; if we (the invested risk management community) are to truly learn from the complexity sciences then we need to acknowledge that risk management in the modern era should not be about getting better at predicting, measuring and documenting risks (ala rational-ordered, Bernstein thinking), but rather it should be about getting better at embedding an effective organisational risk intelligence, supported by a fully matured, resilient and integrated control capability (ala complex adaptive systems thinking).

Follow us

This submission is part of a series of thought pieces which have been developed whilst engaged in a Higher Degree in Research into “Controlling risks in complex-uncertain project environments”

Follow my research on LinkedIn whereby I will regularly post conceptual learnings and dilemmas for industry practitioners to review and hopefully comment on. Also please feel free to share this thought piece with like minded professionals who may also be interested in the topic.

This thought piece is Copyrighted (text only) to Warren Black (2017) a Higher Degree in Research Candidate at the Queensland University of Technology

https://au.linkedin.com/pub/warren-black/15/464/625