The Critical Flaw In How We Think About Risk
In risk management, there is an adage that complex systems fail in complex ways.
Yet, many risk management approaches deal with risk as if it were a discrete, time-defined event, rather than a dynamic, highly volatile process. Certain types of risk are acute in nature, but all risk lives along a continuum that is shaped by time and is compounded by action (or inaction). This wisdom is generally understood in financial markets, especially by traders whose “animal spirits” and speculative tendencies aim to exploit the ups and downs, as well as informational asymmetries in markets.
Nassim Taleb in his seminal books Black Swan and Antifragile popularized the notion that fat-tailed (or leptokurtic) shocks are not as rare as once thought, calling for new frameworks for coping with their likelihood and, critically, surviving them altogether.
To begin with, a stylized probability distribution can serve as a useful guide for how to think about risk and how it evolves by severity and likelihood. The left-hand side of the diagram highlights high probability low-impact events that are traditionally mitigated or optimized in a firm’s business model. These are acceptable attritional risks that many firms bear and have figured out over many years of observations how to mitigate and, in some cases, integrate in their pricing strategy like an automotive warranty. This is the Fragile Domain, as organizations that do not adequately absorb or mitigate these risks tend to break easily.
The next category is the Robust Domain. Herein lie unexpected losses or, to borrow from Donald Rumsfeld, the so-called “known unknowns.” The risk priority in this category is to transfer risk and remain vigilant to emerging threats and exposures. By transferring this category of risk, firms gain a fixed price on uncertainty that can help make their operations more resilient. They also gain robustness afforded by the liquidity and response of the private market (or risk pools) and by the process of diversifying away potentially crippling losses.
Using a recent example, the spread of the WannaCry ransomware attack would fall into this category. Firms that did not have a risk transfer or response plan were particularly hard hit, whereas the firms that took precautionary measures were able to restore order. Judging by the upsurge in cyber liability insurance, the market agrees that transferring these risks is generally the right approach, notwithstanding the preponderance of “Frankenstein” insurance policies that provide the placebo of safety, but little meaningful coverage. This domain often produces and amplifies systemic risk when risks are “transferred” but not actually removed from the system much as we saw during the 2008 financial crisis, where the fuse was lit by Lehman’s collapse and the tinderbox of shoddy risk-shifting and synthetic instruments was set ablaze.
A brief etymology is needed to accurately explain the powerful concept of antifragility and the last domain in this model. Nassim Taleb coined the term antifragile as he found there was no useful antonym to fragile in the English language (e.g. something that would benefit from shocks).
If fragile means easily broken and robust implies something that will remain in the same state, then antifragile implies something that by default becomes stronger with shocks. An apt classical example would imply that the Sword of Damocles is fragile, for it is held by a string. Phoenix is robust as she rises from the ashes in the same state and Hydra is antifragile for the more you attack and cut off a head, the stronger Hydra becomes. Uber would be an example of a firm that benefits from certain antifragility in its business model. The more governments and angered taxi drivers protest Uber’s arrival, the stronger demand becomes among prospective passengers. It is also difficult to “kill” a firm whose drivers and customers alike are part of a distributed on-demand business model, notwithstanding the cracks that are beginning to emerging among asset-light platforms like Uber and Airbnb.
The airline industry, despite its razor thin profit margins and the fact that many airlines are pension liabilities that fly planes, is also considered antifragile as each calamity does not cripple the entire system, but rather strengthens overall air safety. The concept of near miss management that has been codified in aviation has broad applications outside of this industry.
Even cyber risk management, for example, can benefit from this approach, if firms would only destigmatize the advent of a security breach and develop a central clearinghouse to report and record losses and near misses. The risk priority in the Antifragile Domain is survival and the general theme is that large losses, or black swans, are not nearly as rare as once thought and firms would be wise to prepare for their arrival, often in flocks.
Zooming out to the macro level, too many of the complex risks facing the world, individual nations and large interconnected enterprises fall into this last domain and are producing catastrophic losses that defy traditional risk management siloes.
For example, by the time Hurricane Harvey dumped more rain than any U.S. weather event before it on the city of Houston, FEMA had about a billion dollars in its budget. There is no resilience without a financial backstop. For this, funding catastrophic risks ad hoc, which is the prevalent model, is not only costlier overall, it often leaves the weakest links to absorb not only the first order losses, but the second and third as well. Against this confluence of unfunded complex risks, the tax-payer is at once the most vulnerable, the first to bear the brunt and the last in line.
Applying this taxonomy to a spectrum of cyber risks would show very predictable issues like poor cyber hygiene and the threats that arise between the keyboard and the chair in the Fragile Domain. One of the fastest ways to gauge employee behavior is to drop a thumb drive with the word “payroll” on it and count the minutes before it is plugged into a computer in contravention to cybersecurity norms.
In the Robust Domain, you would find certain events that are externalities and much more deleterious in nature. Ransomware would fall into this category, particularly the monetary variety that is increasingly seeking a quick trade of decryption for payment, with bitcoin being the numismatic choice at least 98% of the time. This is a scourge that has gone down market making easy prey of small to mid-sized enterprises, whose cyber hygiene and response capabilities are weak to say the least.
The final area is where the black swans roost and would include the growing specter of cold cyber warfare turning hot, systemic contagion or widespread cyberterrorism, where no monetary demand will quell a group bent on making a political point or sowing maximum chaos. Against a spectrum of complex risks that evolve according to Moore’s law, we need new frameworks for understanding them and more preparation from the war room, the boardroom and the shop floor. We would be wise to remember that risk is a process not an event.
This article originally appeared in Forbes.