By Scott Fenstermaker

“Hydra, springing from whose single body were fashioned a hundred necks, each bearing the head of a serpent. And when one head was cut off, the place where it was severed put forth two others; for this reason it was considered to be invincible, and with good reason, since the part of it which was subdued sent forth a two-fold assistance in its place.”

-Diodorus Siculus, Library of History 4. 11. 5 (trans. Oldfather) (Greek historian C1st B.C.)

If you eventually find yourself in Florence, Italy, at the storied Galleria degli Uffizi, look for a little-known masterpiece: Hercules slaying Antaeus, by Pollaiuolo, which depicts the 11th of Hercules’s 12 labors: killing with his bare hands Antaeus the Giant, son of Poseidon and the earth-goddess Gaia.

What made Antaeus nearly impossible to kill was that he could draw strength from the earth, making him stronger every time he was knocked down. Any damage opponents inflicted on him, therefore, made Antaeus even harder to defeat.

Hercules had to hold Antaeus completely off the ground to finally strangle him.

Fast forward five hundred fifty years and Nassim Taleb coins the term “antifragile” to describe those systems that didn’t just resist volatility but were positively improved by it. In his book Antifragile: Things That Gain from Disorder, he wrote:

Some things benefit from shocks; they thrive and grow when exposed to volatility, randomness, disorder, and stressors and love adventure, risk, and uncertainty. Yet, in spite of the ubiquity of the phenomenon, there is no word for the exact opposite of fragile. Let us call it antifragile. Antifragility is beyond resilience or robustness. The resilient resists shocks and stays the same; the antifragile gets better. This property is behind everything that has changed with time: evolution, culture, ideas, revolutions, political systems, technological innovation, cultural and economic success, corporate survival, good recipes (say, chicken soup or steak tartare with a drop of cognac), the rise of cities, cultures, legal systems, equatorial forests, bacterial resistance … even our own existence as a species on this planet.

Like Taleb’s examples, successful, enduring businesses capture value from exposure to the stressors of the marketplace. The best businesses, like organisms, get stronger as they overcome hardships and engage in competition.

Few businesses, however, are antifragile.

Businesses fall into bankruptcy all the time, even time-tested icons like JC Penney and Sears. In fact, the entire retail industry, with its traditionally thin margins, turned out to be extremely fragile to a socially disruptive stressor like the COVID-19 pandemic. The industry’s fragility wound up concentrating power into the hands of a few behemoths, like Amazon and Walmart, that have the operations and positioning to demonstrate antifragility.

What implications does this concept of antifragility have for other organizations, emerging from a global pandemic and on a continuing quest of resilience? Is there a way to build risk and compliance programs that not only allow organizations to weather extreme events, but directly and systematically strengthen from them?

Taleb’s analysis proposes several dynamics that can increase antifragility in complex systems. Here are three such dynamics — and how Bowman’s ERM program demonstrates these principles.

1. Trial & Error vs. Top-Down Planning

Antifragile systems take advantage of systematic trial and error. In nature, natural selection weeds out those unable to adapt, conferring strength by allowing successful survivors to reproduce.

In business, good risk and compliance departments have leadership with vision, of course. Great risk and compliance departments also resist falling into the trap of dictating from the top rather than adapting from the bottom. They can see adverse events as something not only to be weathered, but as something from which they can learn.

One of the most important functions of an ERM system, Bowman notes, is to memorialize the dynamics of risk events after they’re over, capturing business impacts, control responses, procedural adaptations, and any other relevant data that might make future responses more effective. Channeling experiential feedback into the program is a way to fix insufficient controls and mitigations, thereby tuning the system for the next time.

Antifragile organizations put mechanisms in place to mimic the trial and error of natural selection. They consistently capture learnings from adverse events, aggregate them, analyze them for significance, and allow significant findings to inform their roadmaps and strategies.

2. Adaptability vs. Reliance on Successful Prediction

Bowman speaks in depth about the enormous amount of pre-planning and analysis of the risk landscape to inform his ERM program.

However, no matter how much foresight you put into your risk registry, there will always be risk events that manifest differently from how you anticipated. Your preparation can give guidance as to business impacts, velocity, etc., but you must also adapt to those aspects of the event that manifest differently than how you planned.

The COVID-19 pandemic is a good example. Bowman notes, “We recognized very quickly that this risk event may actually exceed reasonable planning, or reasonable mitigation efforts, and that the response may be more broad or have greater depth than originally anticipated.”

Many companies have pandemics registered within their ERM systems, but few – if any – imagined the scale of disruption caused by COVID-19. An agile risk manager recognizes that COVID-19 resembles different aspects of several risks. The pandemic, for example, may partially resemble a natural-disaster risk in its capacity to shut down physical offices and force work-from-home. It may also resemble risks related to economic downturns, in its effect on third-party vendors.

We can better understand a novel or surprising risk event by analyzing other risks that have similar qualities, pulling a little from this and a little from that to complete the picture.

3. Risk Events Leading to Fewer Future Events (Negative Correlation of Errors)

Here’s a common risk management math problem. Say you have three potential risk events: 1) a successful cyber penetration with a 2% likelihood of occurring within the year; 2) an economic downturn with a 5% likelihood; and 3) a large employee lawsuit with a 3% likelihood. What is the chance that all three events would happen at the same time?

If you assume that all three of these events are unrelated, you would multiply 2% by 5% by 3%, arriving at a 0.003% chance that all three events might happen at once.

In the real world, however, events are seldom truly unrelated. They can be correlated in surprising ways.

Let’s say that in the next year you experience one of the events above, an economic downturn. You may feel very safe from the other two risks because you did the math, and the simultaneous odds are quite small. However, the economic downturn forces you to lay off staff in several departments, including your IT department. The resulting understaffed, overstressed IT department starts delaying certain crucial security patches, resulting in a cyber penetration. Meanwhile, the IT employee you laid off only because of that downturn feels they were targeted unfairly and sues for wrongful termination.

One risk event made the other two more likely to happen. That’s more how life works.
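To put numbers on the scenario above, here is an added example (not part of the original article) that keeps the article’s three annual likelihoods but lets a downturn raise the odds of the other two events. The conditional probabilities P(cyber | downturn) and P(lawsuit | downturn) are constructed assumptions; the per-event likelihoods are rebalanced so each still equals the article’s figure, and only the dependence between them changes.

```python
import random

# Annual likelihoods given in the article
P_CYBER = 0.02      # successful cyber penetration
P_DOWNTURN = 0.05   # economic downturn
P_LAWSUIT = 0.03    # large employee lawsuit

# Constructed assumptions (not from the article): how much a downturn, via
# layoffs and delayed patching, raises the other two likelihoods that year.
P_CYBER_GIVEN_DOWNTURN = 0.20
P_LAWSUIT_GIVEN_DOWNTURN = 0.25


def joint_if_independent(*probs):
    """Product rule: correct only if the events are truly unrelated."""
    result = 1.0
    for p in probs:
        result *= p
    return result


def joint_with_dependence(p_downturn, p_cyber_given, p_lawsuit_given):
    """Chain rule P(D) * P(C|D) * P(L|D); assumes cyber and lawsuit are
    conditionally independent once the downturn has happened."""
    return p_downturn * p_cyber_given * p_lawsuit_given


def prob_given_no_downturn(p_marginal, p_given_downturn, p_downturn):
    """Solve P(X) = P(D)P(X|D) + (1-P(D))P(X|not D) for P(X|not D), so the
    overall yearly likelihood of X stays at the article's figure."""
    p_no = (p_marginal - p_downturn * p_given_downturn) / (1.0 - p_downturn)
    if p_no < 0:
        raise ValueError("P(X|D) too large for the stated marginal P(X)")
    return p_no


def estimate_all_three(trials=200_000, seed=1):
    """Monte Carlo: fraction of simulated years in which all three occur."""
    rng = random.Random(seed)
    p_cyber_no = prob_given_no_downturn(P_CYBER, P_CYBER_GIVEN_DOWNTURN, P_DOWNTURN)
    p_law_no = prob_given_no_downturn(P_LAWSUIT, P_LAWSUIT_GIVEN_DOWNTURN, P_DOWNTURN)
    hits = 0
    for _ in range(trials):
        downturn = rng.random() < P_DOWNTURN
        cyber = rng.random() < (P_CYBER_GIVEN_DOWNTURN if downturn else p_cyber_no)
        lawsuit = rng.random() < (P_LAWSUIT_GIVEN_DOWNTURN if downturn else p_law_no)
        hits += downturn and cyber and lawsuit
    return hits / trials


if __name__ == "__main__":
    indep = joint_if_independent(P_CYBER, P_DOWNTURN, P_LAWSUIT)
    dep = joint_with_dependence(P_DOWNTURN, P_CYBER_GIVEN_DOWNTURN, P_LAWSUIT_GIVEN_DOWNTURN)
    print(f"independent: {indep:.5%}")                      # 0.00300%
    print(f"correlated:  {dep:.5%} ({dep / indep:.0f}x higher)")  # 0.25000% (83x higher)
    print(f"simulated:   {estimate_all_three():.3%}")
```

The same three yearly likelihoods give a joint probability roughly eighty times larger once one event is allowed to drive the others, which is the gap a risk register built on the independence assumption will not show you.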

The opposite can also be true. Under certain conditions the presence of certain risk events can make other events less likely to happen. Taleb uses airplane malfunctions as an example. If an airplane has an emergency, the results are so high-profile and the investigation protocols so strict that flights are immediately grounded, and fixes are quickly propagated, which makes the whole system safer.

The value of Enterprise Risk Management is understanding business impacts of risks so thoroughly, that you can make your controls and mitigations maximally effective. Bowman talks about going beyond the simple assessment scores of a certain risk and developing an entire profile of associations, including policies, procedures, business objectives, indicators, controls, and affected third parties:

What if you could pair a risk assessment with a profile? … As we quickly convene the cross-functional incident response team, let’s equip each of them, individually and collectively, with a common body of knowledge relative to this risk. What if we could do that as a report output? What if that initial convening of the team, that initial briefing, the triage—and we’ll use an ‘as’ or ‘like’ here as well—what if all of that revolved around a known, detailed, mature profile that complemented the assessment?

Bowman uses the Riskonnect Risk Correlation Engine as the core of this 360-degree profile for understanding risks. With his detailed knowledge of a risk’s impact throughout his business, he can focus on implementing controls and responses that decouple a risk event from potential cascading events that it might set off. Information about the primary risk event is directly used to decrease the likelihood of connected events.

Beyond Resiliency: Incremental Strength from Stress

Discussing a post-COVID world, risk and compliance professionals are starting to talk more about operational resiliency. Resiliency is crucial – but the conversation must go beyond how fast and effectively an organization can return to status quo ante. The discussion must extend to how the organization can be built – like Antaeus – to acquire strength beyond its initial state whenever it is knocked down.

The core of any antifragile enterprise risk program is a procedural discipline and a commitment to agility, analysis, and learning. ERM programs don’t exist to be a static catalog of Things That Could Happen; they exist to make organizations ever better at surviving and flourishing.

