Overextension, Fragility, and the Cumulative Corrosion of Mediocre Risk Decisions

“We reach death [in a] moment, but we have been a long time on the way.”
– Seneca

If Only They’d Had Risk Management in the Middle Ages…
In February of 1399, young King Richard II had consolidated his absolute power as monarch of England. His political enemies arrested or banished, their lands and money expropriated, Richard could start sending his armies throughout the isles at will. He could do whatever he damn well pleased.

Within a year Richard would not only be dead, but would have endured the most debasing, humiliating deposition in the history of the nation. Shakespeare portrays Richard wallowing on all fours in a stupor on the throne room floor, pathetically staring into a mirror and wondering how he could look so utterly unchanged after losing all his majesty.

black chicken king risk management

To the casual observer, Richard lost his kingdom and his life due to an unpredictable, uncontrollable twist of fate: a traitorous army that came out of nowhere and conquered him in a perfect storm of predation and disloyalty.

But if you peel back the causes and effects, we see evidence of something much more banal: a series of small, short-sighted decisions that cumulatively resulted in devastation – in this case, embrittling an entire kingdom.

Strategic Error #1…
First, the usurping enemy, Henry Bolingbroke, started out as one of Richard’s most loyal nobles. He had been banished by Richard years previous in an act of royal caprice.

Strategic Error #2…
Richard later added insult to injury by confiscating Bolingbroke’s family fortune without justification.

Strategic Error #3…
The king had already increased taxes intolerably throughout the kingdom, to pay for an invasion of Ireland.

Strategic Error #4
On top of this, a steady stream of mediocre strategic decisions without thought or assessment (including a few summary arrests) had induced Richard’s nobles to start seeking alternative leadership.

Richard systematically strip-mined his own sovereignty to maintain a patina of glory he couldn’t possibly sustain.

Almost exactly six hundred years later, Enron would undergo the same tragedy for the same reason.

black swan events

Enron and the Accumulation of Slow-Burning Risks

Richard’s reign had been a parade of “slow-burn” exposure: risks too subtle to command individual attention but which, in combination, make his reign fragile and vulnerable.

The Enron saga of 2001 compares chillingly closely to this medieval story, perhaps suggesting that this kind of blindness to subtle risk is part of the human condition.

Enron didn’t start out as a fraudulent company, just as most Ponzi schemes don’t start out as Ponzi schemes. They more often start out as legitimate companies and only become fraudulent when they try to sustain their glorious reputations in the face of waning performance.

Enron was a real energy asset owner that was accruing real wealth: powerplants, pipelines, transmission, and every other energy asset one can imagine. When the industry deregulated in the ‘90s, Enron made further billions as an energy hedge fund, the first of its kind. And like Richard’s court, Enron loved to revel in its opulence with a magnificent corporate headquarters and above-market pensions and benefits.

Like Richard, Enron felt compelled by an insatiable desire for growth and power. Also, like Richard, it extended itself beyond propriety.

Strategic Error #1…
Whereas Richard simply stole the lands of his rivals, Enron invented a sophisticated illusion of wealth by hiding unprofitable ventures and other irregularities in special sub-companies whose financials didn’t roll up to the corporate balance sheet.

Strategic Error #2…
They used an accounting technique called mark-to-market to claim an increased value for assets that it hadn’t sold yet, based on the anticipated sell price.

Strategic Error #3
At the height of their share price, Enron ill-advisedly entered business areas completely unrelated to energy, like its ludicrous video-on-demand partnership with Blockbuster. It then recorded its anticipated future revenues (revenues they imagined would materialize) as present gains.
Shares of Enron that had traded the previous year at $90 were, by November of 2001, valued at 61 cents.

One might be tempted to say that Enron could have kept going if it hadn’t run into bad luck in 2001. Enron executives largely blamed the dot-com burst—but for that “unforeseeable” event, they insisted, the company might have kept operating. But Enron didn’t fail because it was unable to predict a single major event; it failed because of an entire decade of smaller decisions to hide unprofitable transactions and other mistakes–over and over and over again.

Black swan black chicken risk management
It’s Not the “Black Swan” That’s Gonna Get Ya

Corporate interest in managing noninsurable risks developed in large part due to catastrophic corporate failures that no insurance policy would have helped. However, the dazzling, cataclysmic nature of high-profile corporate downfalls too often makes us focus solely on train-wreck scenarios—the unpredictable, worst-case risk events that we’ve come to know as “Black Swans.”

While it’s natural to worry about social-media disasters, data breaches, massive accidents, and other dramatic and unpredictable calamities, these proximate causes are rarely the real reason that companies fail.

Companies fail because they are made fragile over time by more insidious, “slow-burn” risks – culminations of numerous, everyday decisions that gradually overextend a company to the point that it cannot withstand the common shocks of the marketplace.

In contrast to the unpredictable randomness of actual Black Swan events, Forrester analyst Renee Murphy refers to these more predictable, self-inflicted risk events as “Black Chickens.”

Enron may have felt at the time that they were justified hiding liability after liability off their balance sheets. They were arguably within the law (certainly their auditor, Andersen Consulting thought so). But no one could argue that the inevitable consequences of these practices weren’t foreseeable.

It’s not the reputational dumpster fire that you need to worry about. It’s the mundane, everyday risks that pile up the fuel for the dumpster fire.

Strip-Mining Your Organization

A question for you: if a company decides to no longer maintain its infrastructure in order to cut costs, is it taking on a value-adding or a non-value-adding risk?

Enterprise Risk Management practices like to distinguish between risks that add value to the business because they are endemic to the business model (e.g., a bank taking on credit risk in its loan portfolio), versus risks that have no upside (e.g., security or intrusion threats). In ERM orthodoxy, one wants to court more of the former and less of the latter.

But if we grant that taxonomy, then into which category do corner-cutting risks fall? Take the above example of suspending infrastructure maintenance. The risks taken on by such an action are not endemic to the business model of the company, but they do generate cash and enhance profitability (hence adding value). Such decisions aren’t even per-se unethical. Executives are charged with managing costs as part of their fiduciary responsibility to the well-being of the company.

One might be tempted to think: who would be so stupid as to deliberately shirk the upkeep of one’s own infrastructure? This very decision, however, caused the 267,000-gallon Prudhoe Bay Pipeline Rupture of 2006. The company had decided to stop crucial pipeline maintenance procedures to save money.

No one sets out to become a corrosive decision-maker. All leaders are capable of rationalizing decisions that kick the viability can down the road in favor of a profitable present. Often these decisions are so small as to seem innocuous–a cut here, a trim there–until we have essentially strip-mined our own organization by extracting the maximum short-term value and mortgaging its future options and flexibility.


Which CEO is likeliest to survive and win out: the CEO who trades in all her prospects for a short-term show of growth and glory, or the CEO who sacrifices speed, multitasking, and diversification in the short-term in order to gain long-term flexibility and resilience?

The same question could be asked, by the way, of a 14th century king.

In his book, Antifragile: Things That Gain From Disorder (Incerto), Nassim Taleb argues that the stressors of the world, including so-called Black Swan events, are completely unpredictable. Instead of wasting time trying to make better predictions, we would do better to focus on how fragile we make ourselves to such stressors.

Taleb refers to “fragility” in a strict sense: something that has more to lose than to gain from an interaction with volatility. A glass has more to lose than to gain from an earthquake. Fragile propositions are asymmetrical risks with downsides that are ruinous (e.g., beyond a certain severity of earthquake, the glass breaks).

The following is a non-exhaustive list of factors that would tend to make a business more fragile (modified from my earlier blog on Antifragility):

  • Big expensive mistakes as opposed to small, manageable mistakes (including precarious cash/debt positions)
  • Sheer size, because it reduces the options available when one needs to act quickly
  • Single points of failure
  • Decisions made by those with no skin in the game, or who are somehow isolated from the consequences they create
  • Top-down controlled planning, or other resistance to trial-and-error
  • Over-reliance on prediction, and trying to draw more definitive conclusions than the data will bear
  • Investing 100% in medium-risk strategies, instead of balancing low-risk with some aggressive-risk strategies
  • Operating incongruently with your brand promise, as brands that are perceived as “authentic” on average have more reputational resiliency than those that are not.
  • Time itself. Time is a stressor. Eventually, everything falls to time (see: Shelley’s “Ozymandias”).

CEOs frequently make deliberate decisions that render their companies more fragile. In addition to cutting costs, they are charged by their boards to produce speed, growth, and profitability, none of which come for free. It may seem counterintuitive, but the very act of optimization itself increases fragility (by removing redundancies).

According to Jim Wetekamp, CEO of Riskonnect:

Most typical slow-bleed risks aren’t ethical or scandalous in nature, at least at the start. They are motivated by performance with speed being the first goal and multitasking or diversification of effort being the second. These two things together can lead to an overall slow decline in quality.

A slow erosion to quality through short cuts, reduced sampling, or audit and testing can have eventually dramatic impacts to brand through harm to consumer satisfaction or health, employee safety, or even economic competitiveness due to rework.

Introducing fragility is not necessarily a bad decision, but it must be done without making the business fragile to a specific, ruinous shock from which it could not recover.

IRM and the Strategic Voice of Risk Management

To truly integrate risk management is to integrate all risk data from the insurable side (in a RMIS) and the non-insurable side (in a Governance, Risk, and Compliance solution) into the same set of analytics, so one can:

  1. Trace the root causes of adverse effects across traditionally siloed fiefdoms.
  2. See where one may be creating so-called Black Chickens (foreseeable adverse effects springing from the accumulation of short-sighted decisions).
  3. Understand the organization’s overall risk posture, which is perhaps better expressed as understanding the effects to which an organization is most fragile (or even ruinously fragile).

Insurable and non-insurable risk activities should be rightly thought of in the same way. They should be tracked and reported from the same system because they both serve to mitigate downside and thereby decrease fragility.

If an office building catches fire, for example, the insurance policy, the building code compliance measures, and the employee response training all serve to mitigate different kinds of losses. Are these elements properly thought of as claims, compliance, and enterprise risk? Or does it make much more sense to see them as any common sense-possessing human being would see them–as a fire plan.

Further, fragility is additive, which means that risks that aren’t normally associated with one another start to correlate in extreme circumstances. For example, when a company has a hard time attracting new talent for reputational reasons, adverse effects branch out into production, outsourcing, unemployment claims, and a host of other risks areas all at once.

As amusing as it is to think about Richard II sitting down to his analytics dashboard, the fact remains that even 14th century monarchs survived by taking a comprehensive view of their risks. Like us, he faced:

  • Competitor risks, in the form of powerful political rivals
  • Fiscal risks, by emptying his treasury too carelessly
  • Political risks, having overtaxed his subjects
  • HR risks, having treated his nobles (workforce) over-harshly
  • Insurable risks, in the form of royal “insurance policies,” otherwise known as treaties and alliances

Richard did have an IRM system of sorts, called a privy council. It would have been the job of that council to point out how fragile his kingship was to the invasion that deposed him.

Should Richard have been able to see that he was leaving himself exposed to a ruinous downside? In truth he probably did know but was not willing to listen. And that brings us back to Enron.

Imagine being in the room in 2001 when Enron and Andersen were preparing the former’s financial reporting. Think about how everyone in the room knew exactly how many billions of dollars in losses were being hidden from shareholders.

Would it have done any good to present comprehensive risk information to decision-makers who were hell-bent on willful blindness to that very risk?

The sine qua non of corporate fragility and survival is a top-down culture that listens and cares. No amount of additional information would have helped Enron, because they already believed they knew everything, and they believed they knew best. Enron became a veritable Black Chicken factory, taking on risks that everyone can see in retrospect were ruinous in combination.

Beware the Black Chicken

Mark Twain said (apocryphally) that, “History doesn’t repeat itself, but it often rhymes.” Today we tend to repeat the same mistakes about risks that our historical forebearers made. This is particularly true when we misapply our attention to a single, dramatic potential risk event rather than making the sound strategic decisions that make our companies robust to whatever shocks may come.

To which risks is your company most fragile? When hard times come (and they will), where will you lose flexibility first? Which risks look manageable on their own, but could be ruinous if several events happened at once?

The so-called Black Swan events that executives blame for bankruptcies are, upon reflection, more like “Black Chickens.” Some companies are lost to utterly unforeseeable circumstance, yet most are lost to perfectly foreseeable shocks that they failed to withstand because they had made many short-sighted decisions that robbed them of crucial flexibility.

If organizations are to survive in view of the risks they face, they need two things: 1) A way to view risk attributes and relationships comprehensively, and 2) A culture that values the insights such views would produce. The proper culture is especially crucial because mitigating risks requires investing resources and time into measures that might detract from short-term profitability. Investments like these, whether in risk management or compliance, are hedges, and therefore might appear wasteful to the untrained eye.

The Black Swan isn’t going to get you. A bunch of Black Chickens will. So start looking for them.