Risk 360

Complexity And Risk: The 4 Principles

Those beginning careers in risk management must also get involved and take some courses on complexity management.

Traditional risk management grew up in the industrial age. In the first part of our complexity special focus, Warren Black in the IRM’s Enterprise Risk Management Magazine says today’s hyper-connected world requires a new approach underpinned by complexity risk theory. Risk managers need to be asked how they can help their organisations build up natural resilience so that they do not need to predict crises because they have the right systems in place to deal with any events as they arise.

If we understand what drives the behaviours, we can control the behaviours, which means we can control the whole system.


 First and most importantly, management needs to accept that the system in question is advanced and complex. Black says this is often the biggest barrier because once managers acknowledge this reality, they are also accepting that conventional approaches to project and risk management will not work as well, so new approaches need to be thought through and developed. “Formally acknowledging that existing methods are contextually impaired and therefore new, advanced levels of thought and practice are required is often the hardest step to addressing complex problems,” Warren says.

The second principle is to focus more on the connected whole of the system rather than its individual components. In risk management, individual components are often put on a heat map and assigned separate controls that are prioritised in relation to impact and likelihood. “As soon as a whole series of contributing components are connected into a common goal – in other words, the organisation – it is a system of co-dependent risks,” Black says. “When we are dealing with risks in a complex environment, we should be looking at managing the whole system not merely the individual contributors.” He sees this as critical learning for macro-global threats such as growing economic vulnerability, increasing COVID disruption, geopolitical tensions and climate change. They cannot sit as individual items on a risk register because they cut across many parts of the organisation in often unpredictable ways. “They are all connected and need managing as a co-dependent connected system because they all drive and influence each other,” he says.

Principle three recognises that because complex system behaviours are influenced by signals and feedback, they react to changes in the environment and to the behaviour of the other elements in the system. Take a flock of birds, which is influenced not only by the behaviour of the predominant half a dozen members of the flock but also by the changing environment and by feedback from each other. Fortunately, control agent theory comes to the rescue. It says that no matter how complex the system is, its entire behaviour is normally determined by only a handful of leading contributing agents. “Risk managers need to pick out what the leading contributing agents are – and if you can influence, say, those three to five agents, the signals and feedback that they will generate will be in the direction of what you want,” Black says. “It may never be total control so that it does exactly what you want it to do, but if you influence them positively, you will more often than not get positive risk outcomes.”

The fourth principle is to recognise that all genuinely complex systems will shift through different states and orders as they naturally evolve and transition. With each new state or order, new phenomena and behaviours specific to that order will emerge. For this reason, standardised, “one size fits all” approaches to management control are extremely limited when engaging in complex problems.

Source- Enterprise Risk Magazine, Autumn 2021. Get the latest print edition today (India only).




You may also like

Leave a reply

Your email address will not be published. Required fields are marked *

More in Risk 360