In the past, companies have tried to manage risks by focusing on potential threats outside the organization: competitors, shifts in the strategic landscape, natural disasters or geopolitical events. They are generally less adept at detecting internal vulnerabilities that creep into organizations and other human-designed systems. Indeed, as companies increase the complexity of their systems – products, processes, technologies, organizational structures, legal contracts and so on – they often fail to pay sufficient attention to the introduction and proliferation of loopholes and flaws. Ericsson, Barings Bank and Comair are but a few examples of companies that have suffered disastrous breakdowns in their complex internal systems.
Without the benefit of perfect foresight, how can businesses uncover and forestall the fatal flaws lurking within their organizations? There are three complementary strategies:
- Assess the risk to make better-informed decisions, such as purchasing an insurance policy to cover the risk
- Spot vulnerabilities and fix them before catastrophic events occur
- Design out weaknesses through resilience
These ideas have been around for years, but researchers have recently had to reinvent them in the context of extremely complex, interconnected, cascade-prone systems.