Moving from simple risk management to real resilience is a critical new capability that organisations are striving to attain. Teams seek to quickly mature resilience as we reopen our businesses, countries and economies in the post-COVID-19 world. Organisations that do this well and become ‘anti-fragile’ will thrive – those that do not will find themselves being driven and battered by new waves of change.

In previous posts on Risk Quantification, the Digital Impact Chain and how 2020 is Changing the way we 'Do Risk and Resilience'– Forever – I’ve focused on how risk management is changing and becoming more aligned with scoring techniques based on multiple factors from both technology and business stakeholders. This blog post takes Risk Quantification a step further and redefines Resilience in terms of becoming anti-fragile.

What is Resilience? What is Anti-Fragile?

Traditionally we think of resilience in terms of how quickly something can ‘bounce back’ from an impact. Business Continuity teams focus on metrics such as the number of days or hours to return to operations (RTO) or a recovery point (along a process) objective (RPO).  RTO and RPO are typically used to measure resilience goals through business impact assessments (BIAs). Disaster recovery teams execute playbooks that have been tested – often months back in a different environment – and struggle to bring processes back online after an incident.

But all that has changed with the COVID-19 pandemic and the call for change that worldwide protests are demanding. In a world where human speed is outflanked by digital transaction speed and decisions are made on real-time analytics, old approaches to business continuity and disaster recovery simply don’t cut it.

Developing real Resilience means becoming ‘Anti-fragile’ – a concept spearheaded by Nassim Taleb, author of Fooled by Randomness, The Black Swan, and Antifragile. Organisations and processes become anti-fragile by continually testing with small shocks to the integrated fabric of people, process and technology. Why? Because Risks are interconnected. Risks can cascade. A COVID-19 hot spot can close access to a critical single-source supplier. Creating greater diversity and fairness at work can mean reworking resource plans and partnerships but in a good and sustainable way. In a world where rare events dominate the landscape because risks have cascaded in ways we have not anticipated, anti-fragile is the route to real resilience.

How Do We Develop Anti-Fragility?

If you have been able to incorporate Risk Quantification, with a bottom-up, top-down approach to score risks, by aligning operational, infotech, security and cyber teams - you can now start moving from risk to true resilience. But to develop anti-fragility, your teams must do more and increase the scope of resilience across a digital environment - not only within your organisation, but also across your vendors and cloud service providers (CSPs). This means aligning processes such as incident response that now have a larger, wider-spread impact across many distributed, virtual stakeholder groups. Anti-fragile as a goal, especially with increasing digital transformation, assumes your teams see where there can be a chain reaction across the technology and business process workflow – with upstream and downstream processes across CSPs connected to other third and fourth parties. 

The best way to start building anti-fragility into resilience programs is to start acting with agility, begin building a strong capability to quickly adapt, leverage early warning signals and have tested, executable plans to bounce back.

Let’s look at some general categories with examples of how our current reactive practice can be transformed by building anti-fragility into our GRC programs and technologies:

• CONTROLS
  • Reactive practice - Go through a (sometimes long and protracted) remediation action plan as a result of a (sometimes long and protracted) assessment or audit.
  • Anti-fragile practice - Fix control/test failures faster and completely – address it as a fix right away prior to it getting tied up in a prolonged process. Look across your environment and fix similar problems proactively and ask where else could this be happening with the same failed control?

• ROOT CAUSE CANALYSIS (RCA)
  • Reactive practice - Fix an issue with a band aid due to resource and budget constraints
  • Anti-fragile practice - Fix issues by going deep and wide: conduct a real RCA by asking the Five Whys involving the right people across the organisation and CSPs. Use this a point of real learning.

• WEAKNESSES
  • Reactive practice  - Wait until an emerging risk shows up as a failure in order to get the remediation budget
  • Anti-fragile practice - Be proactive on suspected weaknesses. For example, cyber controls are increasing with X-From Home (work, school, medical check-ups, news, recreation, social visits, advice etc.) XFH has pushed the envelope and hackers have upped the ante. In addition, look at the infrastructure. For example, if there is a power outage – that can be critical if a doctor is WFH on a call with a patient! What risk can you transfer? Where does your accountability stop and where is it shared? Think through your way of responding.

• CLOUD
  • Reactive practice - Use your own datacenter with older apps to run portions of the business
  • Anti-fragile practice - Be proactive on cloud modernisation. If you have 20 CSPs now, think about everything that could be improved with leading, safer, more secure scalable CSPs. Proactively define your standardisation strategy – such as your SSO strategy across the cloud. You’ll need this kind of standardisation to scale as an enterprise.

• REAL TIME SENSING AND MONITORING
  • Reactive practice - Use continuous controls monitoring in isolated areas, not looking at the opportunity to automate the end-to-end process
  • Anti-fragile practice - Up your game on monitoring and sensing mechanisms. More and more we see utilities, cable operators and other providers using IOT and remote sensing technologies where real-time data is being pulled and continuously analysed which is proactively avoiding risks. This puts an entirely new view on resilience. Think about your business and technology processes – what needs to be digitalised and what can you continuously sense and monitor?

• DATA ANALYTICS AND ARTIFICAL INTELLIGENCE (AI)
  • Reactive practice - Use metrics in isolated areas, not looking at the opportunity to build analytics into the end-to-end process
  • Anti-fragile practice - Get proactive on predictive analytics where it makes sense. Understand your ethical risks and put an AI governance program in place that provides visibility into common pitfalls. Test for bias of the creator or bias in your data. Your organisation needs clean, relevant data, and transparent algorithms for optimal decision-making.  

Summary and Call to Action

Remember – Business Continuity Planning is not enough. Real Resilience requires a commitment to developing anti-fragility across the entire fabric of your extended enterprise. We are in an unprecedented age of change with more digitalisation and greater diversity in both people and technologies which is transforming our third party relationships and the way we work. Organisations should anticipate and be ready to embrace this change by building anti-fragile concepts into your Resilience strategy and plans.