The changing nature of risk and risk management: The challenge of borders, uncertainty and resilience
The nature of risk management and the challenges generated by its theory and practice have been in a state of evolution over the past 10 years. This process of evolution has created a number of difficulties for those involved in the management of risk, who now increasingly find themselves lacking the necessary capabilities to cope with the nature of this change – not least because of the increased volume of information around the various sources of threat and the trans-disciplinary nature of the problems. The dynamic nature of emergent hazards requires new techniques and analytical frameworks for dealing with low probability – high consequence events (sometimes termed as ‘black swans’) (Taleb, 2007) that are contextualized within a highly connected system. The oft quoted ‘post-modern’ nature of risk also generates a set of task demands around our understanding of public perceptions, media ‘amplification’ and the distortion of risks (in both probabilistic and consequential terms), along with their subsequent impacts upon policy making. Policy makers and practitioners, when turning to the academic world for insights, solutions or at least the important challenges to the dominant worldview, may now be finding the academic field somewhat ‘wanting’ in this regard. This is because of a number of reasons but may chiefly be because of the multi-disciplinary nature of the problems generated by the risk and the difficulties that many universities have in structuring and supporting research beyond conventional departmental boundaries. In this editorial, we attempt to set out what we consider to be the characteristics of some of the shifts in the nature of risk, and in doing so, hope to initiate an agenda for debate and development that we consider to be of significance to the authors and readers of Risk Management.
Risks such as the ‘new’ forms of terrorism, pandemic flu and the recent economic collapse within the financial sector, along with the consequential global economic crisis, serve to illustrate the borderless nature of risk in a renewed, but in several respects, significantly different manner. Moreover, they present several challenges to conventional approaches to risk management: (1) they often lack the a priori evidence that would render them predictable to any degree; (2) they are sufficiently large, in terms of the damage that they cause, to trigger further hazards or crises further down the timeline and (3) their origin, evolution and final scale and form are frequently unknown, such that they represent an emerging, ill-understood and ill-defined set of risks that need to be dealt with. As a result, they often require mediation by technical experts in an attempt to provide an evaluation of the likely failure modes and effects.
As a consequence, and on the basis of these characteristics alone, many emergent forms of risk often do not yield to conventional forms of risk assessment and management or indeed to conventional policies at an institutional or Governmental level. These new forms of risk also illustrate the interconnected nature of ‘risk’, ‘crisis’ and ‘disaster’ and the manner in which discrete events can serve as triggers for other problems within an all too often nested system. In addition, the mitigation and response to risks in the broadest sense is increasingly a function of interagency and networked forms of management and organization. Although such approaches are essential for dealing with risk, they invariably represent a ‘double-edged sword’ as they can also be important factors in inhibiting or complicating risk communication and early warnings of failure. The question remains as to what role such networks play in allowing risk potential to contribute to the ‘incubation’ (Turner, 1976) of risk and what techniques are available to deal with this process. As governments, practitioners and academics increasingly engage in debate around the nature of these threats, along with their mitigation and future impact, then a particular note of caution needs to be given on how these events are understood, and the ways in which different communities of practice define, conceptualize and seek to address them. Of particular salience here is the growing use of, and importance attached to, the policy concept of resilience.
The potential range of issues arising from these new forms of threat, and from the response of these various communities of practice, is beyond the scope of this editorial. Here, we seek to address three particular aspects of the challenges that face academics and practitioners associated with risk management, and to set out some directions in which we hope that debates might develop. The first of these is the particular difficulties that arise from the ways in which risk transcends the natural and artificial borders that surround institutions, nations, cultures and bodies of knowledge. The second is the way in which we understand the notion of resilience in terms of both theory and practice. The third relates to the spatial interactions that take place within a networked society to generate what we term ‘spaces of vulnerability’ and, ultimately, ‘spaces of destruction’ (Smith, 2009).
Risks without Borders
The notion of a ‘risk society’ (Beck, 1992) and the ‘management’ of risk, across a number of dimensions, have assumed positions of considerable importance within several bodies of academic literature (Perrow, 1984; Shrivastava, 1987; Giddens, 1990; Hewitt, 1997; Reason, 1997; McGuire, 1999; Smith, 2001). What is clear from this burgeoning body of research is that risk transcends a number of academic disciplines and also cuts across other boundaries – whether they are sociotechnical, geopolitical, organizational, cultural, physical or health related. In many cases, the borders or boundaries between these issues are permeable and the effects and consequences of particular hazards can migrate across these borders. At the same time, risks are mitigated and controlled by organizations that seek to work together through communities of practice and thereby seek to transcend their own organizational and professional constraints. Thus, a complex mosaic emerges in which the causal factors, mechanisms of transmission and escalation, and the range of processes around mitigation, and control cut across disciplinary and structural boundaries.
Risk is, therefore, and perhaps always has been, a borderless phenomenon and, yet despite this, there has been insufficient academic attention focused on the issues that surround the management of those risks across the various ‘borders’ that exist. In part, this is because of the silo mentality that often exists within organizations and which is exacerbated by strict disciplinary boundaries within academia. In practical terms, the interplay between elements of ‘risk’ at the various intersects generates some interesting issues for ‘organizations’ to deal with. It is almost axiomatic that there are problems that are generated across a range of tangible and intangible borders. However, there are also some important lessons for organizations and policy makers that take place at this very nexus. The interplay between disciplinary perspectives on risk can generate new understandings that may have a relevance to various types of hazards along with their prevention and ‘management’. The year 2008 provided several examples of the pervasive and trans-boundary nature of risk within modern societies.
Emergent Forms of Risk
The failure of the sub-prime market in the United States and its effects on European banks and beyond, provides a stark reminder of the interconnected nature of business and the manner in which failures can cascade through the ‘system’ (Altman, 2009). This particular failure cascade was both swift and, for many organizations, catastrophic. The ‘failure’ of established and reputed financial institutions and businesses, and the need for others to be rescued by their respective national governments provided a clear indication of the vulnerability of connected organizations to shock events within the globalized business ‘environment’. Although financial connectivity and risk is an obvious and highly visible aspect of modern organizational forms, there are also other more physical manifestations of the interconnected mosaic of hazards that bind organizations together.
When a pathogen can find refuge or a place to mutate in a range of hosts, controlling it becomes far more complex, requiring an integrated – and much more difficult – approach. (Karesh and Cook, 2005, p. 41)
The close proximity of people to livestock in certain parts of the world, the density of population and the ease with which people travel, all combine to create a ‘tightly coupled and interactively complex’ (Perrow, 1984) system in which disease can both mutate and can be transmitted quickly from animals to humans.
Terrorism, as has been seen, is the weapon of those who are prepared to use violence but who believe that they would lose any contest of sheer strength. All too little understood, the uniqueness of the strategy lies in this: that it achieves its goal not through its acts but through the response to its acts. In any other strategy, the violence is the beginning and its consequences are the end of it. For terrorism, however, the consequences of the violence are themselves merely a first step and form a stepping stone toward objectives that are more remote. (Fromkin, 1974–1975, pp. 962–963)
A bold terrorist attack on a peaceful city strikes fear, then horror among bystanders, then an entire nation. Gunmen barely out of their teens, sent on a clandestine one-way mission against a hated foe, create a bloody international incident with huge implications. Two neighboring states, long at loggerheads over issues of borders and identity, lurch towards war as a nervous world watches. (John R. Schindler, US Naval War College, 2008)1
The attacks on Mumbai have, to-date, failed to fully ignite the tensions that exist between India and Pakistan, does not detract from the potential for risk that exists within the region. It also raises questions about the long-term strategic goal of terrorist groups, who are actively targeting countries where there is an existing high level of tension and especially where the main protagonists have nuclear capability. If Fromkin is correct, then the stepping-stones that form part of the terrorist strategy may well lead to an end point that has frightening consequences.
Each of these examples given above illustrates the trans-boundary nature of risk and the potential that they have to ‘cascade’ through time and space. They also have the potential to by-pass organizational controls, thereby leading to an escalation of their consequences. They are trans-boundary because, at their simplest, they transcend national, political and social boundaries. For example, the migration of risk potential through a range of networks has become an issue of concern for managers, as risks within elements of company supply chains have implications for the management of risk. The disruption of those supply chains, and the underlying critical national infrastructures they support are particular threats that exercise the minds of government and those responsible for the elements of, and links between these essential network nodes (Flynn, 2002, 2004; Luft and Korin, 2004; Boin and Smith, 2006). Protecting these networks and infrastructures when they are so extensive, generates an interesting set of problems as the tension between Russia and the Ukraine (and its consequences for gas supplies in Europe) has illustrated. There also seems to be a risk of conflict between energy-rich states, a phenomenon that may well increase as resources deplete further and the demand for energy increases (Ross, 2008).
The risks we have explored are also trans-boundary because they do not have a single-root cause for the nature of the threat and also involve multiple causal agents and pathways for transmission. As such, they do not ‘fit’ neatly into the conceptual mind-sets that we often have for categorizing threats and the causes of risk. They can also emerge as potential crises that evolve and develop at different speeds and over different time frames. Thus, from an organizational point of view, a particularly vexing question is how do we create organizations that are resilient to the escalation of ‘normal’ perturbations within the system, where those perturbations have the potential to shift the equilibrium of system to the point that they become major ‘risk’ or crisis events (Smith, 2009)?
The examples listed above also raise some interesting issues for the management of risk and the development of ‘resilience’ within organizations. ‘Resilience’, for example, has become the politically accepted term of choice to describe the processes around crisis management and business continuity. The nature of resilience, as an operational construct, is an important element in the ability of nation states and organizations (especially those that transcend national borders) to cope with the task demands of those risk events that have been called ‘a new species of trouble’ (Erikson, 1994). The ways in which resilience is understood and operationalized, and the development of risk management strategies in light of these perspectives and approaches should arguably form the basis of an increasing level of enquiry and debate within this journal. As noted earlier, now we go on to set out two dimensions of these issues below, as a means of stimulating thinking and future work around this aspect of risk management.
Resilience and Risk
Resilience as a concept seems to have a strong relationship with the notion of stability – a resilient organism or organization is one that remains stable (or close to stable) in the face of perturbations or is able to return to the equilibrium point quickly after a perturbation impacts upon it. There are, however, some debates as to what the nature of that equilibrium means – does it imply that the ‘system’ has to return to the same point where it was before the perturbation or does it move to a new state of stability? There are also debates as to whether there can be multiple points of equilibrium within a system at a particular point in space and time. Although these might seem to be interesting academic debates, they also have implications for the design of resilient systems in practice and certainly have relevance to the relationship between hazardous consequences and system's stability.
As a concept, resilience can be seen as having both spatial and temporal dimensions – organizations and organisms are resilient to certain things, at particular points in time and within particular contexts (Carpenter et al, 2001). It is not, and cannot be, an all-encompassing process that provides ongoing protection to all threats or one that simply allows stability to be maintained in a changing environment. Although this might seem to be something of a moot point, it is important to recognize at the outset that the concept has its limitations and is not the panacea that some would claim for the problems that face governments and organizations. It is also important to note that different literatures consider the term in quite different ways. Depending on the perspective chosen, a key element in our understanding of resilience might centre on the notion of multiple, as opposed to a singular, point(s) of equilibrium. Our opening examples in this paper would lend weight to the view that the maintenance of equilibrium is a multi-dimensional process and that there might be both multi-scale, and variable speed processes taking place within these wider system contexts. A system may, therefore, be stable at a particular point in time but may be unstable elsewhere within its operational ‘space’. Equally, over time, a system may appear to be stable (or in equilibrium) but may be characterized by frequent fluctuations that establish potential points of instability and that could in turn lead to the erosion of defenses. From a risk management perspective, this creates a series of challenges for managers in their attempts to ensure that effective controls are in place to prevent the escalation and migration of hazard potential; although, at the same time, living with perturbations, multiple points of equilibrium and disequilibrium. There is, therefore, a need to develop and enhance our understanding of the point at which to intervene and manage the system – to the extent that effective ‘management’ of a dynamic system is even possible at the level of control that some managers would want.
… stability near an equilibrium steady state, where resistance to disturbance and speed of return to the equilibrium are used to measure the property. (Holling and Gunderson, 2002, p. 27)
… efficiency, control, constancy and predictability – all attributes at the core of desires for fail-safe design and optimal performance. Those desires are appropriate for systems where uncertainty is low. (Holling and Gunderson, 2002, p. 27)
… conditions far from any equilibrium steady state, where instabilities can flip a system into another regime of behaviour – i.e. to another stability domain. (Holling and Gunderson, 2002, p. 27)
… persistence, adaptiveness, variability, and unpredictability – all attributes embraced and celebrated by those with an evolutionary or developmental perspective. The latter attributes are at the heart of understanding and designing for sustainability. (Holling and Gunderson, 2002, p. 27)
Thus, one might argue that there is an important relationship between sustainability and resilience if we use a more biologically-oriented approach to the term than if we adopt the engineering approach. It could also be argued that the engineering approach is more suited to those areas where the determination of risk is undertaken on a firm basis of the a priori evidence of earlier failures. However, for low probability, high consequence events or where there is a significant level of emergence, then this reliance on an engineering approach no longer provides a firm basis for analysis or for assessing threats that are seen to be of an ‘emergent’ nature. Returning to the examples that we set out at the start of this paper, then it is clear that many of the issues that we face within a risk management context are of such an emergent form and we, therefore, need to reconsider our approaches to the management of such phenomena. The manner in which we deal with ‘stability’ within organizations and the policy-making processes also need to come under scrutiny and be subjected to careful, systematic consideration if there has to be coherence in the approach taken by the wide-ranging number of organizations involved within the increasingly global, boundary-less domain of risk.
Spaces of Vulnerability and Spaces of Destruction
A related, and equally important aspect of the treatment of resilience, is the notion of vulnerability and the way in which we conceptualize that process operating within space and time. The ‘landscapes’ in which organizations operate are invariably fractured and pitted. There are ‘spaces of vulnerability’ that exist both within and between organizations and these have the potential to expose weaknesses in organizational controls and thus impact upon the limitations of strategies to develop resilience. Inevitably, gaps in defences emerge, weak signals and early warnings are ignored, and there is a high degree of likelihood that managerial assumptions and beliefs will lead to an erosion of organizational capabilities around control. There are considerable service design issues associated with this process. For example, there are new challenges to the way in which we design organizations to provide both a seamless service to ‘customers’ and to maintain a level of security that is effective, and minimally intrusive. The interaction between these, and other elements, will serve to create and sustain ‘spaces of destruction’ (Smith, 2009) in which the interplay between resilience and the search for equilibrium by organizations will create fractures within the defences, which organizations establish to ensure stability in the first place. Managers may then ultimately become the authors of their own misfortune as they seek to create rigid systems of control that maintain a particular point of equilibrium in situations where, in fact, the dynamics of the system mitigate against such rigid attempts at control. These controls may inhibit the required levels of adaptation to environmental changes and may, therefore, result in a shift in the very equilibrium that the controls were designed to protect in the first place. This raises a question on how organizations can develop the dynamic capabilities that are required to cope with such challenges – a challenge that also faces the academic and research communities in terms of the ways in which we train and educate managers. If the MBA, for example, is to provide the means of developing these capabilities, and become more than a composite of the functional areas of management, then it will need to ensure that it also evolves to meet the future needs of organizations around the creation and maintenance of these dynamic capabilities. It needs to encourage future generations of managers to reflect upon the lessons that emerge from the various crises facing organizations and give them the skills to learn from those mistakes and, perhaps more importantly, to reflect upon the limits of their own knowledge and thereby help to prevent future events. By failing to do so, we will simply be destined to repeat the problems of the past.
Taking the Debates Forward
Identifying, measuring and managing risk, crises and disasters.
Exploring and explaining risk behaviours in both organizational and societal contexts.
Dealing with risks associated with environmental impact and change and the issues of sustainability and adaptation.
Examining the ways in which chronic and acute forms of impacts are dealt with in risk assessments and especially considering the problems associated with extreme events.
Developing debate around the protection and management of organizational reputation.
Examining the nature of resilience, especially around issues of risk and security in relation to critical national infrastructures and from catastrophic events.
Identifying and developing the dynamic capabilities needed to both prevent and manage risk and resilience within organizations.
Source: http://www.takimag.com/blogs/article/mumbai_2008_sarajevo_1914/, accessed 1247 on the 30th December 2008.
- Altman, R.C. (2009) The great crash, 2008. A geopolitical setback for the West. Foreign Affairs 88 (1): 2–14.Google Scholar
- Beck, U. (1992) Risk Society. Towards a New Modernity, Translated by M. Ritter. London: Sage.Google Scholar
- Erikson, K. (1994) A New Species of Trouble. Explorations in Disaster, Trauma, and Community. New York: W.W.Norton.Google Scholar
- Giddens, A. (1990) The Consequences of Modernity. Cambridge, UK: Polity Press.Google Scholar
- Hewitt, K. (1997) Regions of Risk. A Geographical Introduction to Disasters. Harlow, UK: Addison Wesley Longman.Google Scholar
- Holling, C.S. and Gunderson, L.H. (2002) Resilience and Adaptive Cycles. In: L.H. Gunderson and C.S. Holling (eds.) Panarchy. Understanding Trasnformations in Human and Natural Systems. Washington DC: Island Press, pp. 25–62.Google Scholar
- McGuire, B. (1999) Apocalypse. A Natural History of Global Disasters. London: Cassell.Google Scholar
- Osterholm, M.T. (2007) Unprepared for a pandemic. Foreign Affairs 86: 47–58.Google Scholar
- Perrow, C. (1984) Normal Accidents. New York: Basic Books.Google Scholar
- Reason, J.T. (1997) Managing the Risks of Organizational Accidents. Aldershot: Ashgate.Google Scholar
- Ross, M.L. (2008) Blood barrels – Why oil wealth fuels conflict. Foreign Affairs 87: 2–8.Google Scholar
- Shrivastava, P. (1987) Bhopal. Anatomy of a Crisis. Cambridge, MA: Ballinger Publishing.Google Scholar
- Smith, D. (2009) Making accidents happen in the imagination – Simulation, fitness landscapes, and the management of crisis. Simulation and Gaming, in press.Google Scholar
- Smith, K. (2001) Environmental Hazards. Assessing Risk and Reducing Disaster, 3rd edn., London: Routledge.Google Scholar
- Taleb, N.N. (2007) The Black Swan. The Impact of the Highly Improbable. London: Penguin.Google Scholar
- Zarocostas, J. (2008) WHO chief calls for united front in face of three crises: Food, climate change, and pandemic influenza. BMJ 336 (7654): 1155.Google Scholar