Warren Black is a qualified engineer, risk professional and complex systems theorist. He established Complexus in 2016 to research how risks need to be controlled within complex organisations, projects and programmes. AIQ asks him whether current risk management practices are adequate in a world transitioning into the Fourth Industrial Revolution.
Complex risks have increased in the last few decades. Why is that?
Complex systems and related phenomena have always been part of our existence, from the beginnings of the Earth. How the sun interacts with the tides – that’s a complex system. How the rainforest keeps the flora and fauna alive is another complex system. We’ve always been aware of complex systems.
But they have only become part of our mainstream conversation and corporate agendas in the computer age. As the world moves closer to the Fourth Industrial Revolution (an extended period of mass-scale technological, political and societal change), complex systems have in turn become more and more visible to the typical practitioner.
Of particular relevance is how, within the next 30 years, we will live on a fully digital Earth. The whole world is going to be a series of interconnected, complex, intelligent systems – collecting data, storing data, analysing data, sharing data and adapting to data. That’s the way the world is moving.
How could this impact the way governments, companies and societies manage risk?
Seven or eight years ago, I found myself head of risk for one of the largest natural gas programmes in the world. My team and I observed that the speed at which risks were emerging, changing and adapting was so quick we couldn’t keep up using conventional risk management tools and analysis. We recognised there was something missing; that if you took a stock-standard risk management approach, it just didn’t work. These standards assumed risks were linear and could be managed in a step-by-step manner: identify the risk, measure the risk and treat the risk.
That works fine if you’re dealing with a simple, logical and cause-and-effect risk. But if you’re dealing with a highly dynamic risk, which creates continuous shifts in relationships, then the idea of identifying, measuring and treating the risk in a linear, step-by-step fashion does not work because the risk is continually adapting and changing.
Nothing can be predicted or proactively controlled when there is chaos
Consider how at the highest level of complexity you have chaos. Nothing can be predicted or proactively controlled when there is chaos, so conventional risk management techniques don’t work in environments of advanced complexity.
What are the implications of this complexity?
For the last six years, I’ve been focusing on how we control risks in complex, dynamic, systems-driven environments. As fate would have it, in 2020 COVID-19 hit. I didn’t predict the coronavirus, but I did say that as the world gets more and more systemically complex and interconnected, the scale of the risks we will experience will increase and have global implications. Today we have COVID-19, but tomorrow it could be a global supply-chain disruption. A year or two from now, somebody could hack the Internet. How many professions would come to a complete standstill if the Internet went down? And it is not implausible somebody could hack the Internet given how sophisticated technology is becoming.
Nothing is happening on a localised scale anymore. Our risks are now more systemically complex, more adaptive, more agile. Conventional risk management techniques don’t work at this level, and for that reason risk management has some catching up to do to deal with the increased complexity, dynamism and systemic interdependencies in the world.
How do you think we should be responding to COVID-19?
If you take COVID-19, a global pandemic, we had decades of repeated, institutional warnings of the inevitability of a mass-scale, global pandemic. The World Health Organisation, the World Economic Forum, UNICEF and countless other bodies consistently warned us there was an inevitable global pandemic coming.
On top of that, we also had numerous dry-run misses: SARS in 2003; SARS in 2007; MERS in 2015 and countless others. Despite this, when COVID-19 did come along, the only mitigation effort we had ready was to put billions of people under house arrest, shut down economies and compromise our children’s futures. We knew it was coming, yet we weren’t prepared.
We have to prepare a genuine, strategic, proactive response to all those macro-global threats that are both known and inevitable
If this is how we are going to deal with every major pandemic or risk that comes down the line, we are in deep trouble. So, the single biggest thing we have to do differently is prepare a genuine, strategic, proactive response to all those macro-global threats that are both known and inevitable.
What are some of the key risks you see on the horizon?
There are all the natural risks of course; climate change is a big concern. If there is one thing we’ve learned from COVID-19, it’s that we are not ready to deal with climate change. But it’s not just climate change. There are numerous other risks, such as the growing disparity between the rich and the poor, which must be addressed.
If you were to ask me what the big organisational risks are, a big one is the impact of the Fourth Industrial Revolution. Many organisations and the people they employ don’t truly understand how quickly the world is going to change in the next two decades. This creates a massive threat for the future workforce because it takes 20 to 30 years to build up expertise in a particular management discipline, and the world is changing so quickly there are not going to be enough skills and expertise to deal with the knowledge requirements in future.
If you’re a company suddenly flooded by smart technologies, but only five per cent of your employees understand them, you are in trouble. The risk is that in five to ten years’ time we will find the working world has far outstripped the available expertise and skill sets within the average organisation. In short, the speed at which technology is advancing is happening faster than the speed at which our labour capability is upskilling.
What should we be doing to futureproof societies and organisations?
I mentioned structured upskilling and training. If you are a company that employs 5,000 people, you can’t replace 5,000 people overnight; you have to keep them relevant. That is a big part of futureproofing.
One of the things I recommend to my clients is to have five, ten and 30-year transformation plans. The best way to do that is to work with academic institutions and get them to map out how your industry is expected to change over those time periods. Once you can see how the industry is expected to change, you can start to build up adaptive workforces and capability development strategies. I see more organisations doing that, but not the majority and that is a concern.
