Beyond risk management: developing alertness, resilience and adaptivity


Lex Hoogduin - GloComNet (Global Complexity Network)


Traditional risk management approaches often do not sufficiently take into account the complexity of society and the fundamental uncertainty of the future. That leaves society, organisations and individuals vulnerable to serious disruptions, Black Swans and “blow-ups”. Unfortunately numerous examples show that this is not just hypothetical, but actually happening far more frequently than deemed possible in traditional risk management approaches.

What is needed, is what may be called Risk Management 2.0, going beyond traditional risk management, complementing and extending it. Below I will briefly present an outline of the main features of what that approach may look like.

Risk Management 2.0

The key problem with traditional risk management approaches is that they do not incorporate the ever present potential for surprise in a complex and uncertain environment. Risk Management 2.0 builds on this fact. It brings “alertness”, “resilience” and “adaptability” to the fore as defining elements of this approach.

Alertness in this context is the capacity to detect negative surprises and disrup'ons. Resilience is the capacity to avoid nega've surprises and recover from such surprises and remain viable. Adaptability is the capacity to respond to surprises. The objective of Risk management 2.0 is undisrupted operations.

Key considerations

Operations are broken down into separate interconnected elements and sources of potential disruption are imagined, like fraud, IT failure, human error, etc. Early warning, detection, escalation and prompt action are crucial. The framework is designed to create and use opportunities for fail-safe learning. Complex operations can never be fully comprehended and their outcomes can not be fully predicted. Learning while running the opera'ons is the only way forward.

A continuous feedback process is needed to avoid, detect and learn about vulnerabilities of one’s operations and eliminate discovered vulnerabili'es. An evolutionary approach is crucial. Resilience and adaptability require shaping a “just” culture (Dekker 2012) in which incen'ves for exploring, detecting, learning on the one hand are combined with forward looking accountability on the other hand. A blame culture should be avoided.

Four phases

The required permanent feedback process can be defined in four phases:

  1. Building security: Identifying and anticipating potential disruptions; avoiding disruptions; protecting operations against disruptions; mitigating the potential impact of disruptions
  2. Being alert: Monitoring and detecting negative surprises, errors and/ or disruptions
  3. Being robust: Responding to and recovering from negative surprises, errors and/or disruptions
  4. Learning: Reviewing and providing feedback into earlier phases of this process and into other similar operations where appropriate

Language and tools

Risk management 2.0 should be developed into the logic and language of alertness, resilience and adaptability, just like probability theory is the logic and language of traditional risk management.

Different supporting methods and tools can be fitted into this approach. That is similar to what we see in traditional risk management. Think in that context for example about the VAR approach, using normal or fat tail distributions, etc.

Examples of tools and methods that fit the logic of resilience are different types of scenario analysis, narrative techniques, like participatory narrative inquiry (PNI, see Kurtz 2014), and evolutionary learning methods.

For more information: Feel free to contact and /or


Dekker, C. (2012), Just Culture. Balancing Safety and Accountability
Kurtz, C. (2014), Working with Stories in Your Community or Organiza'on: Pa'cipatory Narrative Inquiry