Complexity and Resilience in an Information Centric World

by | May 15, 2015 | Big data, Cybersecurity, management and leadership, Organisations, Resilience

Complexity and Resilience

How do organisations develop resilience in the complex environment that is the 21st century information centric world?

The lifeblood of the modern organisation is information. Every organisation, from small business to government department depends on information being passed to the right place at the right time.

Organisations and society are becoming more complex, but that doesn’t mean that they are more resilient. Complexity and resilience are more often enemies than friends!

Complex Organisations in the 21st Century

The opportunities posed by increased information flows are enormous,

Information is being gathered, stored and manipulated in larger quantities at higher speeds and analysed in more detail by organisations and society. They aim to to drive greater efficiencies and provide new and improved services. The information revolution allows organisations to become larger and more complex and to develop more complex systems and processes to support their organisational models.

1 billion Carbanak hackThe threats are also enormous

But the opportunity to become larger and therefore more complex often comes with a downside for organisational resilience and longevity. Complex systems are prone to catastrophic failure as small problems cascade and become enormous.

Information is damaging organisations when it is leaked or lost. Organisations are struggling to cope and governments are struggling to keep their own data secure. In other cases, too little information being passed to the places that need them. The organisational strategy is a delicate balancing act!

Survival and resilience

Why do organisations fail. Organisations are by definition self organising systems. However, when a self organising system loses the capacity to self organise – it is dead. Broadly, the story is similar for each one. The organisation was unable to adapt to the business environment before it ran out of resources. The end is often brought about by an acute event, but in many ways such an event is really just the ‘final straw that breaks the camel’s back’ .

The Australian Government’s resilience strategy shows Australia’s leadership in resilience thinking. It identifies four options for an organisation

  • Decline;
  • Survive;
  • Bounce Back;
  • Bounce Forward. 

However, in practice I think this may be too gentle. Taken over the longer term, organisations either live or die. There is no middle ground. Organisations that survive crises are able to do so for two reasons

  1. They have the resources, capital personnel,  leadership etc to manage themselves out of a crisis once it hits emerging weaker but alive; or
  2. They are prepared to adapt if a crisis arises and have developed a broad set of principles which will work with minimal change in most eventualities.

It is this second group which are truly resilient and survive long term. They still suffer from crises, but emerge stronger over the long term as they adapt to their new environment.

ICT is a two edged sword in the quest for resilience

As organisations become more complex, they are relying more and more on information technology and systems to help them understand themselves and their environment. Organisations can become more efficient. However, most organisations do not have control of their ICT infrastructure and it is increasingly difficult to understand how information flows within an organisation. It is also important to realise that efficiency and resilience are not the same. In fact, some efficiency practices may increase organisational fragility

Are the tools that organisations are using to try to understand their own organisations becoming in themselves part of the problem?

Possibly, though it is more the issue of complexity. There are a number of other factors

Speed of change

The speed that societies are changing is accelerating as technology advances. This means that organisations need to be able to adapt faster in order to keep up.

Interdependence

Organisations are more interdependent than ever. It is a trend that will continue to increase. In fact, countries are also more interdependent than ever. During the Cold war, sanctions didn’t affect Russia nearly as much as they do now. This is positive from a global political perspective, no country can survive without others, not even the USA or China. It is even forcing Iran to make compromises. In some ways this trade interdependency may be an alternate for the Mutually Assured Destruction (MAD) that nuclear weapons threatened to the USA and Russia during the cold war.

However, interdependency inherently leads to complexity and that is not a characteristic of resilience. Most organisations are increasingly dependent on long supply chains for materials and services, meaning that failure at one end of the supply chain can be expensive or time-consuming. On the other hand, international supply chains are extremely reliable … until they aren’t.

Everyone’s your neighbour

Because everyone is connected. Organisations can get closer to their customers and suppliers via the Internet. At the same time criminals and competitors are able to get closer to their target organisations as well.

Some organisations have been struggling. Sony corporation is one of the most prominent, but it is by no means the only one.

sony hacked again

From http://blogs.umb.edu/itnews/2015/01/06/the-sony-hack/

 

 

 

 

 

Affecting organisational longevity?

The evidence seems to be showing that organisational longevity is being reduced by a number of factors. Not least the ones I’ve written about above.

This graph produced by Innosight plots the average company lifespan on the USA Standard and Poor’s company index from 1958 to 2012 and extrapolates this out to 2030.

average company lifespan on SP500

US corporations in the S&P500 in 1958 remained in the index for an average of 61 years. By 1980, the average tenure of a similar organisation was 25 years. By 2011, that average had been cut to 18 years. In other words, the churn rate of companies has been accelerating over the last Century. On average, one S&P500 company is dropping off the index every two weeks! In total, 23 companies were removed from the S&P in 2011, either due to

  • declines in market value – eg Radio Shack’s stock no longer qualified in June 2011.
  • acquisition – eg National Semiconductor was bought by Texas Instruments in September 2011.

At the current churn rate, 75% of the S&P organisations that were there in 2011, will no longer be on the index in 2027.

The flaws in simple risk

Risk assessment loses specificity with complexity. That is, the larger, more complex the organisation, the less accurate the risk assessment can be. This is also true when we think about societal risks.

The sum of overall risk that an organisation has, is greater than its parts.

It is hubris to think that an organisation or society can know all its risks. There will be risks faced by an organisation that are either unknown, unquantifiable or both. Moreover:

  • The organisational environment continues to change rapidly. This means that risk owners ie company boards have less time for consideration and risk assessments need to adapt to the changing circumstances.
  • Perception bias is a significant problem. Gardner talks about bounded rationality in risk – suffice to say we downplay risk of things that we think we understand. Taleb talked in the Black Swan that people focus on the simple things they could understand.

In a complex organisation, people tend to focus on problems in parts of the organisation, rather than the organisation as a whole.

Different risk events

We see these issues playing out in different events that affect organisations, whether it is a

acute failure

such as the
– Deepwater Horizon Oil Spill that may yet cause BP’s demise, but seems to have been caused by a failure in the relationship with its drilling contractor, Haliburton

Target(USA) hack which saw tens of millions of credit cards stolen due to weaknesses in service provider security.

Or chronic failure

such as Kodak’s failure over decades to manage the transition to digital imaging, despite the fact that it’s own researchers had discovered the technologies in the 1970s.

A resilient approach

Resilience is the capacity for complex systems to survive, adapt, evolve and grow in the face of turbulent change. Resilient enterprises are risk intelligent, flexible and agile
(Adapted from www.compete.org)

A ‘Resilience approach’ does ignore risk assessment and management, it builds upon it to address weaknesses in terms of dealing with unknowns (known and unknown) and perception bias. Particularly those ‘high consequence low likelihood events’ – the black swans, that sit untreated at the bottom of any risk assessment, or fall off the bottom because nobody wants to think about them, or are not acute but in the chronic creeping ‘must deal with it sometime’ category. Worse still, they may be completely unknown.

Resilience approach allows enterprises to put in place mechanisms ‘deal with the gaps’ in the risk approach – those things that have been missed or underestimated.

As the world becomes more complex and organisations become more complex themselves. A resilience approach is the only option.

The resilient organisation

Develops organisational adaptability. A culture of making things work in spite of adversity. This creates a capacity to deal with adverse events – adaptability to deal with rapid onset of shocks. They also analyse to see whether improvements can be made out of any adversity.

Organisations look for mitigations that are able to treat a range of threats, because these techniques are likely to be more adaptable than highly specialised methodologies.

Testing – Organisations test systems to breaking point and beyond in the most realistic scenarios possible.

Resilience from Chaos (Monkey)

An example of testing to breaking point in a real environment is the ‘chaos monkey’ tool developed by Netflix. This application/agent randomly turns off parts of the Netflix production environment simulating the failure of different parts of their infrastructure. It is set to only do this during working hours when engineers are about to respond. In this way, the system is tested in the best manner possible short of the real thing.

Chaos Monkey Released Into the Wild

 

 

 

 

 

This post is based on a presentation I gave in Singapore. Here are my slides

 

Resilience Outcomes would like to acknowledge the assistance of Emirates Airlines for getting Alex to and from Singapore in great comfort.