The long and winding road towards resilience - Part 9

In the previous post, we broadened our view and learned about the sameness of business and IT. We also used the four response types of resilience to change our static approach regarding threats towards a more dynamic one, including continuous evaluation of threats, learning and repositioning in an ever-changing threat landscape. This adds the last missing shard to resilience: Anti-fragility.

In this post, we will discuss what we find at the peak of Mt. Resilience, the peak of advanced resilience (anti-fragility).

The peak of advanced resilience (anti-fragility)

The peak of advanced resilience is our final stop on our journey towards resilience.

Very few companies are there. The most important reasons are:

• Embracing adversities as opportunities is a mindset shift that takes time and is challenging for most people.
• Continuously evaluating threats and their impact in order to learn from them and dynamically reposition oneself on the threat landscape takes time to learn and master.
• The inseparability of business and IT as a consequence of the ongoing digital transformation is still poorly understood. You cannot create a highly resilient IT without also looking at the business side. I wrote about this deficit of perception in most organizations, e.g., in this blog post about “Responsible IT”. ¹

As before, the lower plateaus do not become irrelevant. The concepts of the peak create another layer and complement the prior concepts. Also, understanding the impact of one’s IT actions in the overarching business context helps to make the actions more impactful.

Evaluation of the peak of advanced resilience

With that being written, let us explore the peak of advanced resilience using our meanwhile well-known evaluation schema.

Core driver

The core driver is to consider adversity as an opportunity to improve.

To learn from adversities and use our learnings to move to a better position, we need to give up the reflex to avoid and fight adversities at all costs. Instead, we should be open to examine them with a healthy dose of curiosity.

This does not mean that we should invite as many adversities as possible. This would be disadvantageous because it costs capacity, resources and energy to deal with the impact of the adversity.

Still, we should not only be in fight mode but also be curious and open for learning: “Ah, this is the effect of this threat. Hmm, lately this kind of threats occurred more frequently. How can I change my interactions with my environment in a way that this kind of threats will not hit me anymore or at least less frequently and with a smaller impact?”

This kind of curiosity is meant if we talk about embracing adversity. Of course, we need to handle the threat. But we also see it as an opportunity to learn and improve.

Leading questions

This leads to a quite different set of typical leading questions like, e.g.:

• How can I establish a continually learning and improving organization?
• How do I need to adapt at all levels to improve my ability to handle adverse situations successfully?
• Is adaptation enough or do I need a more radical change to reduce my vulnerability to adverse situations?
• How do I need to shift and change my organizational boundaries to become less vulnerable to adverse situations?

Establishing a culture of continuous learning and adaptation is a prerequisite for advanced resilience. Maybe you already have such a culture established in some other areas. Then it may be easy to extend it to improving from adversities. Otherwise, becoming anti-fragile may take a longer time.

The question is always how to improve the positioning, how to reduce the frequency and impact of threats – especially in the face of a continuously changing threat landscape. Cybercrime is a meanwhile commonly accepted area with a frequently changing threat landscape. But it is by far not the only one.

We can also see frequently changing threat landscapes in many other areas: New technologies create new types of issues and threats. Continuously changing markets – including the ever-changing needs and demands of our customers – frequently create new challenges and threats. New products and business models create new types of potential threats. Unreliable supply chains. Economic uncertainties. Geo-political instabilities. Extreme weather. And so on. There are many types of threats that may affect a company and many of those areas continuously change.

Sometimes, a surprise can push us from the viable area into the death zone if we do not change radically and quickly. This can be caused by a business disruption. This can be due to an adverse event like a crisis, or alike. In such a situation, continuous adaptation is not enough anymore. We need to leapfrog to move back into the survival zone.

Responding to a changing threat landscape often includes changing the interaction patterns at the organizational boundaries. While this may feel surprising in the first moment, it becomes obvious if we consider that threats typically hit us through our technical and non-technical interfaces with the outer world. Hence, the way we shape our collaboration patterns on those interfaces often affects how easily and severely a threat can hit us.

However, this realization often takes time and many companies hesitate to change their collaboration patterns with the outer world because they are afraid of a potential backlash from their suppliers, partners and customers. Nevertheless, becoming anti-fragile requires the willingness to also change the interfaces to the outer world including the associated collaboration patterns.

Typical measures

Continuous learning and adapting – and sometimes leapfrogging – requires a different approach which manifests in different measures like, e.g.:

• Building a culture of continuous learning and improvement creates the prerequisites to successfully adapt to an ever-changing threat landscape.
• Systems thinking creates a different understanding of measures and effects. After all, the goal is to improve the system, i.e., the positioning of the whole organization, not only its parts. A big lever for this lies in the interactions between the system parts. ²
• Leapfrogging, if continuous adaptation is not enough to remain in (or move back to) the survival zone.

Regarding systems thinking: We care about the whole organization and how it responds to threats. We want to position ourselves in ways that reduce the frequency and impact of threats. Threats enter at our system, i.e., organization boundaries and then unfold their impact while rippling through the system.

The internal interaction and collaboration patterns between the system, i.e., organization parts can intensify the effects of threats or they can dampen them. Therefore, it is not sufficient to look at measures with a simple cause-effect mindset. Instead, we need to look at the whole system and how its parts interact. Even small measures that change the interaction patterns of the system parts in subtle ways like changing a communication routine, requiring a little inquiry in case of doubt or establishing a little constraint that nudges the interaction in a different direction can make a big difference.

Of course, this does not rid ourselves from pondering all the other measures we discussed in the previous posts. But taking the bigger picture into account, we also need to look at the whole system, its interactions and the information flow at its boundaries as well as through the system.

Trade-offs

The peak of advanced resilience approach has several trade-offs:

• The effort required to reach the peak is comparable to the effort needed to reach the high-plateau of basic resilience.
• However, it requires a different mindset regarding adverse events and situations. It requires embracing them instead of only trying to avoid and fight them by all means. This mindset change can take a long time and lots of efforts to implement.
• Also accepting the sameness of business and IT as well as the required system thinking may take time to understand, accept, learn and master.
• Mastering the peak of advanced resilience approach will improve your anti-fragility, i.e., adverse situations will usually make you stronger.
• The approach will eventually affect the whole company, i.e., it will not stop at the boundaries of the IT organization. Remember: Due to the ongoing digital transformation, business and IT have become inseparable – also with respect to resilience.

When to use

Such a setup is of course also suitable for all contexts, the high-plateau of basic resilience is suitable for.

Additionally, it prepares for a successful endless game in an increasingly uncertain world.

The common keyword used to describe such a setting is VUCA. In short, VUCA means we cannot reliably anticipate anymore what will happen next. Thus, we face decision uncertainty as surprises become the new normal.

To successfully navigate in a world where surprises are the new normal, we need to be resilient because resilience is exactly about this: Successfully coping not only with expected adversities but also with surprises.

As the world around us continually changes, it is not enough just to be able to resist or quickly recover from surprises. We also need to build the ability to continuously adapt to a changing world, ideally to build anti-fragility – including the ability to leapfrog if needed.

Finally, the fact that business and IT have become inseparable due to the effects of the digital transformation, also affects resilience – at least if you aim for actual resilience and not only robustness: Without a resilient IT, business cannot be resilient – and vice versa.

When to avoid

–

Impact radius

The impact radius is the full socio-technical system, i.e., it includes the IT systems, the IT department, the business department, the processes, the organization and the collaboration modes at the (socio-technical) system boundaries.

Blind spot

–

Summing up

The peak of advanced resilience is the final stop on our journey towards resilience. We do not only accept adversities of all kinds, expected and unexpected; we embrace them and use them as an opportunity to improve. We build anti-fragility.

The effort required to climb the peak is comparable to the effort needed to reach the high-plateau of basic resilience. However, the required mindset change from avoiding adversities towards embracing adversities and the need for systems thinking when it comes to improving may put additional obstacles in the way. Maybe this is the reason we find even fewer companies at the peak than at the high-plateau.

Advanced resilience allows for everything, the high-plateau of basic resilience allows for. Additionally, it prepares for a successful endless game in an increasingly uncertain world.

Lost at the summit

So, yay!

We made it to the peak!

We conquered the summit of Mt. Resilience!

Finally!

Whew, this was a long and arduous journey!

But, um, where the heck are we and how did we get here?

This all looks very strange, not at all as we thought it would look like when we started our journey.

We started at an quite easily understandable technical IT level (at least for us IT folks). But then somehow the scope continuously grew until we ended up at a strategic business level. We never intended – nor wanted – to end there but somehow we did.

And so we stand at the peak of Mt. Resilience, dazed and confused, and ask ourselves:

Do we always need to climb to the top or is it okay to stop our journey at one of the interim plateaus?

This is the question, we will discuss in the next and final post of this series (link will follow). Stay tuned … ;)