There was an interesting post on Slashdot this week about someone who went to load their official Cisco VPN client CD only to find that it was in fact a bootleg music disc. These things happen: suppliers outsource to third parties, who subcontract to others, who find slack in someone else’s JIT delivery system.
Then I read this piece and cogs slowly, rustily start turning in my mind.
Complexity adds risk. If I have just a single rock then my risks are limited; the rock basically sits there. I could lose it or drop it or trip over it or break it, but that’s about it. If I have two rocks then not only have I now doubled the number of those risks but I gain new ones as well – one of the rocks could fall off the other, for example, or I could lose one rock behind the other.
So complexity breeds risk; so far, so obvious. Companies outsource, and there is now an added creator of risk to mispress CDs; government buys from the cheapest supplier, and there is now an added creator of risk to mis-sell hooky gear. You can name your own examples.
We work to try and mitigate these supply or delivery chain risks but there are two additional sources of complexity which we do not always consider.
The first is that risk mitigation can itself be a source of risk. Recent events in the financial world are a classic example of this. Some people thought that they had cracked the secret of achieving high returns without high risks. IT supports the creation of complex and often opaque financial risk management tools which make Black-Scholes seem like basic addition. Combine this with automated trading engines and we create a vast cybernetic plate-spinning engine which works until the first plate starts wobbling.
Paul Samuelson said “Business is the management of risk”. For me this means that unless you are willing to manage your risks, you should not be in business. And management does not mean magical thinking.
The second source of emergent risk arises out of the complexity of individual systems. Think for an instant about how you are reading this piece. You are using a computer whose hardware you trust, whose operating system you trust, a browser you trust, a network connection you trust, a network protocol you trust, a website you trust, a web server you trust, web server hardware you trust, and network hardware you trust.
That’s a lot of trust, isn’t it?