This was originally published on the Resilience First website.

We need to look beyond traditional risk management if we are to deal with complexity and uncertainty.

Traditional risk management approaches often do not sufficiently take into account the complexity of society and the fundamental uncertainty of the future. That leaves society, organisations and individuals vulnerable to serious disruptions, Black Swans and ‘blow-ups’. Unfortunately, numerous examples show that this is not just hypothetical but actually happening far more frequently than deemed possible in traditional risk-management approaches.

What is needed is what may be called Risk Management 2.0, namely going beyond traditional risk management. Below, I will briefly present an outline of the main features of what that approach may look like.

Risk Management 2.0

The key problem with traditional risk-management approaches is that they do not incorporate the ever-present potential for surprise in a complex and uncertain environment. Risk Management 2.0 builds on this fact. It brings ‘alertness’, ‘resilience’ and ‘adaptability’ to the fore as defining elements of this approach.

Alertness in this context is the capacity to detect negative surprises and disruptions. Resilience is the capacity to avoid negative surprises, recover from them and remain viable. Adaptability is the capacity to respond to surprises. The objective of Risk Management 2.0 is uninterrupted operations.

Key Considerations

Operations are broken down into separate interconnected elements, and sources of potential disruption are imagined, like fraud, IT failure, human error, etc. Early warning, detection, escalation and prompt action are crucial. The framework is designed to create and use opportunities for fail-safe learning. Complex operations can never be fully comprehended and their outcomes cannot be fully predicted. Learning while running the operations is the only way forward.

A continuous feedback process is needed to avoid, detect and learn about vulnerabilities of one’s operations and eliminate discovered vulnerabilities. An evolutionary approach is crucial. Resilience and adaptability require shaping a ‘just culture’ (Dekker, 2012) in which incentives for exploring, detecting and learning on the one hand are combined with forward-looking accountability on the other. A blame culture should be avoided.

Four Phases

The required permanent feedback process can be defined in four phases:

  1. Building security: Identifying and anticipating potential disruptions, avoiding disruptions, protecting operations against disruptions, mitigating the potential impact of disruptions.
  2. Being alert: Monitoring and detecting negative surprises, errors and/or disruptions.
  3. Being robust: Responding to and recovering from negative surprises, errors and/or disruptions.
  4. Learning: Reviewing and providing feedback into earlier phases of this process and into other similar operations where appropriate.

Language and Tools

Risk Management 2.0 should be developed into the logic and language of alertness, resilience and adaptability, just like probability theory is the logic and language of traditional risk management.

Different supporting methods and tools can be fitted into this approach. That is similar to what we see in traditional risk management. Think in that context, for example, about the Value at Risk (VAR) approach, using normal or fat-tail distributions, etc.

Examples of tools and methods that fit the logic of resilience are different types of scenario analysis, narrative techniques like Participatory Narrative Inquiry (PNI) (Kurtz, 2014), and evolutionary learning methods.


Dekker, C. (2012), Just Culture. Balancing Safety and Accountability.

Kurtz, C. (2014), Working with Stories in Your Community or Organization: Participatory Narrative Inquiry.


Lex Hoogduin – GloComNet (Global Complexity Network). For more information: contact and /or

