Just about a year ago, I started posting weekly on Risk Musings. (I made an initial post in March 2022, then thought about it and built up a backlog of essays before starting in earnest.)
I wasn’t sure if I’d keep going. It was an experiment. But fifty-two weeks later, I’ve wandered all over the risk map, with essays ranging from the Vietnam War to Linux to climate feedback loops to AI regulation to insurance retrocession to bank runs and beyond, and have no desire to stop.
So, I hope you’ll stick with me and enjoy the various twists and turns. I’ll be digging deeper into system dynamics modeling this summer and hope to share some of what I learn with you. I’m attending some information security conferences and (separately!) trying to figure out an AI risk proof-of-concept. I hope to write some more lighthearted essays too.
For now, here are some key principles and themes covered in the first year of Risk Musings:
The goal of risk management is not to eliminate risk; it is to increase resilience to an acceptable level.
To identify risks early, before they escalate into catastrophes: look for anomalies that are suddenly widespread in small numbers, and that seem relatively ignored or dismissed. Then overreact rather than under-react to get risks under control before they spread like wildfires.
Ask what questions aren’t answered by the data you have available to you, then increase your resilience if you’re uncomfortable with the unknowns you’ve identified.
The best types of risk to take are those favoring the upside (whether limited or unlimited) and with bounded and tolerable downside.
Systems thinking and system dynamics can help identify leverage points—places where a small change can cause big and beneficial changes throughout a system—especially via simulation modeling.
While models shouldn’t capture every part of a system, they often leave out important factors. For example, demographics are powerful and are driving strong employment numbers and housing shortages in the US. Population aging and life-stage trends, immigration trends, and disability and illness trends should be factored into models, since markets don’t operate in isolation.
Opportunity and hope are leverage points. People need them and will seek them out however they can if current systems aren’t providing enough of them.
Good regulation and bad regulation, and good controls and bad controls, are differentiated by their attributes. Getting good regulation and good controls in place is hard but feasible.
Risk increases whenever controls lag behind capabilities. For critical areas like nuclear weapons and (eventually) AI, controls need to catch up with, keep pace with, and eventually outpace capabilities. This may mean periodic slowdowns or even drawing a “stop here” line. We’ve done it before, and we can do it again.
Regulation can be hard to discuss because its dynamics are complex. For example, small business is often over-regulated and big business is often under-regulated. That makes it hard to talk about “regulation” as an overarching entity. Also, some small businesses are exceptions because they work with critical technology and therefore should be regulated. Regulation is situation-dependent and criticality-dependent.
To get people and organizations united to abandon a harmful approach or product en masse, ready, attractive, and profitable substitutes must be available. This is not optional. It applies to fossil fuels, CFCs, consumption-based lifestyles, social media, and more. Replacing “something” with “nothing” or with “something far inferior” rarely works. Incentives play a major role and likely determine the success of most initiatives.
Return-on-investment (ROI) calculations discount far-future costs and impacts indiscriminately, but unacceptable consequences merit a different weighting. (Yes, defining “unacceptable” is the hardest part!)
Near-misses are incredibly valuable for getting people to share information about risks and coordinate to reduce them across industries or even globally. Incentives are usually aligned: people look good within their company and among their peers for stopping risk from manifesting, and everyone gets to reduce risk as a result. Incident reporting can be trickier because there may be organizational or cultural incentives not to share, to avoid blame, to get promoted, to create “not-an-incident” categories such as “events” to avoid reporting, and so on.
Risk management victory is often silent. It’s still victory.
I’m excited about the coming year, with all its risks and challenges and possibilities. Onward, and thanks for reading!
Stephanie
Congratulations Stephanie. In the short time since I started reading Risk Musings, it has become a GREAT habit. Sharing across a wide range of topics yet returning to the central theme of your Substack shows your talent. Looking forward to the year ahead.
Congratulations Stephanie on reaching this milestone. The world is a better place because you have chosen to contribute and you plan on continuing to contribute.
On a personal level, I am glad I found your Substack. I have been learning a lot from your insights that are brilliantly articulated.
Keep it up.