From risk policies to uncertainty policies. The new perception and management of security

Àngel Castiñeira Fernández

The nature of the new changes. From risk society to disruptive society

In my opinion, the current decade is determined by four main dimensions of a disruptive nature. These dimensions are the economy, technology, geopolitics and the environment. By extension, we could also talk about social disruption and the anthropological dimension. I do not mention them directly here, because these two disruptions (surely the most important) are to a large extent an effect / consequence of the other four, to which I attribute causality, although certain factors, such as the demographic factor, may also be classified as causal.

To clearly understand the nature of the new changes, a distinction must be drawn between the notions of risk and disruption.

The notion of risk warns us of the proximity or contingency of possible damage. The study of risk evaluates the nature of the threats or risk factors, their possible effects, and measurement of the degree to which individuals or entities are vulnerable and may be affected. It makes sense to talk about the "measurement" of risk, because the creation of a function is presupposed which, once a vulnerability is established, is capable of calculating the expected value of a certain type of damage. The logic of risk is very useful, because it allows us to develop ex ante strategies to reduce the probability of damage occurring (degree of danger) or to mitigate its effects (degree of vulnerability).

On the other hand, disruption in a broad sense refers to a radical, drastic, brusque, profound or traumatic change capable of producing an unforeseen, unexpected, unconventional and accelerated break from a given environment or situation, which alters the order and rhythm of events and establishes a new and different state, rendering the previous state obsolete; it may bring risks, but also opportunities. In other words, it may include a dimension that is destructive or, on occasions, also creative, but in both cases we identify the disruptive factor ex post, after it has occurred.

When in 1986 Ulrich Beck described modern society as a "risk society", in some way he was anticipating this impossibility of taming risk. In Beck's view, the risk society was that "phase of development of modern society in which the social, political, economic and industrial risks increasingly tend to elude the control and protective institutions of industrial society." What characterized that moment was not the calculation and control of risk, but risk beginning to spill over, the increase in uncertainty, the recognition of having entered the threshold of the unpredictable.

It is easier to understand now why, in view of the time that has passed since Beck's intuitions, we consider it more appropriate to talk about the new disruptive phase, because the sudden and extremely rapid accumulation of changes we are experiencing and will continue to experience during this decade will provide a test not of whether organizations and countries are strong or large enough, but of whether they will be able to respond to the unexpected. Let us look at some examples.

Black swans, grey rhinos, exponentiality, rapid acceleration and VUCA environments

Black swan effects

In some recent studies on economy and finance there is mention of black swan effects, chance events that are very unlikely to be foreseen, provoking surprise and having considerable repercussions, such as the impacts of the fall of Lehman Brothers, for example. The writer Nassim Nicholas Taleb has begun to theorize about what he calls a "robust black swan society", meaning a society which can learn to withstand events that are difficult to predict, based on the anti-fragility of systems, that is to say, on the capacity to benefit and grow as a result of certain kinds of random events, errors and volatility. Disruption, in this case, would be associated with an "epistemology of randomness". Taleb proposes an original way in which to confront black swans: instead of focusing on the (unknown) probabilities of an unexpected event, we should look at the consequences (which are indeed known) that it could have. "We will never get to know the unknown since, by definition, it is unknown. However, we can always guess how it might affect us, and we should base our decisions around that."

Grey rhinos

On the other hand, Michele Wucker has also alerted us to the error of confusing black swans with another type of event which she calls grey rhinos. These are obvious, visible dangers, which come directly towards us; their potential impact is huge and their consequences highly probable, but we do not ultimately believe they will occur, or we do not include them in our forecasts and actions. The repeated and unheeded warnings about the effects of climate change or the imminent arrival of pandemics, for example, would surely correlate with this second animal metaphor, rather than the black swans. As occurs in the recent film by Adam McKay, we simply decide “not to look up.” The danger signs are quite clear, but our response is weak. Paradoxically, we are aware of the risk, but we choose to ignore it.

Wucker recommends a whole series of procedures to confront these types of event: admit the existence of danger and the imminent risks that it brings; determine the nature of the beast: the scope and the scale of the risks; avoid freezing and doing nothing; learn real lessons from what is happening; adopt a long-term view of the whole panorama and concentrate on strategy and its execution to overcome the predicament. If the grey rhino is recognized, it will be possible to control the risks that come with it. All these considerations are aimed at helping to modify our perceptual biases, incorporating scenarios and information that we often dismiss, and establishing protocols of actions that will enable us to react swiftly at the first signs of danger and in this way mitigate any negative impact. The conclusion to be drawn is that not coming to terms with a risk may be more risky than the risk in itself.

Exponential changes

In the field of technoscience, people no longer talk about linear or incremental changes, but exponential changes. Linear change is a mathematical model for representing a function where the values increase at a constant rate or ratio. Exponential change occurs when a phenomenon or a thing increases in a multiplicative way. An example of this can be found in the electronics industry, where until recently the number of transistors in the integrated circuit of a microprocessor doubled every two years. This is what has been called Moore's law.

Something similar has occurred with Human Genome sequencing. Thanks to the power of data processing, today the personal genome can be obtained in just a few days at a cost of no more than 100 dollars. This exponential transformation has been made possible by the connection between computing, biology and medicine.

One of the difficulties encountered in dealing with the current COVID-19 pandemic is that – unlike SARS – its capacity for infection is not linear, but exponential.


For example, on 20 March 2020 there were 16,000 infections in the US; by the following day this figure had jumped to 32,520. The number of infections doubled every two days. According to the Chinese Center for Disease Control and Prevention, COVID-19's R0 value was 2.5. Each patient could infect an average of 2.5 people. The infection rate was exponential. That is to say, if one person infects another two, they in turn each infect another two, and so on.


Something similar is occurring with access to and massive handling of personal data in the digital market. Thanks to Big Data and artificial intelligence, that is to say, a hitherto unthinkable capacity to track, process and store data, it is now possible to gain comprehensive information about people. And this knowledge of people, their tastes and preferences can make it much easier to control and manipulate them. As Yuval Noah Harari observes, now technology makes it possible to monitor everyone all the time. Governments and other organizations can use sensors and algorithms to spy on us and monitor our lives. Thanks to increasingly sophisticated technologies, people can be tracked, monitored and manipulated; access can be gained to our phones and our medical reports; there are cameras with facial recognition, and every movement of the population can be monitored. All this is possible because surveillance technology is also developing exponentially, at lightning speed.

The great acceleration

The other concept to bear in mind is the great acceleration. For years now, the scientific community has referred to a poor prognosis: the Earth has entered a new geological era – the Anthropocene – in which, for the first time in history, human activity is changing the limits or "vitals" of the planet. These "vitals" or constants are linked with the depletion of the ozone layer, the integrity of the biosphere, pollution of the air, acidification of the oceans, the impact of atmospheric aerosols, the use of freshwater, the changes in land use, the loss of biodiversity and chemical contamination. When alterations to these constants occur, the rhythm of the changes accelerates and the consequences are unpredictable. The paradigmatic example of this situation is global warming: the temperature of the planet has increased at an unprecedented rate due to human activity. According to Will Steffen, in 2021 we had already passed four of these nine planetary boundaries (climate change, biodiversity, deforestation and biogeochemical flows), which put our species – and many other animal and plant species – in a situation of risk. More recently still, in January 2022, the Stockholm Resilience Center announced that we had just breached a fifth boundary, the boundary related with the level of pollutants derived from synthetic chemical products and other new substances that inundate the environment and affect its stability. Since the Earth functions as a holistic system, a change in one of these boundaries directly affects the others, and we can easily embark on an escalation of changes in the natural dynamics of the planet that will lead to a hitherto unknown scenario.

In Will Steffen's new environmental studies on the Anthropocene, he refers to "the great acceleration" in changes to the planet, because in the end we have caused the socio-economic time series of modernity to converge with the geological time series (provoking, for example, the acceleration of climate change). An international team of researchers from the International Geosphere-Biosphere Program (IGBP) and the Stockholm Resilience Center have taken into account a set of 24 global indicators, which they have called a "planetary dashboard", in order to suggest that since the mid-20th century a "Great Acceleration" in human activity has occurred, leading to fundamental changes in the conditions and functioning of the Earth that can no longer be attributed to natural variability. "It is difficult to overestimate the magnitude and the speed of change. In a single lifetime humanity has become a planetary-scale geological force."


Source: Roman Krznaric, The Good Ancestor. How to Think Long Term in a Short-Term World, Penguin Books, 2020. Graphic by Nigel Hawtin.

VUCA and BANI environments

Finally, in geopolitical and business spheres, since the beginning of the 21st century people have talked about the VUCA (Volatile, Uncertain, Complex and Ambiguous) world or VUCA environments, in which the emphasis is on turbulence and instability, and prediction is replaced by reaction.


Volatility is linked with the nature and dynamics of change in things, situations or events and with the speed of the forces or catalysts of this change. When we say "everything that was solid (up until now) is vanishing into the air," we are talking at once about a volatile and a liquid society. This has inspired sociologists like Z. Bauman to talk about the fluid state of today's society, without very solid values and with human ties that are weak, provisional and fragile. The volatility of things and events also becomes a symbol of the transience and fluidity with which human beings' relationships are diluted. In the Global Risks Report of the Davos Economic Forum of 2022, the conclusion shared by the highest proportion of experts consulted (41.8%) was that over the next three years the world situation will be “consistently volatile with multiple surprises.”

Uncertainty, as we will expand on later, refers to the inability to confidently predict or foresee the future.

Complexity is related with the quantity, variety and interconnectivity between the factors that condition the environment.

And ambiguity refers to the vagueness or lack of clarity about how to interpret a situation, due to the fact that the information available is incomplete, contradictory or too inexact.

These descriptions seek to define the context in which countries and organizations find themselves at present and what they will have to react to in the future. A VUCA world presents new challenges to security and organizational planning, decision making, management functions and the exercise of leadership. VUCA environments force countries and organizations to reconsider learning models to prepare for contingencies, anticipate these and take successful action.

More recently, the researcher from San Francisco, Jamais Cascio, has suggested a new interpretative framework for structuring and better understanding our present, starting from the premise that the VUCA model no longer provides a good enough explanation of where we find ourselves. This new model is known as BANI: Brittle, Anxious, Non-linear and Incomprehensible. It is justified by the fact that now even volatility or complexity are insufficient lenses for understanding what is happening. At present, we are faced by “situations in which conditions aren't simply unstable, they're chaotic. In which outcomes aren't simply hard to foresee, they're completely unpredictable, situations where what happens isn't simply ambiguous, it's incomprehensible.” This is probably a good way of describing what we have sought to characterize as the “new disruptive decade.”

From risk policies to uncertainty policies

What the aforementioned disruptions have in common is not only the intensity and acceleration of the changes, but also high degrees of interconnection between them. It is precisely the combination of these elements that justifies moving from policies based on the notion and management of risk to policies based on the notion and management of uncertainty.


According to Knight, "uncertainty is an unknown risk, whereas risk is a measurable uncertainty." Risk refers to situations that can be measured quantitatively by means of a distribution of probability; on the other hand, uncertainty refers to those events for which there is not sufficient knowledge to identify objective probabilities.

We have been applying risk management to situations or environments in which we did not know the outcome of a particular situation, but we were able to measure the probabilities with precision. In contrast, uncertainty management is applied to situations or environments in which we cannot know all the information that we need in order to establish precise probabilities.

Unlike in situations of risk, when there is uncertainty it is impossible to identify a range of potential outcomes, and much less so scenarios within a range. It may occur that it is not even possible to identify, let alone predict all the relevant variables that will define the future. A good example can be found in the situation of the current pandemic. According to Federico Steinberg, "risks are expected in forecasts with a greater or lesser degree of probability, and they may or may not materialize. However, uncertainty is a situation in which our prediction models may go up in smoke, because we are entering unknown territory, as if we were making our way through fog. And the COVID-19 global pandemic has thrown us into a situation of radical uncertainty, which may also be prolonged in time; in other words, it may force us to move through fog for several weeks (sic). Therefore, the problem does not only lie in the fact that an unexpected event – a "black swan" (or grey rhino) – has appeared, but that as a result it has condemned us to spending a period of time in the purgatory of radical uncertainty. This black swan is more dangerous for the economy than other earlier ones, such as the terrorist attacks of 9/11 or the fall of the Berlin Wall, because the situation of fear, bewilderment, anxiety and insecurity among citizens will be more prolonged. Furthermore, the longer this goes on, the more possibilities there will be of new adverse economic effects appearing, such as prolonged slowdowns in investment and international trade, or more severe financial problems with unforeseeable consequences."


Source: Adapted from McKinsey & Company.

Treating the situations of uncertainty as situations of risk would be wholly inappropriate. When suppositions about risk are no longer valid and in reality they are applied to conditions of uncertainty, the effects may be destructive. Underestimating uncertainty may lead to strategies that neither defend a society against threats nor take advantage – in the best case scenario – of the possible "opportunities" that might be offered by the highest levels of uncertainty. Risk generates fear (the need to survive and seek protection), while uncertainty generates anxiety (considerable concern, intense nervousness and extreme insecurity about the future). Faced by risk, we react to an identifiable, specific, observable, measurable danger, the damage of which we are able to evaluate. Faced by uncertainty, we maintain a vague, unfocused and aimless belief about the future. We cannot predict the outcomes and this is what causes anxiety and frustration. In the risk society, security policies were risk policies, risk management policies. In the disruptive society, security policies become uncertainty policies. The problem is that we do not know how to handle uncertainty.

Security strategies in risk policies have developed ex ante and ex post initiatives. Ex ante initiatives have tried to turn a fragile society into a robust society. A fragile society (a brittle society, as Jamais Cascio would say) is vulnerable, and when it receives negative impacts, it has few possibilities of survival. A robust society is resistant, strong and capable of withstanding negative impacts. Ex post initiatives have tried to turn more or less resistant societies into societies that are also resilient. Robustness is a quality that enables us to prepare ourselves beforehand to withstand the blows; on the other hand, resilience is a quality that enables us to recover from the blows, after these have seriously affected us. Robustness gives us the capacity to resist a stressful factor or negative impact; resilience gives us the capacity to recover from the effect caused by this impact. In conclusion, security policies in times of risk have not only addressed "prevention", but also "recovery". In short, security in the face of risk has tried to incorporate ex ante robustness and ex post resilience.

Uncertainty and anti-fragility

We have observed that uncertainty occurs when events and their effects are completely unexpected. Now, randomness and variability are the rule, not the exception, and we cannot eliminate them from our equation. We will not be able to avoid (or hide from) adversity, but we will have to confront it. The problems of uncertainty arising from the climate emergency or the health emergency are a good example. This is why it is so difficult to take decisions at level of uncertainty 4 mentioned earlier. Those responsible for security will have to perform qualitative analyses, systematizations of knowledge, modeling of scenarios and take initiatives that help to move part of the problems from level four to level three. The aggravating circumstance is that they cannot become distracted, because they do not have a great margin of time once a highly relevant disruptive event makes its impact.

In a future approach to security policies, it might be advisable to create an ad hoc discipline for rigorous and systematic thought about uncertainty. The key lies in obtaining a minimally valuable perspective and identifying at least a subset of variables that will determine how a particular situation or context will evolve. As we have seen in the case of COVID-19, most countries have tried to identify favorable and unfavorable indicators of the disease, incorporate new information, study what the countries that have obtained the best outcomes were doing and determine the winning strategies to be imitated.

From risk policies to uncertainty policies


Source: Own elaboration based on: Endogenous Stress Caused by Faulty Oxidation Reactions Fosters Evolution of 2,4-Dinitrotoluene-Degrading Bacteria.

  • Fragile system: collapse after a shock
  • Robust system: resistance to the shock
  • Resilient system: recovery of the state prior to the shock
  • Anti-fragile system: improvement or strengthening after a shock

For disruptive times, we will need to promote anti-fragile responses. Resilience withstands the shocks and enables us to overcome adversity; on the other hand, the anti-fragile strategy should help us to improve. Resilience is like the Phoenix bird, which is reborn from its ashes, that is to say, it helps us to recover from adversity. Anti-fragility is like the head of Hydra, the serpent with seven heads; when one of its heads was cut off, two or more grew back; in other words, anti-fragility strengthens us in the face of adversity. The responses that we make to random events, unforeseeable crises, the triggering factors of stress and threat and volatility can make us stronger or they can destroy us. Anti-fragility starts from the premise that variability, adversity and stress can strengthen us. The design of an anti-fragile security model should help us take decisions in opaque conditions and prepare us for what has not yet occurred.

There are things we know we know (known knowns); there are things we know we don't know (known unknowns); there are things we don't know we know (unknown knowns); and finally, there are things we don't know we don't know (unknown unknowns). We must situate the anti-fragile security model in the context of exploring and exploiting the last two formulations.

Disruptive times will force us to work more on our unknown knowns (our intuitions and prejudices) and our unknown unknowns, unknowns that we often dismiss, but which could be the source of new insight. If we explore reality in an open-minded way, we can recognize patterns and hidden behaviors that could point to opportunities or avoid dangers. This search for optionality based on small and constant alterations may not have anything heroic about it, but it may be the most effective solution in the period we are destined to live in.

Anti-fragility can benefit from volatility and disruption, even in the case of extreme shocks. An anti-fragile security system should be trained in a variety of tensions and a series of unexpected events fairly frequently. This would contribute to developing new capacities or to having more possibilities to adapt to important new unexpected stressful factors.

In the classic comparison between the fox strategy (diversification) and the hedgehog strategy (specialization), anti-fragility leans clearly towards the model of the fox. Anti-fragile systems develop ranges of options and test a variety of possible responses to different adverse conditions. In the hedgehog strategy, the skills are there, the resources are available, the problem that has to be faced is pinpointed and the solution is known. This is possible because the environment is stable and predictable and uncertainty is low. This allows the hedgehog to be an efficient specialist, expending little energy, with a low metabolism, dedicated essentially to exploiting its immediate niche. The hedgehog is completely adapted to its environment.

In the fox strategy, the situation changes radically. The environment may be turbulent and highly uncertain. The fox does not know what problem it will have to face, the solution required or what type of resources are appropriate, and it does not necessarily have the skill to deal with this new problem. This forces the fox to be a generalist, an unfocused, dynamic, stressed player, who expends considerable energy on exploring the environment in order to be effective. The fox is not adapted to an environment, but is able to adapt to almost any environment.

In disruptive situations, we will not know beforehand what conditions will prevail, but efforts will be made to offer sufficient diversity to ensure survival. Investment will be made in a large number of initiatives, knowing that the majority will fail, but knowing too that some will be successful and prosper, so much so that the rewards will more than compensate for the losses incurred in the other initiatives. But firstly this involves keeping additional capacities active which we would not activate in periods of stability. Therefore, the energy expended and the investment of resources in research and trying out options is much greater in the anti-fragile strategy than in the specialization strategy. Ronald Heifetz has described this type of situation as an "adaptive challenge", because the habits and routines learnt in the past are no longer a guarantee of success now. The adaptive challenge demands a creative imbalance and a high level of stress.

Returning to the example of the climate emergency, scientists such as John Holdren and Lonnie G. Thompson say that we will basically have three choices: mitigation, adaptation and suffering. Mitigation involves doing things beforehand to reduce the rhythm and the magnitude of the changes to the climate caused by our actions. Adaptation refers to the measures or adjustments we will make afterwards to reduce the damage resulting from the climate change we do not prevent. Suffering corresponds to the adverse impacts we will have to put up with during climate change. We will end up doing a little of each. The question is what the mix is going to be. The more mitigation we do beforehand, the less adaptation will be required afterwards and the less suffering there will be. In the disruptive society, the adaptive challenge linked with climate change will be inversely proportional to the mitigation initiatives we deploy.

Secondly, we should take stock of the fact that when managing uncertainty, less can be more. In order to be anti-fragile, perhaps it is worth being small. Smallness contributes to greater adaptability and flexibility in volatile and chaotic times.

And thirdly, the anti-fragility strategy needs to recognize the value of error, for when faced by uncertainty it is only possible to move forward via a circuit of negative feedback, committing and detecting errors and correcting based on what is learnt from these errors. This, then, is a system that accepts provisionality and reinforces the detection of errors. It goes without saying that these three implications are based on the promotion of experimentation in search of successful adaptations and on non-stigmatization of error/failure.

In the presence of uncertainty, the anti-fragility strategy makes headway not by initially informing us of what works, but by establishing (and therefore reducing) what does not work. In other words, anti-fragility can help us – albeit modestly – to reduce unknown knowns and unknown unknowns. In this way, we can set out on the path that runs from total uncertainty (level 4) to risk management (levels 3 and 2), with which we are familiar.

