Dealing with Complex Risk or Complicated Risk? Let us Avoid ‘Complicated Risk Syndrome’

By: Dr. Antonius Alijoyo

November, 30th 2021

People use the words ‘complex’ and ‘complicated’ interchangeably in many cases, and the same happens in discussions of risk management. Do they have the same meaning or different ones? If they differ, under which circumstances should we use ‘complex risk’ and/or ‘complicated risk’?

Let us see what the dictionary says about each word. According to the Cambridge Dictionary, something complex has many parts and is difficult to understand or find an answer to, whereas the word ‘complicated’ refers to a situation that is not easy to deal with or understand. Although the two descriptions sound similar and intersect one another, they carry profoundly different meanings. Complexity is a property of the phenomenon itself, while ‘complicated’ describes the mental standing of the person dealing with that phenomenon.

From a risk management perspective, we could say that complexity refers to the situation or the risk object itself, whereas ‘complicated’ refers to the subject who is supposed to deal with that risk object. Complexity brings challenges that need to be sorted out, and therefore when we talk about complexity in the risk management universe, we call it complex risk. For example, cyber risks arising from new technology may raise the interconnectedness risk among the parties concerned (as a result of far wider and more numerous nodes). Because this is a complex issue, we refer to it as ‘complexity.’

On the other hand, ‘complicated’ reflects the mental standing of the person dealing with a certain risk phenomenon. The person tends to judge that the phenomenon is ‘complicated,’ whether it is genuinely complex or not. Such a mental standing can arise because there is a gap between the capacity and capability of the person and the level of the phenomena they are dealing with. Unfortunately, such a gap may cause the person’s lens to slip into ‘complicated risk syndrome’ (CRS) if no deliberate effort is made to avoid it. Moreover, since this syndrome is contagious, it could spread throughout the organization and later create an unhealthy risk culture.

What actually can go wrong if this particular situation happens?

If such a situation happens, people in the organization can easily be trapped into seeing all risks as ‘downside risks,’ and therefore they will allocate all their energy to reducing the likelihood of risk events and mitigating their impact in order to protect the value of the organization. This becomes a blind spot, as the organization is not stimulated to explore its upside risk or its preparedness. As a result, their attention is blinded by downside risk, and little or no energy is allocated to exploiting or capitalizing on upside risk to create value for the organization sustainably.

What should be done to avoid ‘complicated syndrome’?

Build a healthy and conducive risk culture throughout the organization by reaching a higher risk management maturity level. Along with that initiative, develop risk management competency at the upper and middle levels of the organization until it reaches critical mass. People would then be encouraged to see beyond their current horizon and not fall into the trap of seeing complexity as a threat or downside risk. Instead, they could see complexity as an opportunity and take it up as an upside-risk challenge.

The way onward?

Entering a new frontier after the Covid-19 pandemic, we have seen many phenomena characterized by the original VUCA (Volatility, Uncertainty, Complexity, and Ambiguity). The presence of complicated syndrome would hinder us from having a clear vision beyond our boundaries and existing horizon lines, leaving us with barely any understanding of or clarity over that VUCA.

On the way onward, there is a suggested approach to overcoming the original VUCA, which is also called VUCA (Vision, Understanding, Clarity, and Agility). This second VUCA can be established, developed, and institutionalized only if no complicated syndrome remains in the organization. Therefore, let us begin to switch our mental standing whenever we face certain risk events. Risk due to ‘complexity’ is fine, as we can always sort it out. Risk due to ‘complicated,’ however, should not be tolerated, as it will hinder us from progressing and from capitalizing on the opportunities that come with uncertainties.

I hope this article is helpful for risk management practitioners.


Dr. Antonius Alijoyo
Founder of Center for Risk Management and Sustainability Indonesia


Organizational Resilience Through ISO 22316 Standard: It is not a Matter of “Why” but “How”

By: Dr. Antonius Alijoyo

26th October 2021

Organizational Resilience (OR) is important because it gives an organization the strength needed to work through and overcome hardship. Many organizations have learned hard lessons during the Covid-19 pandemic, as the world is still dealing with a deadly pandemic that negatively affects our social and business world. Those lacking resilience get easily overwhelmed and may turn to ineffective and unhealthy coping mechanisms, whereas resilient organizations tap into their strengths and support systems to overcome challenges, work through problems, and even turn them into opportunities.

Question: What does organizational resilience mean?

It is “the ability of an organization to anticipate, prepare for, respond and adapt to incremental change and sudden disruptions to survive and prosper” (Denyer, 2017). Resilience plays a crucial role in the survival of organizations, as it is the ability to anticipate, survive in, and recover from a turbulent environment, with the ability to return to the original or an improved state (Chowdhury and Quaddus 2017; Brusset and Teller 2017; Pettit et al. 2021). In that regard, resilience helps the organization regain control rapidly amid unexpected change and maintain a general sense of composure when managing several changes simultaneously.

Question: If organizational resilience is so important, why do not all organizations take precautions and act to build it up?

There are many reasons why organizations do not prepare and build their organizational resilience intentionally and systematically. One of them is the lack of enterprise risk management (ERM) practices, leading to an absent or insufficient risk assessment process. Without it, they lack a sufficient and comprehensive longer-term view of risk identification, analysis, and evaluation, and may well fail to map their risk universe beyond the current horizon. Consequently, they see no need or urgency to raise their organizational resilience capability and make their organization future-ready as early as possible. Another reason is the lack of standards or references that could help organizations establish their organizational resilience practically and effectively. In many cases, they have found that establishing organizational resilience is quite complex and requires a great deal of resources and time, while no visible and urgently needed output or outcome could be expected.

Question: Is it complicated to build organizational resilience capacity and capability?

The illusion that misleads many organizations about the complexity of establishing and sustaining organizational resilience comes from mixing up the complexity of the object, the matter we need to resolve, with the approach to dealing with it. In this case, the matter that drives the need for organizational resilience may be the VUCA (Volatility, Uncertainty, Complexity, and Ambiguity) of the future, which is quite complex to figure out. That may drive the opinion that the ‘how’ of dealing with it is also complex and complicated. This opinion is ubiquitous, as most organizational leaders recognize the VUCA issues but are not certain how to deal with them.

Question: Is there any standard or reference that organizations can use to establish and sustain their organizational resilience?

In this context, a new standard, ISO 22316, Security and resilience – Organizational resilience – Principles and attributes, has been issued to provide a framework to help organizations build and improve their resiliency effectively and practically.

Question: As a standard, what is the detail about ISO 22316, Security and resilience – Organizational resilience – Principles and attributes?

The standard sets out key principles, attributes, and activities. James Crask, Convenor of ISO/TC 292’s working group WG 2, the group of experts that developed the standard, says that improving the resilience of organizations ensures they are not only better placed to anticipate and respond to potential risks but can harness opportunities as well. He also said that “The standard takes a wide view of the things that can drive resilience in an organization; many of these are behavioral and have historically been overlooked. This is why one of the key principles of the standard is to help them develop a culture that supports resilience”. Lastly, he offered a very strong encouragement: “It also involves building upon existing forms of risk management, having shared values and an awareness of changing contexts, all the while underpinned by strong and empowered leadership.”

This standard provides a tangible tool that simplifies the process of building organizational resilience. As a standard, it helps an organization’s leaders lead, build, and sustain organizational resilience in a more practical, simpler, and measurable way. It also gives organizations an international reference and protocol, which helps them communicate their resilience approach to their international partners, since they use the same protocol and a similar PDCA (Plan, Do, Check, Action) cycle. In short, the need for resilience is rooted in the rising complexities of the business world. It therefore calls for a practical approach, rather than making the complexities we face more complex by using a complex approach. ISO 22316 serves that proposition and is therefore worth adopting, so that organizations can embrace their future by turning challenges into opportunities, as those challenges could otherwise turn into threats.

Question: How does this ISO 22316 interlink with ISO 31000 Risk Management Guidelines?

The two fit and complement each other. Using ISO 31000 and ISO 22316 together helps organizations move past ‘why’ risk management and organizational resilience are important and deal effectively with ‘how’ to implement risk management and organizational resilience simply and practically. As a closing, let us read the following citation together: “The research on organizational resiliency suggests that successful firms are prepared for adversity and yet are also proactive and flexible when encountering a crisis. Resilient firms prepare for difficult situations and show a “generalized capacity to investigate, to learn, and to act, without knowing in advance what one will be called to act upon.” (Wildavsky, 1988).”


Dr. Antonius Alijoyo
Chair of National Mirror Committee Indonesia TC 262 – Risk Management and TC 309 – Governance, Badan Standardisasi Nasional (BSN) Indonesia
Founder of Center for Governance, Risk Management, Compliance and Sustainability Studies


Risk Management and Decision-Making Theory

By: Dr. Antonius Alijoyo

18th October 2021

Academicians often discuss the underlying theory of risk management, especially those related to the concept of Enterprise Risk Management (ERM). One of the underlying theories is the ‘decision-making theory,’ which was first introduced by Herbert A. Simon, the Nobel Prize winner for Economics in 1978. He is best known for his work on corporate decision-making, also called behaviorism. Decision-making theory is a theory of how rational individuals should behave under risk and uncertainty. The theory suggests that decision-making means the adoption and application of rational choice for the management of a private, business, or governmental organization in an efficient manner. The theorist argued that making a decision is choosing between alternative courses of action. It can even mean choosing between action and non-action.


The Journey of Governance and Risk in Organizations Toward Maturity

Author: Poppy Noviana, ST, MT, ERMCP

Staff, Reporting and Monitoring, Risk Management Division, Indonesia Stock Exchange

Often, the people in an organization are lulled into focusing their attention on the problem that is happening right now. If we focus there, and in the end pour all our resources intensively into resolving it, we can forget that at the same time there are other potential problems ready to surface if they are detected too late. Enterprise Risk Management (ERM) may be one effective tool that offers a solution here. Why so? Because anticipating potential problems is far cheaper and easier than dealing with problems once they have occurred.


Building Risk Management Culture: which one is more effective, the top-down or the bottom-up approach?

Author: Dr. Antonius Alijoyo

23 September 2021

The question above was posed by a director of a large company operating in the Southeast Asian market, and below are some thoughts offered as a dialogic conversation rather than a definitive answer. In summary, both approaches have their own merits, issues, and challenges, depending on the organization’s risk management maturity and on whether we live in a country with a high- or low-context culture. Since those two perspectives are dynamic, it works better if both are used simultaneously, along a spectrum of a journey that balances the intensity and extensiveness of the two approaches toward the goals of the organization. Below are some suggestions based on those two perspectives.


7 Steps to Face Cybercrime and Malware Attacks on Live Chat Systems

Author: Deselffina Parinduri

Head of the Competency Division, IRMAPA

Editor: Aprilia Kumala

The threat of cyber attacks in the form of phishing has entered a new chapter: intrusion through live chat systems.

As reported by Ditsti ITB, phishing is the act of obtaining personal information, including user IDs, passwords, and other sensitive data, by impersonating an authorized person or organization. The term phishing itself derives from the English word fishing, meaning “to angle for” something. In other words, the activity is focused on baiting the target into handing over the important information being sought.


The Necessity of A Holistic Model of Fiscal Risk Resilience

Author: Dr. Antonius Alijoyo
Founder and Principal of Center for Risk Management and Sustainability

Along with the rising need for better risk management practices in the public sector, fiscal risk resilience has become one of the critical agendas of countries around the world. It requires each government to build more effective fiscal risk resilience, one able to address and capture more dimensions than what is currently practiced.


Technology Acceleration in the Non-Bank Financial Industry (IKNB)


(This article was published in the newspaper Bisnis Indonesia, 29 April 2021.)

The adoption of digital technology accelerated during the Covid-19 pandemic. According to McKinsey (2020), organizations and industries made a quantum leap in digital adoption. The same happened in Indonesia, marked by a surge in online transactions.


5 Obstacles to Effective BCM Implementation


Business continuity management (manajemen kelangsungan usaha), abbreviated BCM, should be implemented seriously by every organization. This is because, however effective the risk management we run may be, it cannot prevent the risk of disruption arising from events that genuinely cannot be controlled, or are difficult to control (uncontrollable events). Moreover, control over the impact of disruption risk is often limited in scope as well. Take a simple example: an earthquake. It is almost impossible for a company to prevent an earthquake from happening. On the other hand, the impact control usually relied upon is loss insurance. Yet the losses that may arise from an earthquake are not only physical damage to infrastructure. The organization may lose data, people may lose their lives, and customers and other stakeholders may lose any expectation of seeing the organization recover quickly.
