Using the Cynefin Framework for Identifying Risks

Risks are everywhere, both known and unknown. Using the Cynefin framework can guide us in approaches to identifying different types of risks.

Why Care about Identifying Risks?

This is not a trick question.?

There are times when it can feel obvious why you would want to be able to identify all of the potential risks that could impact a situation. For example, consider an aircraft manufacturer. It would seem prudent to fully evaluate all potential risks that could cause an aircraft to fall from the sky. I can’t imagine anyone would want to see part of the fuselage fall off a plane that they were responsible for and realize that they hadn’t considered a risk around the bolts not being secured.?

Of course, not every situation is so life threatening. However, if your work impacts the lives of other people, then you should aim to identify the risks that could really hurt them. If you store or process user personal or confidential information, what are the risks that could lead to a data breach or the loss or corruption of that data? If you have employees, what are the risks that could damage the company to an extent where you would need a reduction in staff? If you offer a service that other companies rely on, what are the risks that could lead to the service not being available?

Having said all this, the purpose of identifying risks is not so that you can mitigate them all.

There will always be risks, and you will never achieve anything of value if you focus on being risk free.

The purpose is to understand the biggest threats that you face, and to make a conscious choice about which risks to work to reduce, and which ones to accept.??

?????

What is the Cynefin Framework?

The Cynefin Framework is a sense-making or decision-making tool, created by Dave Snowden , and consists of five domains. By understanding the domain in which you are making a decision, you can adopt an appropriate method or approach for making that decision. The framework also guides you in how to move a situation from one domain to another, as well as the liminal areas at the transition between domains.?

For the purpose of this post, we are only going to consider the high-level characteristics of the five domains, and not consider the liminal areas and transitions. The five domains are clear, complicated, complex, and chaotic, with a central domain of confusion / aporetic.?

Clear

This is one of the two ordered domains, alongside complicated. Within the clear domain, the relationship between cause and effect is self-evident and the constraints are fixed. In order to make decisions in this domain, you need to sense (establish the facts), categorize (determine the type of situation), and then respond (follow the relevant rules or best practices). The constraints around how to act are rigid, which leads to best practices to follow.

Complicated

This domain is also ordered, in that a relationship between cause and effect exists. However, after sensing the facts,? expertise and judgment is required to analyze the situation prior to responding. Rather than rigid constraints as found in the clear domain, there are governing constraints that lead to a series of good practices.

Complex

Within the complex domain it is not possible to deduce in advance a correct answer based on the facts of the situation. Instead, we need to poke, or probe, the problem first, and then sense what happens in order to decide how to respond. The extent to which the system can be probed is set by enabling constraints – the space within which you can act. This leads to exaptive practices, meaning the adoption or evolution of new ways of working.??

Chaotic

As in the complex domain, it is impossible to initially know what to do. The first and only thing that you can do is to take some action so that you can begin to gain more understanding. Unlike the complex domain, however, there are no effective constraints in the chaotic domain, and this can result in novel practices.?

Confusion / Aporetic

The central domain is one of the mechanisms for transitioning between domains, and you can enter and exit it from any of the other domains. This domain is considered confusion if you act with no understanding of the context of your situation, and is a dangerous place to be. However, it is possible to deliberately enter this domain for the purpose of aporia, whereby you contemplate contradictions and paradoxes as a means of gaining insights.

How can the Cynefin Framework be used to Identify Risks?

I have been using the Cynefin Framework to help organizations explore their risk landscape for several years. It can help in two main ways:

1. Provides starting points for thinking about systems and how risks can be identified. This can help to avoid inaction that can occur when people feel overwhelmed.
2. Ensures that a broad range of risks are considered. This can help to avoid a tendency of focusing within a narrow scope.

The approach I typically recommend is to first go through each of the Cynefin domains and identify the different processes that can be used in that context to control or surface risks. Then, step through each of these processes to identify specific risks relevant to your situation.??

Example: Childproofing a Home

To exemplify the use of the Cynefin Framework for identifying risks, let’s look at how we can identify different types of risks that are present for children in the home. I have 16-month old twins, so will focus on risks for inquisitive toddlers!

Clear

We’ll start with the clear domain, where there is obvious cause and effect. Look for checklists and best practices, and use these to identify risks relevant to your situation. For example, the US Consumer Product Safety Commission provides details on 13 ways for childproofing your home.

It is important not to blindly follow best practices and checklists, as they can provide a false sense of security. For example, in childproofing your home for toddlers, it is recommended to use safety gates to prevent children falling down stairs or entering rooms with other dangers. However, if the gate is not well secured or if the child can climb or open the gate, then the presence of the gate can actually increase rather than reduce risk. The Cynefin Framework talks about a catastrophic fold, or cliff, at the boundary of the clear and chaotic domains as a means of cautioning against this type of excess confidence in the applicability of rigid constraints.??

Complicated

While there is still cause and effect in the complicated domain, expertise and judgment are required to identify the relationships. When childproofing your home, you could invite friends or family that have children to apply their prior experience to identify risks. You can also step through the process that you expect the children to take for any activity, and look for risks at each step. Another approach is to perform a pre-mortem, whereby you imagine some event has occurred and work backwards to identify what could have caused it to happen. For example, what are the possible events that could have occurred for one child to have fallen requiring a hospital visit?

Complex

In the complex domain you have to set some enabling constraints and watch to see what happens. You can do this with a technical spike or experiment. For example, prior to installing a full scale climbing frame, you might want to first see how the child manages at a commercial play area, or on a smaller piece of equipment, and use that to identify potential risks. You could also use observability, whereby in this example the children could only use the play equipment while they were being closely watched until risks had been identified and suitably mitigated.

Chaotic

There are no effective constraints in the chaotic domain. You could invite a slightly older and confident child into your home and let them find all the ways your controls and safety measures can break or be circumvented. Or you could deliberately alter configurations, processes, or controls and see how the children manage with them. These two approaches would be analogous to pen testing with an ethical hacker, and chaos engineering.

Confused / Aporetic

You can inadvertently enter the central confused domain when you believe you are in one domain but you are actually in another. For example, when installing a new outdoor play structure, you might consider it from the complicated domain and seek the expertise and prior experience from other parents. However, this could miss the fact that you are actually in a complex domain, given twins can introduce factors not necessarily experienced by parents of singletons.

You can also enter the central domain deliberately for the purpose of aporia, that is, to contemplate paradoxes and contradictions. For example, exposure to germs can make children ill, but that same exposure is required for them to develop a healthy immune system. Perhaps an apt quote for all parents is this one from F. Scott Fitzgerald:

The test of a first-rate intelligence is the ability to hold two opposing ideas in mind at the same time and still retain the ability to function. One should, for example, be able to see that things are hopeless yet be determined to make them otherwise.

Next Steps

In this post, we have looked at approaches to help in the identification of risks. In a previous post, we saw how to communicate risks in a clear, concise, and consistent way, and the next step will be to prioritize those risks so as to focus attention where it matters most.

The Bottom Line

It is important to identify the risks that threaten your system(s), so that you can focus your time, effort, resources, and cognitive load on those that represent the greatest threats.

The Cynefin Framework can be useful in ensuring that the full scope of risk types are considered.

• From the clear domain, consider relevant best practices and checklists, and use these to identify risks within your system that have an obvious cause and effect.
• From the complicated domain, use approaches such as prior experience from related situations, taking a step-by-step look through processes, and performing pre-mortems. Here, you are enlisting expertise and judgement to identify risks with a less obvious cause and effect.
• From the complex domain, perform experiments or technical spikes to probe the system for risks, and employ observability to gain insights that can uncover non-obvious risks.
• From the chaotic domain, look at how you can remove constraints and see what happens. For example, conduct penetration testing of software systems, and deploy chaos engineering.
• Finally, it can be useful to consider contradictions and paradoxes in the aporetic domain, as an approach to thinking about the situation in a different way.