The Inevitability of Failure: Building Resilience in a World of Uncertainty
I’ll be exploring this theme in depth at Gameday Ready, London – November 7, 9:00 am–1:00 pm GMT and during the Supplier Risk Resolution Workshop – November 10, 1:00 pm–4:00 pm GMT. Both sessions will examine the inevitability of failure as the cornerstone of risk and resilience management across strategy, objectives, and operations.
“Failure is not the opposite of success; it is the landscape through which success must travel.”
Steinbeck’s borrowed line from Robert Burns — “The best laid plans of mice and men often go awry” — captures a truth that every leader must face. Even the most advanced GRC architectures, the most disciplined controls, and the most intelligent systems cannot eliminate risk.
In a world defined by uncertainty, failure is not an anomaly: it is inevitable. The challenge is not to avoid failure, but to design for it: to build the capacity to anticipate, absorb, and adapt when the unpredictable becomes reality.
From Security to Resilience: My Early Encounter with the Inevitability of Failure
In the mid-1990s, my work centered on information security: the frontier of what I now call digital risk and resilience to deliver digital trust. Those were formative years, as the internet connected the world and simultaneously exposed its vulnerabilities.
A paper from the U.S. National Security Agency titled “The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments” profoundly shaped my early thinking. It argued that absolute security is an illusion: the growing complexity of computing systems ensures that somewhere, at some time, something will fail.
Over time, I came to see that this principle applies far beyond the digital realm. It’s a universal law: as businesses expand, operate globally, and depend on the extended enterprise, and as systems grow more interconnected and adaptive, so too does their exposure to uncertainty. The inevitability of failure is not a flaw in our systems: it is a fact of their complexity.
This realization has guided my evolution from cybersecurity to governance, risk management, and compliance (GRC) — from protecting systems to understanding the architecture of risk and resilience management that allows organizations not merely to survive failure, but to learn and grow through it. Even thrive in it!
The Personal Reality of Failure
The inevitability of failure is not an abstract concept for me; it has been a personal journey.
My wife, Mandi, has always embodied health and vitality: active, strong, and without a trace of genetic risk factors or family history. Her diagnosis of breast cancer came as a devastating shock. It shattered assumptions, redefined our understanding of certainty, shaped our perspectives on risk, and, as I watched her this past year, reshaped my understanding of resilience.
As she now reaches the end of treatment, I’ve been reminded that even when everything appears perfectly aligned — every control, every indicator positive — failure can still strike without warning. Her heart and organs have been weakened from all of the treatment. Although there is no sign of cancer present, the treatment has led to other “operational issues.”
This experience has deepened my belief that organizations must confront uncertainty the same way individuals do: with perspective, humility, adaptability, and resilience. The absence of warning is not the absence of risk.
The Certainty of Failure in a World of Uncertainty
Failure will always find a way in. The only question is how we will respond when it does.
Modern organizations operate within a perpetual storm of uncertainty:
- Geopolitical volatility and shifting trade landscapes.
- Technological dependency creating fragile interconnections.
- Extended enterprise of complex relationships and dependencies.
- Regulatory complexity spanning jurisdictions and expectations.
- Societal and environmental pressures driving accountability and transparency.
In this environment, risk is not a variable to control; it is a condition to navigate. Strategic foresight, objective alignment, and operational preparedness form the triad of resilience: the ability to absorb disruption and emerge stronger.
Strategic Level: The Failure of Foresight
Strategic failure rarely begins with catastrophe; it begins with assumption. It begins when leadership mistakes stability for certainty . . . when confidence blinds foresight.
At the strategic level, organizations often fail because they design for predictability rather than adaptability and resilience:
- A company doubles down on a single market just before geopolitical tensions erupt.
- A financial institution assumes interest rates will remain stable, until they don’t.
- A manufacturer invests in efficiency at the cost of redundancy, eliminating resilience.
These are not poor decisions; they are incomplete decisions. They reveal the danger of treating the future as a linear extension of the past.
Strategic risk and resilience management is the art of living with uncertainty without being paralyzed by it. It demands that boards and executives engage both hemispheres of thinking:
- The left-brain that structures, measures, and plans.
- The right-brain that imagines, questions, and re-envisions.
The resilient strategist does not seek control, but coherence amid chaos, constantly testing strategic assumptions through simulation, scenario analysis, and cross-functional dialogue.
Failure at the strategic level is not a single event. It is the erosion of curiosity.
Objective and Performance Level: The Failure of Alignment
Between the boardroom and the front line lies the zone of objectives and performance, where purpose becomes execution. This is where organizations most often fracture: not because of poor intent, but because of poor integration.
Here, failure hides in misalignment:
- KPIs without KRIs — performance measured in isolation from risk exposure.
- Objectives detached from purpose — efficiency pursued at the expense of ethics or resilience.
- Fragmented accountability — where performance, compliance, and risk operate on different timelines and metrics.
The result is a silent drift between what the organization says it values and what it actually measures.
The answer lies in GRC — Governance, Risk Management, and Compliance: a unified model that views objectives not as fixed targets, but as dynamic relationships between ambition and uncertainty. It is a capability to reliably achieve and perform against objectives (governance), address uncertainty (risk and resilience management), and act with integrity (compliance).
A resilient organization continuously tunes its objectives to environmental signals. It understands that every success metric must be weighed against the volatility that sustains it.
Failure at this level is subtle but dangerous: it is the illusion of progress while risk accumulates beneath the surface.
Operational Level: The Failure of Execution
At the operational level, failure is most visible. It is where systems break, processes stall, and controls falter. Yet even here, the root cause is often not incompetence but complexity.
Operations today are a living network of technologies, suppliers, and people. A disruption in one node can cascade globally.
Examples abound:
- A single supplier’s disruption halts production for months.
- A cyber vulnerability, left unpatched, becomes the entry point for a systemic breach.
- An overly rigid process delays crisis response, because it was built for compliance, not agility.
These are not anomalies: they are the natural symptoms of complex adaptive systems under stress.
Operational resilience requires a shift from control mentality to capability mindset. From preventing every failure to ensuring that when failure occurs, it is absorbed without collapse.
That means embracing continuous testing, tabletop exercises, and micro-simulations, where failure is rehearsed, not feared. It means creating digital twins of the organization to simulate cascading risks and test response strategies in real time.
As I explored in Gamification of Risk: The Art of Role-Playing in Micro-Simulations and Digital Twins in a Complex Risk World, organizations must make risk experiential. People learn best not from instruction, but from interaction.
Gamification transforms risk management from a static compliance function into a creative rehearsal of resilience.
Thinking Beyond the Binary: The Right-Brain of Risk and Resilience
Risk management has long been dominated by left-brain logic: quantitative models, frameworks, and matrices. These tools matter, but they capture only half the picture.
The right-brain — intuitive, emotional, imaginative — is equally vital. It is what enables leaders to anticipate patterns that models cannot yet see. It is what fosters empathy, creativity, and the human connection that sustains organizations through disruption.
Resilience emerges from the balance between logic and imagination. It is both an engineering discipline and a human art.
By merging analytics with storytelling, simulations with strategy, and controls with culture, organizations develop not only stronger defenses but also more adaptive identities.
Small Failures, Big Consequences
History reminds us that small oversights often lead to the largest catastrophes:
- A faulty O-ring destroyed the Challenger.
- A single line of code triggered a global outage.
- A missed email escalated into a regulatory crisis.
The resilient organization treats near-misses as data, not as dismissible anomalies. It studies them, learns from them, and adapts . . . building an institutional memory that transforms failure into foresight.
Preparing for the Inevitable
The inevitability of failure is not a curse . . . it is a call to design for risk (uncertainty) and resilience.
Resilience is not about invincibility; it is about recoverability. It is about organizations that fail gracefully, learn continuously, and adapt dynamically.
The most resilient organizations are not those that avoid risk but those that understand it, engage with it, and turn adversity into evolution.
I’ll explore these ideas further at Gameday Ready, London and the Supplier Risk Resolution Workshop — diving deeper into how we can build strategic foresight, performance alignment, and operational adaptability in an age when failure is not an exception but a constant companion.
