The most dangerous failures are not large single events. They are sequences of smaller events that each make the next more likely.
The Cascade Structure
Most serious institutional failures are not produced by a single large shock. They are produced by cascades — sequences of events in which each failure creates the conditions that make the next failure more likely or more severe. The initial event is often modest (a system overload, a relationship breakdown, a resource constraint) and would be manageable in isolation. What makes it a cascade initiator is its interaction with conditions in the wider system: the dependencies that propagate its effects, the buffers that have been depleted, the safeguards that have been eroded, and the responses that each partial failure triggers in the actors trying to contain it.
Understanding cascade dynamics requires understanding systems: how the components of a system are connected, what the feedback loops are, where the buffers are and how depleted they are, and which failure modes trigger compensating responses that inadvertently amplify the original failure rather than damping it. These are questions that event-based risk analysis does not naturally ask, which is why cascade failures consistently surprise institutions whose risk management was designed around the assessment of discrete events rather than the dynamics of connected systems.
Cascade Enablers
Cascades require enablers — conditions in the system that allow a contained failure to propagate into a larger one. Tight coupling is the primary enabler: the design of systems in which components are so closely integrated that the failure of one immediately stresses others, with insufficient time or buffer for containment before propagation occurs. High utilisation is the secondary enabler: the operation of systems at or near capacity, so that the additional load produced by a partial failure cannot be absorbed by the system's slack and must be transferred to adjacent components. Opacity is the tertiary enabler: the absence of visibility into the propagation dynamics of a system, so that the cascade is discovered at a late stage when containment options are already limited.
Cascade Interruption
Cascade interruption — the design of systems that can contain a failure at an early stage before it propagates into a larger one — requires the inverse of the cascade enablers: loose coupling that allows components to fail without immediately stressing others, operating slack that can absorb the additional load that a partial failure transfers, and visibility into propagation dynamics that allows early detection and response. Each of these design choices has a cost: loose coupling reduces system efficiency, operating slack increases resource requirements, and visibility investments consume analytical capacity. The cost is the price of resilience, and its justification is the expected cost of the cascades it prevents.
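The interaction between coupling and utilisation described under Cascade Enablers and Cascade Interruption can be made concrete with a small load-redistribution model. This is an added illustration, not part of the original essay. The ring layout, the equal capacities and the rule that a failed component's load passes to its nearest surviving neighbours are assumptions of the model, and opacity is not modelled.

```python
from collections import deque

def simulate_cascade(n, utilisation, coupling, capacity=1.0, initial=0):
    """Fail one component in a ring of n and return the failure order.

    utilisation: fraction of capacity each component carries beforehand.
    coupling:    fraction of a failed component's load that is pushed onto
                 its neighbours (1.0 = tight; lower values = load is shed
                 or queued instead of transferred).
    """
    load = [utilisation * capacity] * n
    failed = [False] * n
    failed[initial] = True
    queue = deque([initial])
    order = []
    while queue:
        i = queue.popleft()
        order.append(i)
        # Find the nearest surviving component on each side of the ring.
        neighbours = []
        for step in (-1, 1):
            j = (i + step) % n
            while failed[j] and j != i:
                j = (j + step) % n
            if j != i and j not in neighbours:
                neighbours.append(j)
        if not neighbours:
            continue  # nothing left to absorb the load
        share = coupling * load[i] / len(neighbours)
        for j in neighbours:
            load[j] += share
            if load[j] > capacity:  # no slack left: the failure propagates
                failed[j] = True
                queue.append(j)
    return order

if __name__ == "__main__":
    # Constructed scenarios: ten components, one initial failure.
    for label, u, c in [("slack, tight coupling", 0.6, 1.0),
                        ("high utilisation, tight coupling", 0.9, 1.0),
                        ("high utilisation, loose coupling", 0.9, 0.1)]:
        print(f"{label}: {len(simulate_cascade(10, u, c))} of 10 failed")
```

In this model the same initial failure stays contained at 60% utilisation, takes down all ten components at 90%, and is contained again at 90% once only a tenth of the failed load is transferred.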
The cascade failure is the failure that the risk register showed as ten small risks, each individually manageable, without showing how their simultaneous materialisation would interact to produce a loss that none of them individually could generate.