Are businesses using the right tools to tackle risk?
At the heart of security is the question: What are the chances X will happen and what can be done to reduce those chances? This month’s cover story, “District Offers Security Lessons ," looks at how one school district is trying to reduce the threat of gang-related violence. While achieving that limited aim is no small feat, the country as a whole faces the far more difficult proposition of trying to reduce risk for the nation’s 18 critical infrastructure sectors.
Just deciding how to assess the threats, vulnerabilities, and potential consequences within and among sectors to identify and prioritize the risks that need to be addressed is a daunting task. The extent to which progress is—or isn’t—being made on that front is examined in this month’s homeland security feature, “How Vulnerable Are We?”. (subscription only)
The bottom line, however, is that, whether it’s from the gut or derived using computational software, risk assessment is subjective. As Henry Willis of The RAND Corporation said at a congressional hearing on applying risk management to terrorism policy, “the notion of a cold, analytic, actuarial risk assessment is largely a myth. Risk is a social construct that incorporates value judgments about context and cause.”
It makes sense that the Department of Homeland Security (DHS) “is striving to implement an approach where major decisions about investments, budgets, grants, planning priorities, operational posture, and security priorities are risk informed,” as explained in testimony by Robert Jamison of DHS. But we must not forget, as he noted, that “Managing risk depends on accepting uncertainty; managing risk does not mean eliminating it.”
Nassim Nicholas Taleb goes further, driving home the point in his book Fooled By Randomness that “we live in a world where important events [like 9-11] are not predictable.”
For that reason, a number of terrorism experts say that we should be giving at least equal weight to developing resilience—the ability to recover quickly from hits we didn’t see coming. James Carafano of The Heritage Foundation told the congressional committee that “The current paradigm of ‘protecting’ infrastructure is unrealistic. We should shift our focus to that of resiliency.”
Others don’t view it as an either-or choice. They see resilience as a component of risk management.
Another part of the equation is the need to manage public expectations. “[T]he public’s expectations and emotions can impact the effectiveness of response efforts,” said Norman Rabkin of the Government Accountability Office (GAO), discussing comments from a forum of experts convened by GAO to discuss risk management.
In addition, he said the forum called for an honest discussion with the public to reach “a consensus on an acceptable level of risk” for the country to take on.The problem with that last point is it creates the illusion that we can fine tune our exposure. As Taleb might say: Don’t be fooled.