Risk management & low probability-high impact events
Risk management is process for controlling exposure to security & safety risks. It is an important function in organizations as corporations undertake increasingly complex & ambitious projects in uncertain & often risky environment.
It can be challenging for those in authority to use the best available evidence & professional advice to identify, assess & mitigate plausible high risk scenarios in capability planning. This is particularly difficult for low probability high impact risks which, by their very nature, are difficult to identify or occur only infrequently. Management needs to identify & mitigate risks arising from a wide range of non-malicious hazards & malicious threats. In this context, the overall challenge for management is the ongoing review & improvement of risk management.
Extreme risks are risks with very bad outcomes – high consequence or high impact – but of low probability of occurrence. They include the risks of terrorist attacks & extreme natural disasters such as major earthquakes & hurricanes.
Within the past 6 weeks, there were 2 major events which fell into this “low probability-high impact” category.
In New Zealand, on Friday, 15 March 2019, a right-wing extremist armed with semi-automatic weapons rampaged through two mosques in Christchurch during afternoon prayers, killing 50 worshippers & wounding another 50. The attacker live-streamed footage of himself going room-to-room, victim to victim, shooting the wounded from close range as they struggled to crawl away.
The attack was totally unexpected. In New Zealand there have been very few terrorist incidents & the terror threat is generally regarded as very low. Before the March 15 2019 event, the last terror related events were the Rainbow Warrior Bombing in 1985 & the Wellington Trades Hall bombing in 1984.
In Sri Lanka, on Sunday, 21 April 2019, as yet unidentified terrorists used suicide bombers with IEDs to attack churches and hotels in Colombo, killing 311 & injuring another 500. An attack of this scale upon Christians at Easter during an extended time of peace & prosperity is out of character & shocked the nation. There were a total of 8 explosions. The first 6 explosions occurred just as church services were starting. Another explosion south of the capital happened later & there was an 8th explosion at the house that was the subject of a police raid in Colombo. Many of the attacks were carried out by suicide bombers. Although there have been a marked increase in discrimination, threats & violence against Christians, the VBIED attacks in the churches on Easter Sunday were unexpected.
Bombs & bloodshed are certainly not new in Sri Lanka. Next month marks a decade since the end of Sri Lanka’s 26-year civil conflict with the Liberation Tigers of Tamil Eelam, a militant organization, who wanted to carve out a separate Tamil state called Tamil Eelam in the north & the east of Sri Lanka. The conflict between Sri Lanka’s government forces & armed Tamil rebels raged for nearly 60 years, killing an estimated 80,000-100,000 people. Since then, the country had not experienced an act of terrorist. A decade of peace had lulled the security agencies into a state of complacency. Nobody really thought a terror attack could occur but it did.
Terrorist incidents are all low probability-high impact events. It is impossible to predict where &/or when the next terror attack will take place. But, such incidents invariably result in high fatalities & casualties because soft targets with plenty of people are selected. As such, it is always highly recommended to have contingency plans in place.
The Risk Impact/Probability Chart provides a useful framework that helps responsible managers decide on which risks require immediate attention.
The Risk Impact/Probability Chart is based on the principle that a risk has 2 primary dimensions:
- Probability– A risk is an event that “may” occur. The probability of it occurring can range anywhere from just above 0% to just below 100%. It cannot be 100% because it would then be a certainty, not a risk. Likewise, it cannot be 0% or it would not be a risk.
- Impact – A risk, by its very nature, always has a negative impact. However, the size of the impact varies in terms of cost & impact on health, life, or some other critical factor.
- Low probability-low impact– Risks are low & can be ignored.
- High probability-Low impact– Risks are moderate. If things happen, you can cope with them & move on. Nonetheless, efforts should be made to reduce likelihood of occurrence
- Low probability-High impact– Risks are high if they do occur, but are very unlikely to happen. Nonetheless, efforts must be made to reduce the impact they will cause if they occur. Contingency plans must be in place. Black swan events are occurrences that falls outside the range of normal expectations. Even though the probability is low, when a high impact event come along, the impact is significant. Unanticipated & consequential events carry enormous impact.
- High probability-High impact– Risks are critical. These are top priorities & must be attended to immediately.
To reduce the impact in low probability-high impact events, it is imperative to identify vulnerabilities & reduce the likelihood of their exploitation. Other impact reducing steps include:
- Emergency Response
- Relief & Recovery