NASA recently performed a worst-case scenario simulation demonstrating what would happen if a giant asteroid crashed into NYC. Although highly unlikely, NASA wanted the issue to be exposed and planned for, given natural disasters are one of the biggest threats to our civilization.
The simulation may seem unwarranted given the low probability of an attack, but just because something is unlikely to occur, doesn’t mean it does not carry huge consequences. Since asteroids are the only natural threats that can truly be prevented – there are technical ways to deflect them before they reach earth – why wouldn’t we take steps to protect the planet from an attack? NASA’s call for proactive risk planning should encourage organizations to manage enterprise risk the same way.
Risk events come in all shapes and sizes.
Risk comes in a variety of forms – financial, operational, strategic, tech, personnel and more. And though having a crystal ball is every risk manager’s dream, organizations never know what type of risk event is going to hit and when. This is why it’s important to proactively plan for all potential events, especially the ones that could cause severe damage — even if they seem unlikely. It’s often these events that hurt the most.
Terrorist attacks, asteroids and tsunamis are examples of low probability, high consequence scenarios – risk events that are unexpected but when they happen, the impact is extreme. Aside from societal concerns, the costs of such events can be significant, why is why they should be prioritized as part of a holistic and proactive risk mitigation plan. To put it in perspective, the five terrorist attacks the UK experienced in 2017 alone cost the UK economy €3.5billion.
Low probability, high consequence events are hard to plan for because it’s inherently difficult for organizations to determine cascading effects of such large unknown events in advance, and even more difficult to imagine the real human impact of the event in such a way to define next steps and procedures. The role of the organization in the aftermath of a high consequence risk event depends on its proximity to the situation– if located far away, it’s hard to support triage, evacuation and remediation. If close by, those things are much easier to support. Location can only be revealed, however, once the event occurs.
This is why most organizations are generally more prepared for the casualties of risk events that impact their own operations, such as interruptions to power or supply sources, or having to take a facility out of operation. These are the aspects organizations can contemplate, model, plan and respond to, regardless of things outside of their control such as an event’s duration or location.
It’s also impossible to identify all the potential sources and causes of high consequence events and prepare for each one. For example, if a utility tried to conceptualize everything and anything that could cause a large-scale power outage, it would be difficult to define all the steps and outcomes to prepare for each possible type of unique threat. It’s much easier to create a plan for managing the impact of an event, such as knowing what to do when the power goes out, regardless of what caused it. That’s a base level requirement for good risk management that goes a long way in being prepared for all types of risks.
Organizations aren’t powerless in the face of “asteroid-level” risk.
Integrated risk management (IRM) approaches can help companies better manage and plan for even the most unlikely, yet damaging risk events. This is because an integrated strategy provides a holistic view of all types of risk – financial, reputational, strategic, tech, personnel and more — allowing organizations to see the big picture, including where every potential threat could occur and the impact of that risk on the rest of the organization. This complete view is incredibly hard to conceptualize with the disparate tools, static information and siloed stakeholders typical of traditional risk management approaches.
Specific to low probability, high consequences events, IRM helps risk managers not feel powerless against the inherent difficulties of managing such situations by enabling better planning and understanding of impact analysis, continuity planning and procedure definition, and simulations and test exercises. This sets the business and the team up for as much smooth sailing as possible in the aftermath of a high consequence event because everyone understands the best way to address and manage the risk as it relates to the business, and their individual courses of action.
Even if an asteroid attack isn’t in your business’ future, it’s important to know how to deal with other high consequence events, as risks on this level rarely come with lead time.
Learn how integrated risk management can help your company prepare for risk events of all sizes.