We have been witness to every
major disaster in the last 40 years: from the pervasive East Coast power failure in the sixties, to the Blackout in New York
City in the seventies and the violence and vandalism that ensued, to the many hurricanes, tornados, floods, the Trade Center
bombing in 1993, 9/11, Katrina, the Washington Sniper, another major NYC power outage and the beat goes on. It is astonishing
to see that every time one of these events occurs, we pick ourselves up, dust ourselves off, and BURY OUR HEADS IN THE SAND.
There is a human tendency to return to the status quo. After 9/11, we were all hyper-alert and as the months and years have
gone by, we are no longer white-knuckling the commuter flight from DC to New York.
When engaging in a disaster preparedness
or business continuity exercise, typical planning includes predictable and probable events (and lower planning costs). Catastrophic
events are often left out because they are statistically improbable.
How improbable are the catastrophic
events that we have experienced over the last 20 years? If we look closely, in almost every instance of a catastrophic event,
there were red flags that might have strengthened the disaster preparedness or security efforts to address potential threats.
But it seems that, in many instances, those red flags were overlooked or discounted.
After the 1993 bombing of
the Trade Center, although stronger security measures were implemented to make it more difficult to get into the Trade Center,
the nature of the measures in no way addressed the scope of a 9/11 event. (Although, I am not sure how that would have been
possible.) How unlikely would 9/11 actually have been? Post facto analysis showed
failures in our preparation for and response to the event. Homeland Security
has implemented robust detection and forecasting systems to prevent a recurrence of a similar event on our soil.
Recently, our government
revealed that the Russians and others have penetrated our electric grid and planted grid-disabling code. Almost every week,
one reads of significant incursions by hackers into government agencies. One wonders how this can happen. Is our most vital infrastructure so vulnerable? Any number of movie-of-the-week plots come to mind. In
recent weeks, the government has addressed the serious red flag raised by the Russian incursion into the U.S. electric grid
by announcing the formation of an elite cyber security corps.
From rising tides and tornados
to terrorist events, from pandemic flu to rogue viruses, we have had repeated red flags. It
is easy to fall into complacency, to put our heads in the sand, and ignore the red flags. When we say these events are just
too overwhelming and costly to plan for, do we count the cost of the occurrence of these events? What is the cost to brand
and revenue of an event? If we do not address the red flags identified by risk systems; if we do not plan for the worst-case
impact of terrorist activities, of malicious hacking, the cost to our entire nation could be considerable.
Risk identification systems produce
red flags to identify action-requiring situations. We see red flags that have been ignored, resulting in failures of various
kinds. In the securities industry, we see firms with elaborate, regulatorily mandated supervisory procedures that ignore the
alerts raised by their risk systems. Our current economic problems and failures of large firms were portended by risk systems
at least 18 months before the major bank failures. If risk identification systems identify red flag situations, where is the
accountability for ignored flags?
Similarly, the kinds of events
that have been occurring are not just in the nature of the 500-year flood event: that is an event that is rare but predictable.
What we have been experiencing lately are events that go beyond our imagining. How do you plan for the metaphorical 500-year
events? Or plan for the unthinkable? The
red flags have been raised. So perhaps you do not build the best levees possible, but you do something to get you part of
the way there. And you have good, sound disaster planning for the improbable that gets you the rest of the way there. Planning for every predictable event is just not practical. Therefore, an approach that develops
a generic infrastructure response is the best way to plan for either likely or unlikely events. Redundancy in communication
and electric power, evacuation and relocation capability: basic but flexible preparedness not specific to any one type of event.
One thing we have learned from
Katrina and 9/11 is the broad economic impact of such different kinds of 500-year events. This should motivate us to consider
generic capabilities that soften the blow when the next event occurs. We read daily warnings of cyber incursions, likely climate
change, rising tides: the red flags have been raised.