NEW YORK — A decade of disasters from Hurricane Katrina to the 2008 financial crisis to Superstorm Sandy, coupled with the onset of cyber risk, has perceptibly altered the way some risk managers approach risk.
Whereas many sought to squelch risk at its source, this view has gradually given way to a more nuanced view that — because risk cannot entirely be avoided — a risk manager's primary efforts should entail building an enterprise robust enough to withstand risks when they do occur.
Stephen E. Flynn, Boston-based professor of political science and director of the Center for Re-silience Studies at Northeastern University, said a process-based, rather threat-centric approach works best in prudent risk management.
“In the latter half of the 20th century, we seduced ourselves into thinking that we could reduce risk to near zero,” Mr. Flynn said, during a keynote speech at Business Insurance's Risk Management Summit in New York this month. “In the process, we started to lose some of skill sets we need when a risk does manifest itself.”
Accordingly, risk managers need to concentrate efforts on making systems resilient through better internal modeling, design and planning, Mr. Flynn said. For example, while it may be impractical to provide backup generator power for the entirety of a company's operation, a resilient system design would enable a risk manager to direct power to only the most critical places.
“Pre-event, we have to model our systems and then do resilient design,” he said. “We can bake-in resilience. There is a big difference between 10% of your power available and having no power.”
In a separate keynote, Tom Ridge, former secretary of the U.S. Department of Homeland Security, struck a similar chord about the need for a holistic approach to risk. Mr. Ridge, president and CEO of crisis management advisory firm Ridge Global L.L.C., said that one of the keys to effective risk management is proper emphasis on the seemingly mundane aspects of the role such as response planning, employee training, and penetration testing. “You have to go from a reactive mindset to a preventive one,” he said.
Mr. Flynn said Superstorm Sandy's powerful punch to Manhattan proved instructive in how a wider focus on resilient systems can be more effective than a focus of mitigating individual risks. The risk manager who wisely chose to pile sandbags in front of a facility to stop storm surge may well have succeeded in keeping the building dry to little avail, he said. “A dry building is no good if nobody can get to work,” he said. “It's not the assets we are seeking to protect, it is the functions they provide.”
Thus, Mr. Flynn said companies should not just evaluate the vulnerabilities of critical systems but also the consequences arising from their disruption. “We need to work our way through interdependencies,” he said.
Mr. Flynn said efforts by information technology departments to combat cyber risk can provide a useful template for risk managers in general. “Nobody involved in cyber security thinks we can stop all hackers,” he said. “Many of the concepts of cyber security need to migrate elsewhere.”
Mr. Ridge, also a former Pennsylvania governor, cited cyber risk and terrorism as the defining risks of the era. He stressed that organizations must designate sufficient resources for proper risk management and establish clearly defined policies to measure those efforts. “What is the governance model you have established for building a resilient enterprise?” he asked the audience of mainly company risk managers. “This has to be a C-suite priority.”
Even with the appropriate resources, risk managers will need to carefully evaluate how they deploy them both before and after an event. Mr. Flynn cited the effort by Verizon Communications to replace its aged copper wire-based infrastructure in New York City with more resilient fiber optic cables in the wake of Sandy, as a good example of how risk managers can effectively marshal resources after a disaster.
“With a holistic approach not only can you come back but can use crisis as opportunity,” he said.