In Depth
Understanding Risk, Post-Katrina
FEMA's disastrous handling of Hurricane Katrina's aftermath was all the more galling because the scenario was long foreseen. So what catastrophe should DHS plan for next? We pick apart the risk equation.
By Sarah D. Scalet
Figuring out probabilities is also intensely political. Just consider the debate about the role of risk in divvying up federal DHS funds. Uproar over the funding formula started when an early budget proposal would have given landlocked Wyoming seven times as much funding per capita as New York State, and it hasn't stopped yet.
Even trying to figure out terrorism probabilities is intensely political. Retired Adm. John Poindexter's controversial FutureMAP proposal, part of the disbanded Total Information Awareness program, would have established a futures exchange where terrorism experts could "bet" on national security scenarios, thus yielding probabilities about which were considered the most likely. Critics railed against this program as a "terrorism betting parlor," and the project was canned.
This inability to figure probabilities opens the door for spending on terrorism to be driven not by logic, but by mainstream media, hysteria, local economics—and, of course, politics.
The good news, if you can call it that, is that determining probabilities with very low numbers may not necessarily be worth the time anyway. "You have something called ALE: average loss expectancy," says security pundit Bruce Schneier, CTO of Counterpane Internet Security. "You multiply the probability of an event happening with the amount of damage you'll incur, and that'll tell you how much to spend on security. When you deal with events that have a very, very high damage [amount], and a very, very low probability of occurrence, you multiply infinity by zero and get whatever you want."
All of which is why the more important question to ask may not be "What's next?"—although that's an enticing question—but "What's the set of potential consequences?" "I believe with great passion that everything is hard to predict," says Peter Bernstein, financial market guru and author of the best-seller Against the Gods: The Remarkable Story of Risk. "We never know what the future holds. When I say that to people, their heads go up and down, but they still act as if they know what the future holds.
"We don't know what's going to happen," Bernstein continues, "but there's a range of outcomes out there. The ones that may make a difference are the ones you really have to make preparations for. If someone is walking around my house with a lit match, I have to worry about it. It doesn't mean my house is going to burn down, but if it does, it's going to be a disaster."
Tim Williams, CSO of Nortel Networks, says he simply wouldn't want to discard any risk as a low-probability one. "In this day and age, it's hard to determine what's a low-probability event, given what we've seen over the past years," he says. "When you see all the issues that have occurred, such as war and natural disasters, the tsunami and all the rest—those were all low-probability, but they happened. I think our whole concept of recognizing what are low-probability and high-impact events has substantially changed. The universe of what can happen is much larger. We've had our minds opened."



