Why Should I Consider Climate Change in my Risk Assessment?
by Ernie Hayden MIPM CISSP GICSP(Gold) PSP
I have been performing critical infrastructure risk assessments since the mid-1980s. Over time, these assessments and the assessment process have become even more sophisticated and comprehensive. However, I have observed an interesting omission in these risk reviews.
Please let me explain.
In my book Critical Infrastructure Risk Assessment: The Definitive Threat Identification and Threat Reduction Handbook, I talk about the classic risk equation. This equation is:
RISK = THREAT x VULNERABILITY x CONSEQUENCE
- Threat is defined as any event or circumstance with the potential to adversely impact an organization’s or facility’s operations, missions, functions, image, or reputation.
- Vulnerabilities are any weakness in a component or system that can be exploited by a threat source.
- Finally Consequence is related to the magnitude of harm expected to result from a particular event.
When approaching a risk assessment with this equation in mind, it is common for the analyst to spend time looking for the threats to a facility, inspecting for any vulnerabilities, and finally considering what the impact or consequence is after the threat hits the facility or organization.
Unfortunately, the more subtle aspects of climate change are not being included in the “normal” risk assessments. There is a tendency to look for physical and cyber security issues but a long view of the facility and the subsequent threats are often missed.
For example, a large facility built near the ocean may include emphasis on manmade threats such as insider attacks, outsider sabotage, etc. Even terrorism would be an obvious threat; however what about the natural threats?
Natural threats can include disease, pandemics, earthquakes, landslides or movements, and weather. With these the evaluator needs to include a long look on the consequences of climate change.
For instance, rainfall is a common weather event that can result in flooding. Unfortunately, climate change is causing some rainfall events to be catastrophic flooding events. A recent example was in the Northeast United States as the remnants of Hurricane Ida passed through. The New York City subway flooded and the New York Times attributed 43 deaths to Ida in four states.
A question: when doing a risk analysis of the subway or other critical infrastructure in New York and New Jersey, did any of the reviews take into account stronger storm events probably caused by climate change?
Lets look at the risk assessments and how they consider droughts due to climate change. Climate change is causing severe droughts in the Western United States even now. In April 2021 the Environmental Defense Fund observed, “More than 50% of Western drought conditions are categorized as either extreme or exceptional drought. Even more drastically, extreme and exceptional drought have comprised more than 75% of drought conditions across the Four Corners region (Arizona, Utah, Colorado, and New Mexico) since late autumn.”
What is a risk assessment evaluator to do? With this information and the example from Ida, I would suggest the risk assessment to include some very hard questions on how an organization is prepared for heavy rains and flooding along with drought and water shortages.
I believe once you include these questions in your assessment you will be surprised at how the risk equation calculates.
Doing a comprehensive risk assessment requires a long view and should include some hard questions about climate change impacts along with the usual threats from humans and “normal” weather.
Ernie Hayden, MIPM, CISSP, GICSP(Gold), PSP is a highly experienced and seasoned technical consultant, author, speaker, strategist and thought-leader with extensive experience in the power utility industry, critical infrastructure protection/information.
Ernie is author of the new book, Critical Infrastructure Risk Assessment: The Definitive Threat Identification and Threat Reduction Handbook.
In this chapter — The Power of the Observation — you will discover:
- An overview of the concept of an “observation.”
- The primary elements included in the observation as well as its format.
- Fundamental considerations when performing and documenting the observation including the power of one’s influence on the actions being observed, the need for critical thinking, and considerations on how the observation supports the risk assessment.
#erniehayden #criticalinfrastructure #infrastructure #riskassessment #climatechange