“All levels of government failed in its obligations.” So said Sen. Susan Collins (R-Maine), chair of the U.S. Senate’s Homeland Security and Governmental Affairs Committee. In a joint press release with Sen. Joe Lieberman (D-Conn.) announcing an investigation into the federal relief efforts for Hurricane Katrina, they said they would focus—just as after 9/11—on the question “How could this have happened in America, and what must our government do to make sure to the best of our ability that nothing like this national nightmare ever happens again?”
While answering this question is important from the perspective of risk-management lessons learned, it will be woefully inadequate if we don't ask a set of more fundamental questions: “What is the obligation of government—local, state, and federal—to manage its citizens’ risk? What are U.S. citizens’ expectations in regard to management of their risk? What is the nation’s risk appetite and risk tolerance? How much risk management is enough? Can the government protect its citizens from all their risks, and even if it can, should it? What are the responsibilities of individuals to manage their own risk?” Without addressing these and similar questions, we are likely to end up with more poorly conceived and costly risk mitigation strategies that will actually increase risk.
As Harvard Business School professor David Moss points out in his book When All Else Fails: Government as the Ultimate Risk Manager, the U.S. government over the past century has increasingly taken over the role of ultimate risk manager. As Moss notes, “risk management constitutes a potent and pervasive force of public policy,” one that goes far beyond preventing terrorist attacks or responding to natural disasters, to all aspects of our lives. From the Food and Drug Agency trying to manage the risks associated with obesity to the Consumer Product Safety Commission looking out for unsafe products to the Department of Agriculture testing for mad cow disease, the business of government has been more and more the business of managing risk. Instead of risk manager of last resort, the expectation voiced by Collins, Lieberman, and other politicians is for the government to be the risk manager of first resort.
However, there are limits to what the government can realistically do. Can New Orleans be protected forever from Category 5 hurricanes? Even if feasible purely from an engineering perspective, is it worth the cost? Are there other, better alternatives to spending the country's resources than trying to achieve this goal?
Plus, if it is decided that New Orleans must be protected, then what about similarly protecting Miami, Houston, Gulfport, or Biloxi? What about protecting San Francisco, Los Angeles, or Anchorage from an earthquake measuring 7.9 on the Richter scale? Or shielding Oklahoma City from an F-5 tornado, Davenport from raging Mississippi floodwaters, or Tacoma from both an eruption of Mt. Rainier and an earthquake? Don’t they all deserve the same level of protection from risk?
Should the government spend resources to protect us from these and other risks, or should it focus on improving its response capability? And what about government policies that actually create risk, by encouraging citizens to build in coastal or flood-prone areas where disasters are natural and recurring events?
If it is going to act as risk manager of first resort, then the U.S. government, at all of its levels, must articulate its risk priorities to its citizens. For instance, when the government says it has an obligation to protect public health and safety, it must define what this obligation means in practice, not political-speak. The government has to draw a bright line describing which risks it will try to anticipate and act to prevent and which risks it can only react to. In these latter cases, the government must forcefully articulate its expectations in terms of what it can and cannot reasonably do, and just as forcefully articulate what it expects are the risk-management responsibilities of its citizens.
For example, if these “react to only” risks are in the nature of hurricanes like Katrina, future terrorist attacks, or a bird flu pandemic, then the government is obliged to make it clear that all but the very neediest citizens are going to be on their own for five days, two weeks, or some other prescribed time period. Then no one will be under the illusion that the government can control risks that it can not, nor guarantee a risk-free life where it will make a “person whole” once more after such events occur.
So far, the congressional and White House reports describing the government’s risk assessment and management actions prior to and after Katrina have failed to address the fundamental issue of risk and responsibility, let alone spark a national conversation on the subject. This is an opportunity wasted, which if a bird flu or some other pandemic or natural disaster occurs, we all may come to regret.
Paraphrasing the late Peter F. Drucker, an economist and professor, managing risk is not about future decisions but about the future of present decisions. Unless we have an open and honest national debate on the roles, responsibilities, and expectations of government and its citizens in terms of risk—and decide which risks and responsibilities are whose—we might as well plan the next Senate oversight investigation now.
About the Author
Robert N. Charette is president of ITABHI Corp., a risk-management consultancy in Spotsylvania, Va. An IEEE member, he is the author of several books on risk management and chair of the ISO/IEEE committee revising the 16085 standard on software and systems engineering risk management.