'Dark risk' can apply equally to the construction of new infrastructure or to the robustness of critical infrastructure to an external shock. The issue of 'dark risk' is growing with the trend to make infrastructure ‘smarter’, that is, more dependent on ICT; the resulting control systems may represent a small proportion of the costs but are inherently complex and widely connected, magnifying the consequences of a failure.
Tackling these ‘dark risks’ requires new approaches focused on uncovering the interdependencies between components of the infrastructure systems. Most infrastructure companies will already be familiar with enterprise or project risk management systems. These begin by determining current risks, the capacity of the organisation to absorb risk and the degree of risk deemed acceptable. They go on to identify potential risks, categorise them by severity and type, devise potential responses and implement a control and reporting regime. It is at this stage that it might be possible to anticipate the extreme event in advance rather than reacting to it afterwards. Despite the "unforeseen circumstances" excuse often applied in retrospect, it is likely that the circumstances were foreseen somewhere in the organisation, although not necessarily at the top.
The best way to access this information early is to adopt a non-confrontational approach where it is in the interests of staff to expose risks to examination rather than hide them. There are proven self-assessment processes for this. It may also be useful to recruit specialist outside assistance.
Risk management workshops can then be held to progress from risk identification to mitigation and estimation of the residual risk and its consequences. The workshops should think broadly – for example, a vehicle striking an aqueduct, a failing chemical plant co-located with a reservoir, or a flu pandemic. They should also allow staff and contractors to speak frankly and openly.
Yet even the most thorough examination of internal risks and compliance with the relevant civil contingencies advice may not be enough to elude potentially catastrophic risk at the systems level. Such risk could cause failures in interrelated systems. For example, a weather-related event could cause both utility systems and the GSM on which utilities rely to fail. Such systemic issues cannot be tackled at the company level but need co-ordination.
And what about cost? Clearly, risk management and continuity planning cost time and money. Avoiding a fall in share price is one incentive, but how else might this be self-financing? Ultimately a reduction in business volatility should lead to better credit ratings and hence a lower cost of capital. Ensuring revenue is robust and containing operating costs are also valid considerations.
However, these benefits will not accrue automatically. There is a need to demonstrate through modelling how reducing risk is worthwhile. It is possible to combine financial and engineering approaches, with consequences of the initial event being quantified using reliability engineering approaches such as failure mode, effects, and criticality analysis. This should include the systemic effects that might arise from the event occurring in other organisations. The results can then be related to revenue and costs. The benefits of mitigation can then be expressed in discounted cash flow form and used as a business case.
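The business-case calculation described above, as an added worked example that is not part of the original article: failure modes are ranked by expected annual loss, including the systemic share when the same event also hits a dependency in another organisation, and the loss avoided by mitigation is discounted into a net present value. The failure-mode names, all figures and the simplified criticality measure (likelihood times monetary consequence) are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class FailureMode:
    name: str
    annual_prob: float     # likelihood of the initiating event per year
    direct_loss: float     # lost revenue plus added cost inside the organisation
    systemic_loss: float   # further loss if a dependency in another organisation fails too
    p_systemic: float      # chance the same event also takes out that dependency
    mitigated_prob: float  # annual likelihood once the mitigation is in place

    def expected_loss(self, prob: float) -> float:
        # Simplified criticality: likelihood x monetary consequence, systemic part included.
        return prob * (self.direct_loss + self.p_systemic * self.systemic_loss)

def criticality_ranking(modes):
    """Failure modes ordered by unmitigated expected annual loss, worst first."""
    return sorted(modes, key=lambda m: m.expected_loss(m.annual_prob), reverse=True)

def avoided_annual_loss(modes):
    """Expected annual loss removed by mitigation across all failure modes."""
    return sum(m.expected_loss(m.annual_prob) - m.expected_loss(m.mitigated_prob)
               for m in modes)

def mitigation_npv(modes, capex, annual_opex, rate, years):
    """Discounted cash flow of mitigation: avoided losses less running cost, minus capex."""
    net = avoided_annual_loss(modes) - annual_opex
    return sum(net / (1 + rate) ** t for t in range(1, years + 1)) - capex

# Constructed sample data; every figure below is illustrative.
MODES = [
    FailureMode("vehicle strikes aqueduct", 0.005, 8_000_000, 0, 0.0, 0.001),
    FailureMode("storm floods pumping station, GSM telemetry also lost",
                0.02, 5_000_000, 10_000_000, 0.5, 0.01),
]

if __name__ == "__main__":
    for m in criticality_ranking(MODES):
        print(f"{m.name}: {m.expected_loss(m.annual_prob):,.0f} per year")
    npv = mitigation_npv(MODES, capex=150_000, annual_opex=32_000, rate=0.05, years=2)
    print(f"NPV of mitigation: {npv:,.0f}")
```

Setting `p_systemic` to zero for the storm case halves its expected loss, which shows how much of the business case rests on the interdependency rather than on the organisation's own assets.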