Over the past week or so I’ve been following the pirate attacks on international shipping off the east coast of Africa.  As I was listening to the news coverage a few statistics were given.  While I couldn’t write them down immediately these were the notes that I took as soon as I could pull over and find a pen. 

Every year there are approximately 80 successful pirate attacks off the coast of Somalia.  (The number of unsuccessful attacks is higher.)  This may sound like a lot, but compare it with the estimated 300,000 commercial vessels that pass through this section of ocean: it amounts to 0.027% of the traffic.  It would take 3,000 successful attacks before you would reach 1% of the estimated commercial traffic in that region.  Now I’m not sure what the statistics are worldwide, but my guess is that the ratio would be about the same.

As I was listening to the coverage I began to think about the parallels with other kinds of risk management.  It sounds cold, especially considering all of the human interest pieces the media has been doing on Captain Richard Phillips and his crew, but it is no different than the decisions that business leaders make daily on how their critical information is protected.

Situations like these tend to put risk-based decisions into perspective.  The decision makers at the A.P. Moller-Maersk Group now have a different perspective on the risk of piracy than they did two weeks ago.  Now I’m not deriding the decision makers at the A.P. Moller-Maersk Group.  Up until now I would bet that their decisions were based upon quantifiable numbers and in line with their industry’s best practices.  In other words they have taken a risk-based approach that has worked. 

Worked?!? – you say.  Yes, it has worked.  By all accounts some crews have been trained in how to respond to pirate attacks and thus have been successful in avoiding or thwarting the occurrence of this risk up until now.  (Another good example of this is the evasion of another pirate attack conducted against another U.S. flagged ship within the past 24 hours.)  It is a common fallacy that risk management is about the elimination of risk.  Risk management is not about the elimination of risk but rather its reduction to acceptable levels.  The risk still exists, albeit in a reduced form.

This then uncovers two important concepts:

· Risk can never be totally eliminated – it can only be managed to acceptable levels; and

· Perception is as large an influencer of decisions as statistics and other forms of measurement.

In the coming weeks I’ll take some time to explore these two concepts in relation to information risk management. 
