Preparing for resilience: analysing and treating risk

Resilience of infrastructure is moving up the policy agenda, according to a report published this year by the UK’s National Infrastructure Commission (NIC). The NIC considers resilience to be characterised by an ability to ‘Anticipate, Resist, Absorb, Recover, Adapt and Transform’. Dr Rupert Booth, Oxera Economic Adviser, examines the first element—‘Anticipate’. He considers the role of the economist in working with executives on the analysis and treatment of risk as the first step in creating a resilience strategy.

The NIC is not the first organisation to report on the topic of resilience in recent years.¹ Ofwat, the UK’s water regulator, published a report on the matter in 2017,² while the UK Office of Rail and Road has expressed concern this year that railway resilience has not kept pace with climate change;³ and Ofgem, the GB energy sector regulator, has produced a report on cybersecurity.⁴

The NIC’s report took a cross-sectoral, holistic view, identifying gaps in resilience standards and recommending the publication of ‘clear, proportionate and realistic standards’⁵ for the resilience of all major infrastructure sectors. Once these standards are published, infrastructure operators will have to adhere to them, using their own Enterprise Risk Management (ERM) systems and enhancing their business continuity plans.

Types of risks and uncertainties

The risks and uncertainties affecting major infrastructure sectors can be categorised as follows.⁶

• Event risk. An unexpected event may cause major disruption. Such an event might only be unexpected in terms of time, rather than type. For example, a global pandemic has long been predicted, and the COVID-19 pandemic has a relatively low case fatality rate compared to some earlier coronavirus epidemics; however, it has still caused significant disruption, because it was not expected within planning horizons. Less dramatic types of event risk include price shocks—such as changes in oil prices following a political event.
• Macroeconomic risk. This may follow an event or be due to cyclical changes. In either case, the consequence can be recession or even deflation, which will lower demand and profitability and increase default risks. However, macroeconomic risk can also refer, for example, to an overheated economy giving rise to inflation.
• Strategic risk. The strategic assumptions of a business can change—for example, through the emergence of product substitutes or new competitors. A common strategic risk is the digitisation of products and services, leading to the removal of intermediaries from the supply chain—an example is Amazon’s Kindle Direct Publishing, which offers both electronic delivery and print-on-demand, and which is a threat to traditional publishers.
• Demand-related risk. As noted above, events (e.g. the onset of COVID-19) can lead to a reduction in demand for some services (e.g. travel), while boosting others (e.g. broadband). At the macro level, the transit-oriented development paradigm of urban planning is now in retreat, as the earlier preference for highly dense urban communities is now reversed with a preference for suburban or rural living and working. This will require more costly infrastructure to service, such as broadband or roads.
• Supply and project risk. Disruption can lead to a shortage of supplies for operations, asset management, or the construction of new assets. ‘Supplies’ can include staff who can no longer work, leading to a reduction in operational capacity.
• Financial and market risk. For public companies, a fall in share price can trigger a takeover attempt. Many utilities are reliant on cheap debt financing, and a change in credit rating can affect the cost of new debt and hence profitability. Currency fluctuations can affect the cost of supplies.
• Regulatory risk. This is a two-sided risk involving either a failure to meet licence conditions or an unexpected response of the regulatory agencies (including the government) to new circumstances.

The risk-management process

With such a lengthy and diverse set of risks and uncertainties, operators require a framework for identifying and studying them. Such a framework is provided by an international standard, ISO31000. The first version was published in 2009, a product of the cooperation of 25 countries; work continued with the publication of an implementation guide in 2013, and a revised standard in 2018, along with a related guide on risk-assessment techniques in 2019.

Once the communication approach and context has been set (e.g. the organisation’s risk appetite and its relation to corporate strategy), the ISO31000 process involves the following steps.

• Risk identification, to identify sources of risk, vulnerabilities, and consequences. The output is a register of risks and supporting information.
• Risk analysis, to generate sufficient information to evaluate the risks, including the method of evaluation.
• Risk evaluation, which is the critical decision support stage, to prioritise risks and prioritise resources with the aim of reducing vulnerability to the risks and mitigating their consequences.
• Risk treatment, the enactment of the decisions taken during risk evaluation, leaving a residual risk that is deemed acceptable.
• Risk monitoring, the monitoring of residual risks, the effectiveness of treatments, and any emerging risks.

These generic principles are helpful, though more specific guidance on embedding the system in organisations is available from COSO, a US not-for-profit organisation that focuses on auditing. COSO has published a framework for ERM systems and additional guidance on their use.⁷

The role of economists in supporting executive management

So what is the role of economists in all of this? This is usually one of decision support—helping executive management to understand probability, risk and uncertainty. As noted in Sam Savage’s ‘Flaw of Averages’,⁸ it is not uncommon for managers to demand, ‘Give me a number!’—brushing away any notion of complexity. The number typically supplied will be the average or expected value of an uncertain outcome. However, as I illustrate in the first box—through an analogy of coin tossing, often used in the risk literature— relying on the expected value parameter alone is unwise.

The example in the first box shows that the simple notion of an ‘average’ (ignoring the distinction between an ‘ensemble average’⁹ and a ‘time average’) provides an incomplete picture, and that an understanding of the distribution of outcomes is essential—given the necessarily complex judgements made in evaluation of risk.

Even managing risk exposure using variances as well as means, as in classical portfolio theory, can be misleading. Consider two possibilities: (i) an investment yielding a 99% chance of a loss of £1 and a 1% chance of a gain of £99; and (ii) a second investment with a 99% chance of a gain of £1 and a 1% chance of a loss of £99.

The means and variances are identical, yet these are radically different risks, because the first has a positive skew (not dissimilar to pharmaceutical R&D or a national lottery) and the second has negative skew (similar to insurance or the financial carry trade).¹⁰ In addition to mean and variance, there is a need to consider the third and fourth moments—namely skewness and kurtosis,¹¹ features of ‘fat tails’ that are discussed below.

To reinforce the point that statistical skills are needed, the second box provides another famous example in which functional experts struggle with probabilities and Bayes’ theorem, which entails that extraordinary claims require extraordinary evidence.

Expert decision support is therefore essential if mistakes are to be avoided. However, the expert input also has to recognise the valid role that subjectivity and behavioural issues have in making decisions on the allocation of resources.

The role of subjectivity

On the issue of subjectivity, utility theory has a long history of accounting for the non-linear relationship between wealth and satisfaction; a generally concave relationship is observed, showing diminishing satisfaction for increased wealth. This is consistent with the risk aversion shown by most individuals and organisations.¹³

More recently, prospect theory recognises that most people are more sensitive to losses than gains,¹⁴ which is why the coin-flipping investment discussed in the first box above is unlikely to be attractive. Finally, there are the fields of behavioural finance and economics, which attempt to explain the irrational preferences of investors (or managers), and which contrast with traditional finance theory, with its emphasis on means and variances, and the hypothesis of the ‘rational economic man’.¹⁵

The role of the economist here is to act as an interpreter, making sense of subjective viewpoints and checking their validity, rather than trying to eliminate them. Ultimately, investor and consumer sentiment is subjective, and managerial judgements need to reflect this.

‘Fat tails’

‘Kurtosis’ refers to the ‘fatness’ of the distribution, and many real-life distributions have been shown to have ‘fat tails’—i.e. the frequency of extreme events is greater than is expected than for a normal (i.e. Gaussian) distribution. Fat-tail distributions may be power law or lognormal distributions (which apply to hurricane damages), or Pareto distributions (first observed in income distribution). In such cases, it is possible to use alternative approaches—such as a Monte Carlo simulation (‘MCS’), which can not only forecast a distribution of outcomes, but also examine path dependencies.

Spreadsheet packages for MCS are widely available.¹⁶ These approaches can be especially useful in business cases and cost−benefit analysis, where differences in opinion in costs and revenues can be captured in the distributions used for the independent variables, rather than requiring agreement between parties on single-point estimates.

A further twist to risk management occurs when new information is presented or expected. This creates the possibility of ‘keeping options open’ and option values that may require recognition in cost−benefit analysis. As the Treasury Green Book notes:¹⁷ ‘Real Options analysis is particularly applicable to proposals that exhibit significant uncertainty following initial investment, but where learning opportunities and flexibility in future decisions can help mitigate this’.

Qualitative methods

Risk analysis is not confined to quantitative methods—indeed, a qualitative analysis of risk usually precedes the quantitative analysis, to focus attention on where analysis will be most worthwhile. The qualitative analysis is typically undertaken by plotting risks on a 2×2 matrix showing ‘likelihood’ and ‘effect’. This analysis usually leads to different treatment approaches—for instance, a combination of low likelihood and low effect may well lead one to ‘accept’ a risk, while a combination of high likelihood and high effect could lead one to ‘avoid’ a risk.

For some risks, ‘transfer’ is an option—such as through insurance, which requires analysis of the balance of premiums and losses. A very common approach is to ‘reduce’ risk, either through lessening vulnerability or mitigating the consequences, though this may require investment and a cost−benefit analysis to confirm value for money.

Given that it may be difficult to estimate probabilities of major and infrequent events, another approach is ‘scenario analysis’, where alternative futures are envisaged. This allows organisations to assess the effects of hypothetical scenarios. One particular variant of scenario analysis is ‘stress testing’, where a combination of adverse circumstances is examined to assess robustness. This has been used by financial regulators and is given special mention in the NIC report, which recommends that ‘infrastructure operators should carry out regular and proportionate stress tests, overseen by regulators’.¹⁸

Reporting and monitoring

Once the analysis and evaluation stages are complete and management has taken decisions on risk treatment, it would be best practice to summarise the outcomes in a risk-management report that is used as a basis for ongoing monitoring. The report can also be a key input to the development of a business continuity plan.¹⁹

Applications

An analysis of risk is the foundation for the ‘anticipate’ stage of the resilience process. It also supports the creation of a realistic business continuity plan, which places an infrastructure operator on a good footing for discussions with the regulator, as it responds to the NIC recommendation that ‘infrastructure operators should develop and maintain long term resilience strategies’.²⁰ Equally as important, the existence of such a business continuity plan can reduce the level of operational risk within the operator itself, potentially leading to enhanced profitability.

The NIC report noted that ‘regulators should ensure their determinations in future price reviews are consistent with meeting resilience standards in the short and long term’.²¹ Robust analysis allows economists to highlight the incremental cost of implementing a resilience strategy and to determine whether incurring this cost is completely consistent with economic efficiency.

Furthermore, infrastructure operators may be engaged in litigation on many fronts, and it is worth developing the capability to quantify risks of adverse events and their likely costs.

Anticipating risks to improve resilience

As resilience to extreme events is being recognised as increasingly important to infrastructure operators, so the need increases for robust quantitative and qualitative analysis to estimate the likelihoods and consequences of risks. This Agenda in focus article has illustrated some of the wide range of tools that are available to executive management as they seek to manage the risks of their operations and prove their preparedness and resilience to regulators.

¹ National Infrastructure Commission (2020), ‘Anticipate, React, Recover: Resilient infrastructure systems’, May.

² Ofwat (2017), ‘Resilience in the Round: Building resilience for the future’, 14 September.

³ Office of Rail and Road (2020), ‘Annual Report of Health and Safety Performance on Britain’s Railways 2019/20’, 14 July.

⁴ Ofgem (2020), ‘RIIO-2 Cyber Resilience Guidelines’, 5 February.

⁵ Ibid., p. 11.

⁶ A risk is usually defined as an (undesirable, possible) outcome of an event, the probability of which can be predicted, whereas an uncertainty has an unknown probability. However, the two terms are often used interchangeably.

⁷ COSO (2020), ‘Creating and Protecting Value: Understanding and implementing enterprise risk management’.

⁸ Savage, S. (2002), ‘The Flaw of Averages’, Harvard Business Review, 80:11, pp. 20−1. See also the summary of Savage’s article in the online magazine of the Harvard Business Review.

⁹ An ensemble average is the average of many identical systems at a given time, whereas a time average is the average of a single system over a period.

¹⁰ A skew is positive when the right-side tail of a distribution is fatter or longer, and a skew is negative when the left-hand tail is longer or fatter.

¹¹ Kurtosis is a measure of fatness of tails of a distribution. A leptokurtic distribution has longer or fatter tails than a normal distribution, indicating a greater exposure to extreme events.

¹² Casscells, W., Schoenberger, A. and Graboys, T. B. (1978), ‘Interpretation by physicians of clinical laboratory results’, New England Journal of Medicine, 299, pp. 999−1001.

¹³ Moscati, I. (2016), ‘Retrospectives: How Economists Came to Accept Expected Utility Theory: The Case of Samuelson and Savage’, Journal of economic perspectives, 30:2, pp. 219–36.

¹⁴ Wang, L., Wang, Y. M. and Martínez, L. (2017), ‘A group decision method based on prospect theory for emergency situations’, Information Sciences, 418, pp.119–35.

¹⁵ Costa, D. F., Carvalho, F. D. M. and Moreira, B. C. D. M. (2019), ‘Behavioral economics and behavioral finance: A bibliometric analysis of the scientific fields’, Journal of Economic Surveys, 33:1, pp. 3–24.

¹⁶ For further information, see University of San Francisco (2020), ‘Spreadsheet Analytics: Monte Carlo Simulation’.

¹⁷ HM Treasury (2018), ‘The Green Book: Central government guidance on appraisal and evaluation’.

¹⁸ Ibid., p. 7.

¹⁹ The ISO 22301 International Standard for business continuity management provides further guidance.

²⁰ National Infrastructure Commission (2020), ‘Anticipate, React, Recover: Resilient infrastructure systems’, May, p. 7.

²¹ Ibid., p. 7.