On the morning of September 11, 2001, Wharton Professor Howard Kunreuther was bicycling along the Hudson River in New York City. He had arrived just a week before from Philadelphia to spend a sabbatical at Columbia University’s Earth Institute. As he was riding, he was thinking about a questionnaire on catastrophic risks sitting back on his desk.

The topic of low-probability/high-consequence events had occupied Kunreuther’s thinking for more than two decades. As co-director of Wharton’s Risk Management and Decision Processes Center, he had wrestled with the implications of chemical disasters, earthquakes, siting nuclear waste facilities, as well as insurance, building codes, and other protective measures. This topic was what brought him to New York, but he had no idea how that day would bring him right into the heart of the issues of catastrophic risk and protection.

An avid cycler who normally bikes to his Wharton office, Kunreuther was listening to his Walkman as he rode along the river. He heard a report that a small plane had hit the World Trade Center. It took him a little while to understand the full extent of what happened, and while the Columbia campus was far enough away from Ground Zero that he experienced little direct fallout, his life and his work were changed completely. Not only did that day bring catastrophic risk front and center on the agenda of businesses and policymakers, Kunreuther’s examination of that tragedy fundamentally changed the way he looked at these challenges. It led him, along with a few colleagues, to develop a new theory of “interdependent security” that is now influencing the national debate on how best to protect society from terrorism and other risks.

“September 11 changed my life,” Kunreuther says. “In October, we were supposed to go to China for a month with Wharton, but I realized there was no way I could go. To leave New York City at that time didn’t make any sense, given that the ultimate low-probability/high-consequence event had occurred there.”

Sprinkler Systems, Airline Baggage, and Interdependent Security

A short time later, Kunreuther was having lunch with Geoffrey Heal, an economist at Columbia. They were talking about a problem that long had interested Kunreuther: the interdependent nature of security. Suppose you live in an apartment building and want to invest in a sprinkler system to receive a lower insurance rate. The problem is that, even if you purchase a sprinkler system for your apartment, if your neighbor doesn’t make the same investment, his apartment next door could still catch fire and destroy your home. Your security is dependent on the actions of your neighbors, and the insurers will not reward you with as low a premium if they know that your apartment unit is vulnerable due to the possibility of contagion from others.

Airlines face a similar situation in baggage screening. Even if an individual airline invested in creating a tight baggage screening system, it is only as strong as its weakest link. The bomb that made it onto the Pan Am flight that exploded over Scotland in 1988 arrived via a loosely protected airline that connected to the tragic flight. If some airlines don’t invest in security, other airlines have much less of an incentive to do so. Unless everyone has an incentive to invest, no one has an incentive to invest.

“We spent the month of October thinking about that problem,” Kunreuther says. “When we started thinking about it, it raised a whole variety of other problems.” One distinctive aspect of these catastrophic disasters is that the risks are extremely high, and nonadditive. “You can only die once, your apartment can only be destroyed by fire once, and it takes only one bomb to destroy an airplane,” he says. “This type of problem has a very simple game theoretic solution: if everyone else invests in protection, you will also want to; but if no one else does, then you won’t. The interesting question is whether one is able to develop strategies short of formal regulation to convince some individuals or firms to take protective actions and encourage others to do the same. One needs to find a tipping point and then make good things happen.”


No Prisoners’ Dilemma

The dynamics of these catastrophic risks make the situation and its solution very different from the well-known “prisoners’ dilemma.” In the prisoners’ dilemma, which might apply to a challenge like investment in reducing pollution, neither party has an incentive to invest in measures to reduce pollution individually, yet they would all be better off collectively if everyone invested. In this case, the players will not resolve the situation left to their own devices. Regulation can sometimes fill the void, forcing individual companies to make decisions that are in the general interest.

But catastrophic events that rely upon interdependent security have a different dynamic. First, they are probabilistic, so the consequences are not known. Second, at a certain tipping point, both sides will want to invest; and once they make these investments, they don’t have an incentive to back off from them. Once everyone in the apartment house has a sprinkler system or every airline is checking baggage thoroughly, there is no incentive to dismantle the system.

So the question is: How do you bring the system to the point where the players choose protection? If you rely upon free markets alone, individuals and companies will underinvest in protective measures that only help if everyone does them. On the other hand, regulation and legal action are very expensive.

Kunreuther and Heal developed an approach to this challenge of “interdependent security” that uses a combination of regulations, insurance, and third-party inspections to tip the balance toward protection at a reasonable economic cost. As they write with colleague Peter Orszag in a Brookings Institution Policy Brief, “When security is interdependent, firms acting on their own may choose not to invest in risk-reduction measures even though they all would be better off if they did.”
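The tipping dynamic described above can be made concrete with a toy model. The following is an added example, not code or figures from Kunreuther and Heal or from this article; the payoff form, the parameter values, and the function names are assumptions chosen for illustration. It generalizes the two-neighbor apartment case to n identical firms.

```python
"""Added illustration: a toy n-agent interdependent-security game.
All parameters and the payoff form are assumptions, not from the article."""


def wants_protection(cost, p, q, loss, unprotected_others):
    """Best response of one agent.

    Assumed payoffs (loss is non-additive: it can happen only once):
      protect:      cost + loss * P(contagion from an unprotected other)
      don't:        loss * P(own incident or contagion)
    which reduces to: protect iff cost < p * loss * (1 - q) ** k.
    """
    return cost < p * loss * (1 - q) ** unprotected_others


def settle(n, cost, p, q, loss, mandated=0):
    """Agents 0..mandated-1 are forced to protect (e.g. by regulation);
    the rest best-respond in turn until nobody changes. Returns the
    number of protected agents at the resulting equilibrium."""
    protected = [i < mandated for i in range(n)]
    changed = True
    while changed:
        changed = False
        for i in range(mandated, n):
            k = sum(not protected[j] for j in range(n) if j != i)
            choice = wants_protection(cost, p, q, loss, k)
            if choice != protected[i]:
                protected[i], changed = choice, True
    return sum(protected)


def tipping_point(n, cost, p, q, loss):
    """Smallest number of mandated agents after which all n protect."""
    for m in range(n + 1):
        if settle(n, cost, p, q, loss, mandated=m) == n:
            return m
    return None


if __name__ == "__main__":
    # Constructed numbers: 10 firms, loss 1000, protection costs 120,
    # own-incident probability 0.2, contagion probability 0.1 per neighbour.
    args = dict(n=10, cost=120, p=0.2, q=0.1, loss=1000)
    for m in (0, 4, 5):
        print(f"mandated={m:2d} -> protected at equilibrium: {settle(mandated=m, **args)}")
    print("tipping point:", tipping_point(**args))
```

With these constructed numbers, nobody protects voluntarily, mandating four firms changes nothing for the rest, and mandating a fifth causes every remaining firm to protect on its own; once all are protected, no firm gains by dropping protection.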

For companies, there are similar interdependencies within organizations that could lead to business disasters. For example, Arthur Andersen was sent into bankruptcy because of the action of a relatively independent unit in Houston, and the Barings Bank in London was destroyed by the actions of a single trader in Singapore. In these cases, the autonomous players within the company had incentives to pursue their individual interests even when they threatened the security and survival of the larger organization. “One of the most important things that managers should take away is the recognition of the interdependencies and complexities within an organization, if each division is operating in a semiautonomous fashion,” Kunreuther says.

In addition to these internal concerns, managers have to recognize that to address problems such as security, they may need to look beyond the borders of their own organizations. “There is also need to cooperate outside the organization,” he says. “Think in terms of associations and the important role they can play. Appreciate the importance of public/private partnerships, regulations, subsidies and fines, taxes, and third-party inspections.”

Risk Management: Bhopal, Chernobyl, Valdez, WTC

How do individual companies protect themselves from natural disasters, accidents, or terrorist attacks that could sink their businesses? The field of risk management has developed rapidly over the past few decades, spurred on by a series of well-publicized disasters. Risk management arrived in force in the chemical industry with the leak of poisonous gas at a Union Carbide plant in Bhopal, India, in 1984, which killed more than 3,000 people and injured thousands of others in the surrounding villages. In 1986, the meltdown and explosion at the Chernobyl power plant in the Ukraine and the Exxon Valdez accident in 1989 hammered home the importance of risk management.

“People realized then it could sink a company,” says Paul Kleindorfer, co-director of Wharton’s Risk and Decision Processes Center. “A major company, Union Carbide, with 111,000 employees disappeared from the planet because of Bhopal. This was a gripping, chastening experience. These incidents gave rise to the whole risk management paradigm and particularly the crisis management side of it.”

While risk management was well recognized in safety-intensive and environmentally sensitive industries, it wasn’t until the terrorist attacks on 9/11 that managers realized every company needs to be concerned about this issue. Terrorist attacks also expanded imagination about potential risks. Kleindorfer humbly points out that while he has written ten books on the postal service, not one of them recognized the potential for a few letters containing deadly anthrax spores to bring the entire system to its knees.

How do companies address these challenges? The standard risk management paradigm that has emerged follows four key phases:

• Vulnerability and threat assessment: Understanding what parts of your system are vulnerable to natural disasters or terrorist attacks.

• Risk assessment: Once you can see the vulnerabilities, you need to determine which ones are most important so you can focus on the big ones.

• Risk management: These risks can then be managed either by mitigating the risks themselves through strategies such as hardening the facility and containment, or by mitigating the consequences through mechanisms such as insurance.

• Crisis management: These are the plans for responding quickly and effectively to disasters and other crises.

Duct Tape and Denial

Strategies for interdependent security and risk management planning all look well and good on paper, but the uncertainty of the environment also leads to less rational reactions – particularly when it comes to life-and-death decisions. Anyone who doubts this only has to look for duct tape at the local hardware store. This focus on the way real people make decisions is the “decision processes” part of the Wharton center.

“In developing strategies for interdependent security,” Kunreuther says, “one needs to take into account the ambiguity of the risk and how individuals react to this type of uncertainty. That’s the principal reason why terrorist insurance didn’t take off. Insurers thought the risk was too ambiguous. There are issues of myopia, shorter time horizons, and misperceptions of the risk. All these have to be taken into account in developing risk management strategies.”

One typical reaction is to bury one’s head in the sand. “In these troubled times, most of the companies have come to the conclusion that the best they can do is remove the flammables from the fence and go to church – hoping the government is going to solve this problem for them,” Kleindorfer says. “They can’t figure out what it is they can possibly do to avoid terrorist attacks.”


Effective Strategies

What do managers overlook in addressing these risks and catastrophes? One key is leadership and communications. “I don’t think most companies have recognized how fundamental this is in times of great turbulence and uncertainty,” Kleindorfer says. “Companies may have great systems and audits for risk management. They may have near-miss management and crisis management strategies, but half the employees still are running around shell shocked because no one is telling them what is going on. There is a set of denial reactions that arise naturally in human beings when confronted with adversity. We are just beginning to put all the pieces together.”

Another issue highlighted by 9/11 was the importance of having well-rehearsed plans for business processes and continuity. “People had backup plans, but many of them were absolutely devastated for many months and unable to pull themselves together in an effective way,” Kleindorfer says. “Who would have imagined that you would have to rehearse losing your entire office space in the World Trade Center? Today, if you say to a major company that we have to think through the scenario in which your top three people are out and your headquarters is out, people won’t say not to do anything as ridiculous as that. Now companies are rehearsing through these things on a quarterly basis with the senior management team. The company has to be prepared to withstand anything and put itself back on its feet.”

Risk management should be integrated with ongoing management of current processes. “The whole process can be seen as part of near-miss management or accident prevention systems,” Kleindorfer says.

Managers also need to consider broader strategic issues, such as supply chain design, global diversification, public policy, and second-order effects of an attack on one part of the system that can affect other industries, or the whole economy. Where the efficiencies of agglomeration normally dictated centralized operations and IT, companies are now spreading supply chains and other parts of the business around the globe to diversify their risks. They also are building up a buffer of inventory. “Inventory was evil,” Kleindorfer says. “Now you need strategic inventory at key points in the supply chain, multiple suppliers, and other redundancies that are beginning to reverse the long trend in the 1990s of ‘leaning’ the supply chain.”

Kunreuther’s trip to China, which was postponed after September 11, is now scheduled for June 2003. He has a lot more to talk about when he participates on an alumni panel on interdependent security in Shanghai. “I know this is literally the most important thing I have ever done,” he says. “It is important for policy, on a social level, and for business. It is a global problem. I now understand what I’ve been doing for the last 20 years.”