Risk Management After the Atrocity

For this issue, I was asked to write about risk management as it would apply in the aftermath of a terrorist attack. It is an interesting subject because if risk management strategies had been effective then arguably, the atrocity would not have occurred. However, disturbing surprises and risk management failures do happen. I want to look at risk management from the point of view of both sides – those on the receiving end of a terrorist act, and those who form the organisation or group delivering politically motivated violence. Terrorist acts are usually a form of violent political protest against the established order. From the terrorist’s point of view, this violent action is a form of societal risk management, albeit an extreme type.

For circumstances when conventional risk management by the establishment ceases to be effective, then resilience is required. This resilience may be in technical, organisational or societal dimensions. For example, some level of physical resilience to blasts might be achieved using standoff distances created with vehicle barriers; resilient structures such as blast walls; or perhaps special film on windows to minimize harm from fragments of glass which are imploding into a room full of people.

Good crisis management, business continuity planning, simulation exercises to practise the response, and procedures to recover operations quickly, all help with resilience.

Risk managers need to plan for surprising disasters by drafting crisis management frameworks that might be utilised by crisis managers immediately after an atrocity. Planning for the aftermath of catastrophic events is a type of risk management but quite different to conventional notions.   I refer to post-atrocity risk management as ‘Type 4’ Risk Management.

The first three types include risk management aimed at achieving high reliability operations in a regulated environment (Type 1); risk management directed at maximising the payoff in a competitive business environment where accidents or errors are normal (Type 2); and risk management in a political environment directed at finding a compromise solution that is tolerable for the majority of stakeholders (Type 3).

In a Type 4 situation, all stakeholders are equal in that all are exposed to extreme danger, and survival is the primary consideration. A crisis manager needs to determine the immediate response to the catastrophe. The risk manager needs to think about strategies to return the organisation back to a steady-state condition. This may involve transitioning through different states or types of risk management, determined mostly by the nature of the operational environment through time.

The worst case for risk management is when the maximum environmental variety exists. This is referred to as a ‘turbulent field’ (Emery and Trist 1965). After an atrocity of catastrophic proportions, relatively insignificant events are seemingly amplified within the turbulent field and so the organisations and people within the disaster zone find it difficult to predict future safe states of this new environmental reality. Conventional risk management thinking and tactics may be difficult to implement. Where is safe? How can people in the disaster zone find a safe place? What will happen next and how can people in the disaster zone cope with the hazards?

A turbulent field is an inherently unstable non-linear environment. It is one the inhabitants might perceive as ephemeral (Thompson, Ellis and Wildavsky 1990) or chaotic (Christensen 1985). Survival is determined by the environment and not guaranteed by tactics, operations or strategies. Crises prevail. The number of choice opportunities are too numerous and too disorganised (Jarman 2001) to evaluate in a value free way. Any small movement in the wrong direction could be fatal. Therefore errors of judgment are not acceptable.

Risk is everywhere but rejected and deflected. The environment is dualistic, being both the controlled variable and the disturbance. Floods and fires are typical examples. Another is the sectarian terrorist on a murderous rampage of revolutionary change.

Emergency services personnel train to work in a Type 4 environment.   However, even their training may be inadequate for worst case scenarios, or those not previously considered in risk management planning.

Contemporary terrorism itself exhibits some of the characteristics of a Type 4 Risk Management state. Not only do terrorists cause carnage but they themselves justify their acts because they believe they are in a dangerous and turbulent field of operations.

Terrorist organisations may regard their operational environment as being in crisis, caused by the established order.   An organisation in a Type 4 operational environment regards their crises as normal but unacceptable. This is a risk management system that focuses on urgently correcting current crises. The system attempts to manipulate its operating environment. However, it has no long-term goals other than to prevent other decision systems from disturbing their operational environment. The aim of the system is to restore the operating environment to its natural but delicate and unstable state. Internal ‘grouping’ seeking new values is the hallmark: in a word – ‘millenarianism’ (Schwarz and Thompson 1990).

The inhabitants of this type of organisation display a critical ‘logicality’ based on fundamental cultural beliefs about the existence of crises caused by disturbances from conventional risk decision cultures. A Type 4 organisation does not trust the other types “to do the right thing” and will demonstrate their fundamental objections to unacceptable values and behaviour. This type of ultra-participative messianic organisation rejects and deflects risks which are seen as the causes of further crises and instability. The emphasis on this system’s behaviour is not towards reliability but towards sustainability through fundamentalism. Rules and regulations are not as important as responding to the crisis (current or future) led by a new messianic leader.

A Type 4 organisation, also called a ‘Murphy’s Law Organisation’ (MLO) has elements grouped in a shallow hierarchical structure, but a grided hierarchy as in Type 1 does not exist. There is a leader (perhaps charismatic); however there is no formalised hierarchy. This is typical of a Sect. The leadership is small but all-powerful. Risks will be rejected, deflected and punished severely if ‘anti-group’. The focus is on creating a new operational environment for the benefit of all – for example the creation of an ‘Islamic State’. While risks are anticipated, there is a greater concern about responding to a current crisis that is escalating into chaos.   Neither trials nor errors are acceptable. The two primary dynamic risk management strategies aim to:

  1. Create a new value system; and
  2. Share pain and scarce resources consistent with new leadership values.

Positive feedback is important for maintaining ethical values, solidarity and the achievement of fundamentalist goals. System failure occurs due to an inability to generate greater power or strategic force (especially if no charismatic leader is present); redundancy is generally rejected and there is a reluctance to accept system resilience. The Type 4 organisation can only exist in the short term. If successful, these Type 4 organisations evolve to become the new Type 1 order.  Established Type 1 organisations will do all they can to prevent the Type 4 organisation from becoming the new order. If both the established Type 1 and the new Type 4 organisations evolve to be competitors in a Type 2 environment, then full scale war might be the result.



Christensen, Karen S. 1985. Coping with Uncertainty in Planning. Australian Public Administration Journal. Winter, 63-73.

Emery, F.E., and Trist, E.L. 1965. The Causal Texture of Organizational Environments. Human Relations. vol. 18, no. 1, 21-32.

Foster, Kevin J. 2010. Unstable Risk Management Systems: The Evolution of an ‘Intelligent Building’ in Singapore. Saarbrucken: Lambert Academic Publishing.

Jarman, Alan. 2001. ‘Reliability’ Reconsidered: A Critique of the Sagan-LaPorte Debate Concerning Vulnerable High-Technology Systems. Chisholm and Lerner Paper.

Thompson, M., Ellis, R. and Wildavsky A. 1990. Cultural Theory. Boulder Colorado: Westview Press.




Kevin Foster
Dr Kevin J. Foster is the managing director of Foster Risk Management Pty Ltd, an Australian company that provides independent research aimed at finding better ways to manage risk for security and public safety, and improving our understanding of emerging threats from ‘intelligent’ technologies.