Measuring and managing risk in the quest for resilience

You're reading Route Fifty's Public Finance Update. To get the latest on state and local budgets, taxes and other financial matters, you can subscribe here to get this update in your inbox twice each month. You can find a full archive of these newsletters here. 

The collapse of the Francis Scott Key Bridge in Baltimore last month showed how quickly a major disruption to our transportation network can have ripple effects beyond just the physical infrastructure sinking below the water.

Lives were lost on that bridge that early Tuesday morning in March, and commerce, jobs and commutes were strangled. Leaders in Baltimore were jolted into action, but so were government officials around the country as they rushed to assess their own infrastructure vulnerabilities.

The catastrophe was an opportunity for local leaders to reevaluate their community’s risk profile and grapple with a concept that is complex but vital for local resilience: the total cost of risk, or TCOR. The big challenge in these events is to weigh not only the risk itself but also those ripple effects that ultimately prove to be the most costly.

By categorizing and quantifying the costs—calculating the TCOR—municipal leaders can get better at managing the fiscal impacts and directing resources toward mitigating them, thereby preventing some of the damage.

TCOR appears to be increasing for most governments, although we can’t know for sure because most jurisdictions haven’t been capturing that data. However, looking at the risk of failing infrastructure, ever more frequent environmental disasters, reports of cyberattacks on local governments and today’s litigious environment, it’s hard to escape that conclusion.

Measure and Manage

To borrow insight from the management visionary Peter Drucker, you cannot manage risks you haven’t measured.

To better understand TCOR, ”you must look at all of its component parts,” explains Dorothy Gjerdrum, senior managing director at the consulting firm Gallagher, which focuses on the financial services industry. “If an entity wants to understand what is driving the cost of risk, they need to look at the drivers. Otherwise, you’ll focus on either the biggest budget item or most inflammatory issue, and then you go into that rabbit hole.”

Measuring TCOR includes identifying the cost of transferring risk (such as insurance deductibles and premiums), the cost of retaining risk (uninsured expenses and the cost of capital), and current risk management expenses (outside-vendor and in-house costs).

These help to:

• Proactively allocate risk management costs throughout the enterprise.
• Improve the understanding of risk throughout the enterprise.
• Develop benchmarks for TCOR.

Various events can cause TCOR to increase, such as climate change and crumbling infrastructure, growing numbers of sexual assault and molestation lawsuits, and the increased scrutiny around police misconduct. In addition to cyberattacks on municipal systems and services, other new and emerging risks include the impact of newly mandated limitations on PFAS (“forever chemicals") in local water supplies.

Assessing your jurisdiction’s total risk profile is a complicated undertaking. “Talk to your experts,” suggests Ann Gergen, executive director of the Association of Governmental Risk Pools. “Talk to your risk manager and loss prevention specialists, your risk pool, your entity’s attorney, insurance broker or agent, OSHA contacts, and others. Start thinking about where you may be particularly vulnerable to risk and ways to reduce the exposure. And benchmark your own year-over-year data to measure improvement.”

Focus on What You Know

Clearly, you cannot control the weather, prevent all accidents or eliminate all misconduct, but you can invest to reduce those risks. Focus on where you know you can make an impact. That might involve analyzing data and identifying preventable accidents and vulnerabilities, or investing in staff training to reduce the risk of cyber breaches or harassment lawsuits.

As the saying goes, an ounce of prevention is worth a pound of cure. Nevertheless, it’s preventive measures that are often perceived as “nice-to-haves” rather than essential and are first on the chopping block when budgets are cut. But if you do the math and evaluate which interventions would have the greatest return on investment, it will help you prioritize and make the argument to policymakers and the public to take preventive measures.

One thing that the increased severity and frequency of natural hazards has shown is that mitigation is a wise investment that can save money, property and, most importantly, lives.

And it can have positive benefits. According to a 2017 FEMA study, “Activities designed to reduce disaster losses also may spur job growth and other forms of economic development. Mitigation represents a sound financial investment. … Society saves $6 for every $1 spent through mitigation grants … and a corresponding benefit-cost ratio of 4:1 for investments [meeting building code standards].”

Over a 20-year period, municipalities with modern building codes would save $32 billion in losses from natural disasters compared to jurisdictions without modern codes, according to another FEMA study, which concluded that the adoption of modern building codes can have even more significant benefits in areas prone to floods, earthquakes and hurricane-force winds. Using flood and hazard mapping data to inform modifications to zoning and building codes is a cost-effective method to help reduce the damage and improve local resilience.

Left and Right of “Boom”

Managing risk in a world that’s increasingly volatile, uncertain and multifaceted demands that leaders think of risk on a continuum. It’s not so much a question of if disaster will strike, but how ready you will be when it does. As Juliette Kayyem describes in her book The Devil Never Sleeps: Learning to Live in an Age of Disasters, it’s the difference between making decisions “left of boom,” in anticipation of the risk, or “right of boom,” dealing after the fact with an event’s costs and impacts. While the cost of prevention can be deferred, the cost of disaster cannot.

Cybersecurity is one example of where being “right of boom” can have crippling consequences. The Center for Internet Security reported recently that from 2022 to 2023 the number of malware attacks against state and local governments increased by 148%, while ransomware attacks rose by 51%. “Endpoint security services incidents” such as data breaches, unauthorized access and insider threats skyrocketed by 313%.

Training employees to practice cyber hygiene is one significant step your organization can take “left of boom.” And it’s probably prudent to assume that attacks will come at the worst time: A few weeks ago, the New York Legislature’s bill drafting operation was hit with a cyberattack just as lawmakers were trying to pass an overdue budget.

Maintaining Municipal Services

Grappling with TCOR and managing risk are crucial to a local government’s ability to provide vital public services— police and fire protection, water and power, and so much more. Yet, it’s difficult for leaders to act “left of boom,” making long-term, costly decisions and sticking with them because the payoffs often don’t manifest until much later down the road. It’s not politically expedient if you’re not going to get credit for it.

That said, you have to take care of the money to take care of people. Ultimately, the point of the money is maintaining or improving constituents’ quality of life.

Incidents like the Baltimore bridge collapse, and how it could have been prevented, should motivate local leaders to think carefully about risk management, prevention and mitigation. To raise these issues to elected officials and get community support, city managers and other municipal executives must pay closer attention to the total cost of risk and its drivers.