Resilience

 

 

https://sm.asisonline.org/Pages/Ramping-Up-Resilience.aspxRamping Up ResilienceGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a43444652017-03-01T05:00:00Zhttps://adminsm.asisonline.org/pages/mark-tarallo.aspx, Mark Tarallo<p>​America’s national defense has many components. Some of the lesser known pieces are utilities—the nearly 2,000 electric, water, wastewater, and natural gas systems that help the U.S. Department of Defense (DoD) accomplish its mission. When these systems fail, military operations can be disrupted, and national defense can become a bit weaker. </p><p>In recent years, these systems have failed thousands of times, according to a recent study conducted by the U.S. Government Accountability Office (GAO), which examined a representative sample of 453 DoD-owned utilities. The survey found that 4,393 instances of disruption occurred in fiscal years 2009 through 2015, resulting in a financial impact of $29 million. </p><p>These disruptions take many forms. At Joint Base McGuire-Dix-Lakehurst in New Jersey, operations were shut down for an entire week after a power line exploded. The power line had been installed in 1945, and was past its expected service life, base officials explained to GAO researchers. After the shutdown, the facility ran on generator power for the next three weeks while repairs to the line were completed.</p><p>At Naval Auxiliary Landing Field San Clemente Island in California, seven utility poles caught fire and caused an eight-hour islandwide electrical disruption. The fire occurred because the poles’ insulators, which are used to attach lines to the pole so that the electricity will not flow through the pole itself, were corroded and covered with salt, dust, and debris, the report found. This debris formed a conductive layer on the insulator that created an electricity flashpoint that resulted in a fire. </p><p>And there are disruptions due to weather. At Naval Weapons Station Earle in New Jersey, Hurricane Sandy’s storm surge in 2012 destroyed utility infrastructure, disrupting potable and wastewater service and resulting in almost $26 million in estimated repair costs.</p><p>Of those 4,393 disruptions, 1,942 involved water utility systems, 1,838 involved electric utility systems, 343 involved wastewater systems, and 270 involved natural gas utility systems. The Air Force suffered the most frequent disruptions, with 2,036. Next came the Navy (1,487), the Army (784), and the Marines (86). </p><p>The equipment failures that led to the disruptions were often caused by one of three main factors, the study found: the equipment was operating beyond its intended lifespan; the equipment was within its lifespan, but still in generally poor condition; or the equipment’s performance suffered because it had not been properly maintained. </p><p>This finding points to a fundamental challenge for DoD and other federal agencies: real-world budget constraints mean that DoD does not have the funding to upgrade every single system that has outdated equipment. Building resilience under such circumstances is not easy, and it sometimes requires a strategic plan with an achievable baseline goal, says Jason Black, director of analytic insights for Huntington National Bank and a utility policy expert who is also a former U.S. military officer. </p><p>A strategic plan with a goal of sustaining round-the-clock operations every day of the year would be difficult to achieve. A more realistic plan, however, could allow for some disruptions, with a goal of limiting them. For example, the goal could be to limit disruptions to 10 times a year, with each disruption lasting no more than an hour, Black says.</p><p>In striving for this goal, the plan may sketch out how older and more vulnerable utilities would be supported by back-up systems or localized generators, and other special configurations that would be needed to deal with different scenarios. “It’s one thing if a whole base goes out. It’s another thing if just one maintenance facility goes out,” Black says.</p><p>This type of strategic resilience plan could be designed across DoD’s entire fleet of utilities. Some systems only play a crucial role a few times a year, when certain situations are occurring. System resources can also be pooled; if there are four airfields located in one state, it might not be necessary for disruptions on one field to be immediately rectified. “It doesn’t have to be the case that every base has to be sustained all the time,” Black says. “In some cases, it may be cheaper and easier to move people.” </p><p>Instead of simply being reactive and replacing equipment as it breaks, officials could also incorporate utility equipment updates into the strategic plan, to best support operational goals. Incorporating an equipment plan can also serve as an incentive for investment when funding is limited: it illustrates how small investments in certain key systems will put operations in a better position over time, Black says.   </p><p>However, a strategic resilience plan must be based on good information about where disruptions are occurring, their frequencies and patterns, and other data that could be analyzed. In this area, DoD is falling down, the GAO found. Specifically, 151 out of 364 survey respondents in GAO’s study said they did not have information on utility disruptions during the 2009–2015 time period of the study. </p><p>The reason for this lack of in­formation, GAO found, is that the military services are inconsistent in issuing guidance on collecting and retaining utility disruption data. The study found that the Air Force and Marine Corps did not have current guidance on tracking utility disruption information; the Army had some guidance, but it was not available at all installations. </p><p>“Without guidance directing installations to collect information about all types of utility disruptions, service officials may not have the information needed to make informed decisions or to compete effectively for limited repair funds,” the study found. The exception among the services was the Navy, which had recently issued new guidance, auguring well for future data collection within that service, the study found.   </p><p>Given this, the GAO recommended that the Army, Air Force, and Marine Corps take steps to consistently collect disruption information, and issue better guidance on doing so. DoD concurred with these recommendations. </p><p>Finally, Black says there is another tool that DoD may use to boost its utility resilience–partnerships with the private sector. Here, DoD has some advantages at its disposal; some of its sites include significant amounts of land, and they have more zoning and use flexibility because they are government owned. Given these resources, DoD may be able to partner with private sector companies on utility projects, ranging from wind turbines to solar panels. “They may have the room, and they may not have zoning concerns,” Black says. </p><p>Shared resources could also be leveraged in such partnerships, he adds. For example, a generator could be built on a DoD site that would power the local area, but could also be used as a backup in case of power failure at the DoD facility.   ​ ​</p>

Resilience

 

 

https://sm.asisonline.org/Pages/Ramping-Up-Resilience.aspx2017-03-01T05:00:00ZRamping Up Resilience
https://sm.asisonline.org/Pages/The-Road-to-Resilience.aspx2017-02-01T05:00:00ZThe Road to Resilience
https://sm.asisonline.org/Pages/World-Water-Woes.aspx2017-01-01T05:00:00ZWorld Water Woes
https://sm.asisonline.org/Pages/Reducción-de-la-Violencia-en-América-Latina.aspx2016-10-11T04:00:00ZReducción de la Violencia en América Latina
https://sm.asisonline.org/Pages/A-Hospital’s-Life-Safety-Lessons.aspx2016-10-01T04:00:00ZA Hospital’s Life Safety Lessons
https://sm.asisonline.org/Pages/Five-Post-Incident-Concerns.aspx2016-09-01T04:00:00ZFive Post-Incident Concerns
https://sm.asisonline.org/Pages/Resilience-Trends.aspx2016-09-01T04:00:00ZResilience Trends
https://sm.asisonline.org/Pages/A-Strategic-Response.aspx2016-08-01T04:00:00ZA Strategic Response
https://sm.asisonline.org/Pages/Book-Review---Crowd-Science.aspx2016-07-01T04:00:00ZBook Review: Crowd Science
https://sm.asisonline.org/Pages/The-Calculus-of-Catastrophe.aspx2016-06-01T04:00:00ZThe Calculus of Catastrophe
https://sm.asisonline.org/Pages/Planning-After-Paris.aspx2016-03-01T05:00:00ZPlanning After Paris
https://sm.asisonline.org/Pages/Smart-and-Secure.aspx2016-01-19T05:00:00ZSmart and Secure
https://sm.asisonline.org/Pages/Resilience-After-Katrina.aspx2016-01-11T05:00:00ZResilience After Katrina
https://sm.asisonline.org/Pages/Extreme-Resilience.aspx2016-01-07T05:00:00ZExtreme Resilience
https://sm.asisonline.org/Pages/The-FEMA-Five.aspx2016-01-06T05:00:00ZThe FEMA Five
https://sm.asisonline.org/Pages/Constructing-Resilience.aspx2015-11-01T04:00:00ZConstructing Resilience
https://sm.asisonline.org/Pages/Travel-Safety-Goes-Global.aspx2015-10-13T04:00:00ZTravel Safety Goes Global
https://sm.asisonline.org/Pages/Book-Review---Long-Term-Community-Recovery-from-Natural-Disasters.aspx2015-10-01T04:00:00ZBook Review: Long-Term Community Recovery from Natural Disasters
https://sm.asisonline.org/Pages/Preparing-for-Protests.aspx2015-09-11T04:00:00ZPreparing for Protests
https://sm.asisonline.org/Pages/Revisiting-Response.aspx2015-07-21T04:00:00ZRevisiting Response

 You May Also Like...

 

 

https://sm.asisonline.org/Pages/Seeing-the-Risk-Through-the-Trees.aspxSeeing the Risk Through the Trees<p>​</p><p>THE FIRST STEP TOWARD SOLVING—or preventing—any crime is to think like the criminals, beginning with what motivates them. When it comes to common thieves, that’s easy; they are motivated by the desire for money. But for violent nonfinancial crimes, understanding the motivation can be far more challenging.</p><p>I experienced this firsthand in the early 1990s, while running the Special Investigations Unit for the Ohio Bureau of Criminal Investigation. My team and I were tracking a serial rapist with a fetish for elderly women. He haunted small towns in rural areas, and during more than eight months he claimed 13 victims. We needed to understand our attacker if we wanted to anticipate his next move. To that end, an 18-page questionnaire was developed looking for anything the victims had in common: where they shopped and banked; who provided their lawn service; what clubs they frequented; who their family doctors were.</p><p>We used the answers to build an investigative “attack tree” that revealed the commonalities shared by the victims, and provided clues to the attacker’s goal and his modus operandi. Through this process, we were able to solve the case.</p><p>Any company can use the same attack tree methodology to mitigate risks, such as a terrorist attack, by thinking like the would-be attacker and anticipating what he or she might do. That information can be used to develop the appropriate countermeasures.</p><p>Attack trees are simply a visual display of the answer to the question: How would the criminal commit a crime—whether it’s a theft, a rape, a hack into a computer system, or the planting of a bomb. The branches of the tree illustrate the different scenarios and the steps physically taken to accomplish the task.</p><p>Filling Out the Branches<br>In laying out an attack tree, the overall goal of the attacker is considered the trunk and the steps that he or she would take become the branches. Once a security director has thought of the overall threat and laid out the possible ways it could be carried out, the next step is to assess the probability that it might occur—the level of risk. Ultimately, the risk may be handled in four different ways: accepted, transferred, eliminated, or reduced.</p><p>A security professional may determine that the risk is low, and the company may decide to accept it. But a corollary consideration is the consequence of an act; if the act is low probability but high consequence, as is the case with terrorism, that will affect the calculation of whether accepting the risk is a reasonable course of action. Calculating the risk of a terrorist attack is further complicated by the difficulty of obtaining reliable intelligence.</p><p>Using attack tree methodologies, our security team at a major utility looked at our potential adversaries with the limited intelligence provided by the U.S. Coast Guard and our own staff. The trunk of the tree—the attackers’ goal—was assumed to be to disrupt power. We then explored methods of attack that could be used against our critical areas to achieve that goal, such as ramming a gate with a vehicle; cutting a fence; approaching by a boat on the river; or posing as a delivery driver to place a vehicle borne improvised explosive device (VBIED) near a critical asset.</p><p>We then “pruned” our trees by factoring in the already existing risk-reducing measures, such as intrusion detection systems, lighting, perimeter fencing, and signs. In consultation with government agencies, we assessed the extent to which our measures had sufficiently reduced the risk and whether additional measures were needed.</p><p>The pruning process took into account that the trunk, or goal, is to disrupt power. If we look at the branch exploiting a vulnerability of approaching by boat from the water and gaining access to our facility, the next leaf would involve damaging a critical piece of equipment to obtain the result. In order to prune this branch, we installed fencing along the waterway with intrusion detection to alarm to our guard posts in an effort to detect an intrusion along several miles of the channel.</p><p>Planting Your Tree<br>While there are several models and even some software that you can use to help you in the attack tree process, in the beginning, you might want to follow this general rule: the simpler, the better. Start by assembling several members of your team in a room with a whiteboard or flip chart. At the bottom center, draw a box and insert what the goal of a terrorist attack against your company’s facilities might be. For a mall or other public venue, it might simply be to terrorize the population. For a strategic facility, it may be to disrupt services, to contaminate food or water supplies, or to cause economic damage.</p><p>Once you have placed the ultimate objective in the bottom box, ask your team the oldest security question known to man: “How would I do that?” For example, if terrorists are the adversary, the overall goal is to kill as many people as possible. As the security director for a mass transit subway, you have to place yourself in the terrorists’ shoes, and build your tree accordingly. If you were the terror cell, how would you accomplish your goal?</p><p>In answering the question, you would look at the recent history of events. For example, history has shown that terrorists may choose backpack bombs with cellphone detonators or timing devices; or they might pick suicide bombers, or chemical agents, or perhaps other methods that you and your team could visualize.</p><p>Each method becomes a branch. Place those in individual boxes connected to the bottom box and you have begun the formation of your tree. Repeat the steps of asking “how would I do that” over again for each “branch” of your tree, and continue to expand the possibilities. Once you have exhausted your avenues of attack, your tree is completed. You can then create another tree simply by changing the ultimate goal in the bottom box.</p><p>Leaves. As one becomes more proficient with the trees, there are several complex formulas, or “leaves,” that can add value. One leaf is the risk tolerance of the attacker. Another is his or her financial capability. These additions play a valuable role as a security team contemplates risk-reduction measures. For example, signs warning of surveillance might give pause to a terrorist who wants to case a utility plant without being detected; they would not deter a suicide bomber.</p><p>Pruning the Tree<br>A completed tree needs “pruning,” or an examination of the potential threats that have been identified and how they might be mitigated by existing or new protective measures. Each branch that starts in row two above the bottom box can be pruned. The thought here is to find logical places on that branch where you could apply—or where you have already put in place—security measures to reduce that risk.</p><p>When considering items to prune your tree, look into the box and determine which system makes the most sense from the perspective of cost and applicability.</p><p>Cost-effectiveness. Your team should scrutinize whether the deployment of one system could prune several branches of the tree, thus improving the cost-effectiveness of the countermeasures. In the example of the utility facility, our team identified seven ways to gain entry to a site and then complete the overall goal of service disruption. In examining our tree, four of the seven ways to gain entry involved breaching our perimeter fence, by cutting the fence, ramming the gate, cutting the lock at the gate, or climbing over the fence and barbed wire.</p><p>By placing an intrusion alarm system on the fence, we were able to effectively mitigate all four possible branches. Similarly, if you are working on multiple attack trees simultaneously, you may gain a significant benefit to several trees from deploying a single appropriate system. In deterring terrorist attacks by hardening an asset, you also make it much more difficult for a burglar to gain entry, for example. In the utility sector, the installation of an intrusion detection system at some substations to prevent terrorist attacks also helps prevent copper thieves and vandals from entering the property undetected.</p><p>Group think. As you experiment with the use of the attack tree methodology, try breaking your team into several subgroups and assigning each subgroup a different goal for the trunk of each tree. After building out the branches, bring the whole group back together, have each subgroup present its tree, then work on strategies to collectively prune the attack paths by deploying a similar strategy or system.</p><p>The value added in these exercises is derived from an enterprise-wide security approach that can be helpful in solidifying objectives—especially in a convergence model where pockets of isolationism and standalone mentalities can exist.</p><p>Mature Trees<br>Once you have completed several attack trees with your team and feel comfortable with the process of deploying effective strategies to prune the branches, you may wish to expand your knowledge base and experiment with advanced methodologies.</p><p>In traditional risk modeling, consequence and probability are core elements. One can use the same principles to enhance attack tree modeling. Start by examining the overall goal at the trunk and use a standard model to evaluate probability of the event occurring. Use a numeric scale from 1 (very low) to 10 (very high) to estimate the possibility that the mode of attack against an asset will occur in the foreseeable future.</p><p>The consequence axis requires a definition as to which score you will apply. It is typical to view consequence in terms of dollars to replace stolen property, lost revenue, capital replacement costs, loss of life, or loss of reputation. If your consequence model is based solely on loss of life and your event is a large theft, your consequence rating may be zero. Conversely, if your model is based on capital replacement costs and your scenario is workplace violence, your score will be very low.</p><p>A blended model that factors in both loss of life and a cost estimate for revenue is more useful. Once you have chosen your consequence variable, you can assign it a numeric rating similar to the probability scale. Next, you should go to each box on your tree and label it with the scores for probability (P) and consequence (C). This process will highlight the most probable and severe attacks and will aid you in applying risk reduction strategies in a priority order.</p><p>To work with the mature tree further, look at adversaries and attempt to understand their relation to the model. A utility has to protect against sabotage from disgruntled workers and theft of assets for monetary gain, for example, in addition to terrorist attacks. This becomes important as we look at which security systems to deploy and their potential effectiveness.</p><p>On several occasions, we were faced with the theft of high-dollar computer equipment stolen from unstaffed remote facilities. By examining the crime scene, a lot can be learned about the thief. How was entry gained? Was a key used at the gate, was the lock cut, or was a chain used to pull the gate off the hinges? How was entry into the building achieved? Was the lock picked or was the door beaten in with a sledgehammer?</p><p>After examining these traits, effective strategies can be developed that match the skills of the adversary. A loud alarm might be enough to deter someone who uses a chain and a sledgehammer, while a more sophisticated system may be needed to deter someone with the skills to pick locks.</p><p>Based on these details, one can flesh out the attack tree by marking different paths that different adversaries may take, and then deploying tailored strategies to stop them. A simple scenario illustrating this methodology is a company-owned warehouse in an area that has suffered several break-ins. The particular warehouse, which houses electronic components that could be used to make bomb detonators, has not been hit yet, but the company is aware of the threat, and security personnel are debating how to protect against it.</p><p>Local police and other security directors representing victimized area businesses have been consulted about any previous crimes in the locale. Important information has been gleaned: There have been three burglaries inside of a month within five miles of the still-virgin warehouse. Each theft involved high-value small electronic devices similar to those in the company’s warehouse. In two instances, the thieves used a torch to cut the hinges on a roof hatch to gain entry, and in one case, they picked the lock on the front door. Each time they exited from the loading dock in the rear.</p><p>An attack tree grows rapidly out of such details. The trunk (showing the thief’s goal) is the acquisition of pricey electronic units. Due to the number of incidents in the area, there is a high probability of the warehouse being targeted. The consequence score is up because of the potential dollar loss. Risk is, therefore, red hot.</p><p>The tree can be filled out by adding different attack strategies. The thieves are not garden-variety; they used tools to cut their way in from the roof and picked locks, suggesting a certain amount of professional skill.</p><p>Other scenarios can be added, such as rocks being thrown through the glass doors in front, or a chain being tied to the bumper of a truck and the door being ripped from its hinges.</p><p>Then prune the tree with the necessary risk-reducing measures, such as alarm systems, surveillance cameras, or maybe security guards. The warehouse is now set to be safeguarded, and potential thieves tracked should an incident occur.</p><p>A Weakness in the Tree<br>Looking at attack trees from a homeland security perspective reveals a weakness in the methodology. Sweeping terrorist goals, such as the destruction of the U.S. economy, produce very large trees. More specific and credible scenarios need to be imagined. That can be difficult but it doesn’t mean that the attack tree methodology cannot be adapted to this task. The Nuclear Regulatory Commission, for example, has used scenario-based attack trees for years.</p><p>The use of attack trees is by no means the single solution for today’s security environment. However, in the never-ending attempt to manage risk, the use of attack trees can help companies to weed out vulnerabilities and ensure that countermeasures are rooted in solid ground.</p><p>Ted Almay is assistant vice president of corporate security at the United Services Automobile Association (USAA). His previous posts included stints as the managing director of security for American Electric Power (AEP), America’s largest electric producer, and superintendent of the Ohio Bureau of Criminal Investigation. He is a member of ASIS.<br></p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/Five-Post-Incident-Concerns.aspxFive Post-Incident Concerns<p>​<span style="line-height:1.5em;">On June 12, 2016, a gunman shot 102 people in an Orlando, Florida, nightclub, killing 49. Agencies, both government and private, must be prepared to recover from such major incidents. Following are five issues that should be considered when crafting post-incident plans.</span></p><p><strong>1. COUNSELING.</strong> Identify a list of counselors for the living victims, family members of the deceased, and other persons who were directly or indirectly involved with the incident. This includes first responders. (In this case, where the gay community was targeted, special emphasis was placed on their needs.) Counselors can include certified therapy animals and their trained handlers. Providing privacy and personal time for the families and friends of the victims in their time of grief is crucial. It is also important to shield those who ask for privacy from the media.  </p><p><strong>2. BUSINESSES. </strong>Access must be granted to the area surrounding the incident so that local businesses can resume operation as soon as possible. The crime scene should be processed in a timely manner to allow the community to return to a feeling of normalcy and business as usual.</p><p><strong>3. COMMUNITY AWARENESS.</strong> The use of the friendly and concerned media can help keep the community informed and involved. Holding frequent press conferences and meetings with the community and its leaders conveys that agencies plan to be open about the incident and the follow-up.</p><p><strong> 4. DEBRIEFING.</strong> Ensure that all victims, witnesses, and responders are fully interviewed in a humane and caring way. This will assist the lead agency in trying to reconstruct the incident and come to a fuller understanding of its causes and outcomes.</p><p><strong>5. PLANNING.</strong> Continue to work within the community to plan for possible future incidents, identify possible soft targets, educate the public on the appropriate response to such an attack, work with the public on developing strategic response plans, and communicate openly with all involved.</p><p>--<br></p><p><em><strong>H.R. "Hank" Nolin, CPP,</strong> is a retired U.S. Army Master Sergeant who has owned various security agencies in Central Florida. He is an active member of the ASIS Military Liaison Council.</em></p>GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/Resilience-Trends.aspxResilience Trends<p>​<span style="line-height:1.5em;">“Thousands have lived without love, not one without water,” poet W.H. Auden famously said. In many countries, enjoying a safe and secure water supply is something most take for granted. The United States, for example, has had an “unrivalled tradition” of low-cost, universal access to drinking water, says Robert Glennon, a water policy expert at the University of Arizona and author of Unquenchable: America’s Water Crisis and What to Do About It. In actuality, a safe and secure water supply is never a given, and there are signs that the recent water crisis in Flint, Michigan (covered in Security Management’s May issue), may be a canary in the coal mine for the future of America’s water. The U.S. water and wastewater system is in urgent need of repair and replacement; some of the piping dates back to the Civil War era, experts say. But federal and state funding appropriations have been insufficient for keeping water supply infrastructure in good repair.</span></p><p>“For years, there’s been a general inadequacy in funding,” Glennon says.  As recent proof, Glennon cites the American Recovery and Reinvestment Act of 2009, commonly known as President Barack Obama’s $787 billion stimulus package. “A small fraction of that, less than 1 percent, was devoted to water and wastewater,” he explains.</p><p>The American Water Works Association has estimated that repairing the million-plus miles of water mains across the country, and expanding that infrastructure so that it can adequately serve the country’s growing population, could cost up to $1 trillion over the next 25 years. The U.S. Environmental Protection Agency (EPA) has a lower estimate: roughly $330 billion over 20 years.</p><p>Both of these estimates dwarf the existing $1.38 billion that state and local governments are spending annually on drinking water and wastewater infrastructure, according to statistics from the American Society of Civil Engineers (ASCE). (Using a comparable 20-year time frame, the ASCE estimate comes to roughly $28 billion, or only about 8 percent of the EPA’s estimate of needed funding.) </p><p> Besides inadequate funding for repair, demand is growing, not only from an increasing population but from high-tech industries. Large corporations with cloud computing operations occupy enormous industrial facilities that are air conditioned. “This requires a heck of a lot of water,” Glennon says. </p><p>In addition, environmental factors pose challenges to a secure U.S. water supply. In states like Florida, rising sea levels are pushing into coastal aquifers and causing saltwater intrusion, making the aquifers more saline and problematic for human consumption. </p><p>Worldwide, a possible future water crisis is a problem alarming many, in part because of its potentially disastrous cascading effects on the global economy. A survey released by the 2016 Global Economic Forum found that a water crisis is the top concern for business leaders over the next 10 years. Further in the future, the global water situation continues to look grim, by several measures. By 2030, a stable supply of good quality fresh water can no longer be guaranteed in many regions, and a 40 percent global shortfall in supply is expected, according to the Carbon Disclosure Program’s (CDP) Water Program.</p><p>By 2050, an inadequate supply of water could reduce economic growth in some countries by as much as 6 percent of GDP, “sending them into sustained negative growth,” says a recent World Bank report, High and Dry: Climate Change, Water, and the Economy. Regions facing this risk include India, China, the Middle East, and much of Africa. Water insecurity could also ramp up the risk of conflict and instability—droughts can spur a spike in food prices, which can in turn cause civil unrest and increase migration. While 2050 might seem quite far in the future, water-related challenges are happening right now. The World Bank report also found that 1.6 billion people currently live in nations that are subject to water scarcity, and that number could double over the next two decades.</p><p>Moreover, a water crisis can have a devastating effect on the global economy. The CDP’s Water Program estimates that, if current status quo water management policies are sustained worldwide, $63 trillion in assets will be put at risk. Such economic challenges are highlighting the importance of improved water governance, which includes an emphasis on positioning the water supply so that it is more resilient in the face of challenges due to demand, the environment, and other factors, says Hart Brown, who leads the organizational resilience practice at HUB International and is a member of the ASIS International Crisis Management and Business Continuity Council.</p><p>“In light of the case in Flint, as well as droughts, floods, and the potential competition for water resources, improved water governance is being brought to the forefront of many conversations,” Brown says. When resilience enters the conversation, the challenge becomes creating an “adaptive capacity,” or “diversification of the water and sanitation systems.” </p><p>However, there is no one resilience model that can be successfully replicated for all water supply and treatment plants, because each system is a unique combination of human, technological, and environmental factors, Brown explains. In the United States, a wide range of water systems could potentially benefit from resiliency upgrades, he says. Those include conventional utility piped water supply systems; dug wells and tube wells (wells in which a long pipe is bored into an underground aquifer); rainwater harvesting operations; unprotected water sources such as rivers and streams; and cooperative developments in areas that share transboundary water resources.</p><p> Improving the resiliency of any water system takes investment, but just as important, it takes sound science, Brown says. </p><p>“Water managers need access to the best available scientific information and water risk assessments to support these long-term water-related decisions, including the ability to forecast and plan for important capital expenditures,” he explains.  Businesses also have a role to play, especially those that rely on water for production, manufacturing, agriculture, and power generation purposes, he adds. Some businesses are already being strategic in this area; they consider shared responsibility and sustainability of water systems a core function. </p><p>“Partnerships with local communities are important in the ability to overcome shared water risks,” Brown says. </p><p>Globally, improved resiliency and water management practices, if given sufficient investment, have the potential to pay tremendous dividends, the World Bank report argues. It calls for a three-point approach: improving resiliency to extreme weather events by improving storage capacities, reusing facilities, and other tools; optimizing the use of water through better planning and incentives; and expansion of the water supply, where appropriate, through recycling, desalination, and damns.</p><p>“While adopting policy reforms and investments will be demanding, the costs of inaction are far higher. The future will be thirsty and uncertain,” the report says.</p>GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465