Many HILF risks fall into two primary categories: natural disasters and deliberate attacks or acts of war. These risks have the potential to cause catastrophic impacts, but either rarely occur, or, in some cases, have never occurred. HILF risks present unique challenges to risk managers. They fall into a category of macro-prudential risk, which behaves differently than most forms of business risk.
As HILF risks occur very infrequently, the success or failure of a response is more dependent on thorough planning and preparation than on operational experience. The ability to effectively respond to a changing threat environment — especially in the case of an adaptive attack — will be measured by the efficacy of the system operator’s initial response. The operator will rely on the sophistication of the tools under his immediate control and his training in those circumstances, neither of which can be provided in the minutes preceding an event. These tools and the training needed to ensure an appropriate response must be developed and deployed well in advance of the event.
Like other risks, HILF risks generally have three components: threat, vulnerability, and consequence. The threat is the external act itself; vulnerability, the portions or characteristics of the system that could be affected by the act; and consequence, the outcome of exploiting such vulnerability. Each of these areas must be considered to obtain a full understanding of the risk.