One of the interesting things I found, while doing research for the book, “Risk Based Thinking For Government”, is that Risk-Based Thinking (RBT) has permeated so many activities in government. RBT is a two-step process. The first step is to recognize that risks exist and to assess and prioritize them. The second step is utilizing the prioritized information to make decisions.
RBT became an internationally identifiable process, when the International Organization for Standards (ISO) included RBT in its quality management system certification, ISO 9001:2015. Because of its international prominence in quality management systems, it is seldom recognized how much RBT has seeped into to other government activities. One such activity, is the development of Smart Cities.
Smart Cities
Smart Cities are urban centers that integrate internet and physical technologies with infrastructure to improve environmental quality and enhance economic efficiency. The combination of internet and physical technologies does, however, create risk. While the risks to physical technology and infrastructure are known, as are the risks associated with cyber- attacks, the risks resulting from the combination of the two are not fully understood. The United States Department of Homeland Security (DHS) notes, the combination of the two increases the number of system access points. This gives attackers multiple ways to attack the system. Other combined effects are:
- Loss of visibility into all the parts of the system
- Cascading failures: humans will not be presence in areas of the system they once were.
- Unanticipated permutations of automated functions.
- Unintentional elimination of manual overrides.
What makes these risks important is the fact that the inclusion of smart technology in traffic signals, water and sewage treatment plants and electric utilities, means that attackers can not only disrupt operations, but cost lives and do signification economic damage. These are important risks, but not unexpected in terms of requiring RBT. What was unexpected, appeared in India’s The Smart City Challenge Application.
Indian Smart Cities
On January 28, 2016, the Indian government announced the first 20 of eventually 98 cities, to receive monies under their smart cities initiative. The initiative is to provide funds to help kickstart the city’s smart city development. The expectation is that in five years these cities will become recognized as Smart Cities. The 98 cities include, capital cities, business and industrial centers, cultural centers, ports and education and health care hubs. What is surprising is not that India has a smart city initiative, but that in its application process it required the applicant to not only present a Strengths, Weakness, Opportunity, and Threat analysis, but to identify potential risks and detail mitigation efforts. The table below shows the risks and mitigation efforts included in the New Delhi Municipal Council (NDMC) Smart City Challenge Stage 2 submission.
| Risk | Likelihood | Impact | Mitigation
|
| Behavioral Risk:
Internal to NDMC Citizen Stakeholder |
High | Medium | Organizational realignment
Capacity building within NDMC Implementation of ICT based monitoring Structured dialogue process with citizens for conflict resolution Involving Senior Leaders and Personalities in crafting constructive citizens participation |
| Technological Risk
Readiness of NDMC Gateway constraints for managing the required bandwidth Cyber Security |
Medium | Medium | Ensure redundant connectivity such as fiber, wireless, RF, ultra-narrow band, power, line communication.
Upgradation of existing communication infrastructure to work with proposed smart solution. Stand-by arrangement for bandwidth from alternate ISPs. Training citizens and NDMC employees on social engineering based cyber-security attacks. Adopting strong cyber-security measures. |
| Project delay due to:
Change in key individuals managing the projects. Delay by vendors. Litigation by unsuccessful vendors. Technological obsolescence during implementation
|
Medium | High | Fixed tenure for key champions.
Impose high deterrent penalties on vendors. Strong procurement management through external consultants. Detailed consultation with cutting edge technologists to limit obsolescence.
|
While many of the risks are like those associated with project implementation, the inclusion of RBT in the application process did three things. First, it signaled to the applicant that there are risks associated with smart city development and these risks need to be identified at the outset. Second, RBT became part of the evaluation and scoring process. Third, RBT became part of smart city development administrative process. This is because, there is the expectation, the stated mitigation actions will be implemented, and the smart city project develops.
Conclusion
With the inclusion of RBT in ISO 9001:2015, it has become part of the international quality systems management landscape. The influence and use of RBT, however, goes beyond quality systems. It has become a standardized management practice. In fact, it often shows up in surprising ways. This can be seen in the Indian national government’s inclusion of risk mitigation as part of The Smart City Challenge. The application requires the city to identify risks that could impact the development of the smart city project and their mitigation efforts. The inclusion of risk mitigation accomplishes three things. First, it signals that RBT should part of the smart city project development from the outset. Second, RBT is to be part of the scoring for funding. Lastly, it signals that there are substantive risks that can inhibit the development of the smart cities. Consequently, for the project to be successful and to help ensure that funds are not wasted, these risks and mitigations need to be not only identified at the outset but implemented.
Bio:
James J. Kline is a Senior Member of ASQ, a Six Sigma Green Belt, a Manager of Quality/Organizational Excellence and a Certified Enterprise Risk Manager. He has over ten year’s supervisory and managerial experience in both the public and private sector. He has consulted on economic, quality and workforce development issues for state and local governments. He has authored numerous articles on quality in government and risk analysis. jeffreyk12011@live.com