Now I don’t know about you but, after months of Covid restrictions, there is now little left to watch. Having whistled my way through the entire MCU and the Star Wars nonet during lockdown I found myself flicking through the documentaries looking for something new to watch to decompress after a long day. I’ve avoided the documentaries during the pandemic as it reminds me too much of places that I would love to visit…but can’t. Anyway, I could resist no longer and found myself immersed in the story of Angkor Wat. Watching through the lens of a Risk Management professional I found myself analysing how the city came to fall and how such situations still occur today. How trying to fix one problem exposes organisations to a whole new set of problems, when the environment suddenly changes…here’s how to avoid the impact of one risk event causing a cascade of events that ultimately leads to catastrophe!
What is Angkor Wat?
According to History,com Angkor Wat “is an enormous Buddhist temple complex located in northern Cambodia. It was originally built in the first half of the 12th century as a Hindu temple. Spread across more than 400 acres, Angkor Wat is said to be the largest religious monument in the world. Its name, which translates to “temple city” in the Khmer language of the region, references the fact it was built by Emperor Suryavarman II, who ruled the region from 1113 to 1150, as the state temple and political centre of his empire.“
What happened?
Angkor Wat has been dubbed a “hydraulic city“. The city was powered by water and the engineering employed was second-to-none at the time. Rains fell over the Kulen mountains, far above the city, and a series of tributaries sent this precious water downhill. The civil engineers built dams, irrigation channels and other complex water management systems to get the water exactly where it was needed. The system was originally designed to cope with flooding from the annual monsoon. Surplus water was redirected back out of the city or bypassed entirely to a lake in the south. For hundreds of years the city flourished…but then the climate changed!
From the middle of the 1300s, the climate turned an abundance of water into a persevering drought. The archaeological record appears to show the engineers then hurriedly adapting to the change in climate that now needed to get the maximum out of a now limited flow of water. They blocked bypasses, created dams, and narrowed channels. All the thought that went into the original water management system went out of the window as the firefighting mentality kicked in. For a while the city managed to limp by…but then the climate changed…again!
The monsoon rains returned and the floodwaters were now allowed to run rampant. Natural watercourses were cut off, canals became blocked with sediment and bypasses, that were no longer maintained were useless in stemming the excess water. The ensuing floods savaged the city’s infrastructure and ultimately, so is hypothesised, is a major factor leading to the city’s collapse.
Cascading risk
Cascading risk is a concept that has been around since at least the 1980s. In layman’s terms it’s the principle that, often, risks are linked and failing to manage one risk could lead to impacts downstream. In the case of Angkor Wat, the management of drought risk failed to consider the impact of the original flood risk returning. In both cases, the cascade effect was the manifestation of the city’s economic risks…ultimately leading to full collapse.
If we use some more recent examples, national government’s attempting to manage the risk of the covid pandemic on the economy has led to a significant increase in the health risk…leading to the need for a second lockdown (in the case of the UK) and ultimately leading to a bigger hit to the economy had the original health risk been managed properly.
Outside the pandemic, a good example of cascade risk in technology is where a critical server is having a meltdown and can’t be accessed. The engineer opens up the firewall so that all traffic comes through quickly solving the problem…but ultimately exposing that same firewall (and others) to a significantly increased risk of becoming taken over by a hacker!
Another good example, again in technology, is in change management. Often “little” systems, in of themselves, don’t score highly in the “criticality” scoring system. They then get ignored in terms of configuration, security, maintenance, and upgrades. That little system connects two critical systems together and when it falls down, those two larger systems are going to fall down too!
What can we do to manage cascading risk?
The first thing you can do is stop thinking about risk in a one-dimensional way. Map out your risks and how they join together. Map out your assets and how they join together. It is highly unlikely that anyone risk in your organisation stands alone. If you find a risk that does stand-alone, then there is probably a risk you have yet to identify. Find out what that risk is – it’s a blind spot! Once you understand how your risks are interconnected, then apply appropriate controls to manage that risk. For example, in change, all systems in the data flow should be assessed, not just the start and end…
…and if you need any help assessing and managing your cascading risks, get in touch!
About Fox Red Risk
Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing control frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.
