Skip to Content

​6 Risk Management Lessons I Learned From Hurricane Dorian

Blogs Richard F. Chambers, CIA, QIAL, CGAP, CCSA​, CRMA Sep 09, 2019

​The recent storm provided several risk management lessons both at the organizational level and on a personal level that deserve sharing.

In the following blog post, I examine what risk management lessons we can learn from the recent impact of Hurricane Dorian on the Bahamas and the U.S. East Coast. I cannot do so without acknowledging the significant destruction and loss of life the storm caused in the Bahamas. I encourage my readers to look for opportunities to support relief efforts for the islands. This article provides a list of legitimate relief organizations readers may wish to consider.

The Bahamas and U.S. East Coast were battered by Hurricane Dorian, bringing significant destruction and loss of life to some areas while sparing others. The approach of the powerful and destructive storm toward Central Florida triggered implementation of The IIA Global Headquarters' emergency management plan. Fortunately, the storm's impact on our global headquarters ended up being minimal for The IIA and its staff.

However, Hurricane Dorian provided several risk management lessons both at the organizational level and on a personal level that deserve sharing.

Assessing Dorian's Risk. Weather forecasters identified the potential for Dorian to build into a major hurricane with Florida squarely in its path more than a week ahead of its actual arrival. While the likelihood of a direct impact was still uncertain, the potential for significant damage was quite clear.

Identifying the risks and likelihood well ahead of the actual impact provided the time to assess varied options on how best to prepare. Additionally, I was able to tap into my experience with a very similar hurricane path just two years earlier.

Lesson 1: Act decisively to leverage the gifts of time and experience to assess emerging risks and potential mitigation strategies.

Preparing for Dorian. When forecasters first began discussing the potential for the storm to develop into a hurricane, I was in Africa nearing the end of an extended visit to IIA affiliates. I took some comfort in knowing The IIA has in place a crisis management plan for significant weather events, and I was in constant contact with IIA staff about executing the plan if and when Dorian might pose a direct threat to headquarters. On a personal level, I had to decide how best to address the risk to my home, located just a block from the Atlantic Ocean.

One consideration was the costs associated with initiating plans to mitigate the risks, both at The IIA and at my home. For example, I had to weigh the costs associated with closing the headquarters building in terms of potential lost productivity against the well-being of more than 200 IIA employees and their families. I also had to consider whether to pay someone to put up hurricane shutters at my home, because I was not there to do it myself. The storm's predicted path remained in question, with some potential tracks avoiding a strike on the U.S. mainland. Despite that, both decisions ultimately were easy. What could be viewed as costs of proactive mitigation were instead investments in minimizing Dorian's potential impact.

Lesson 2: Risk mitigation comes with a cost, but cost is just one factor when deciding strategies and actions based on the best available information.

Testing Emergency Plans. The IIA was among dozens of cities, thousands of companies, and millions of people who initiated plans to address the threat from Dorian. In many cases, this meant executing existing crisis or emergency management plans that had been developed and put away until they were needed. The IIA learned a valuable lesson about how such plans can be weakened or even rendered useless by forces outside of an organization's control.
In a crisis, communication is vital. You can imagine that keeping in touch with more than 200 employees during and after a major hurricane would be a significant challenge. Electric utilities could be interrupted, for example, but from experience we knew cellular telephone services would probably survive or quickly be restored. Our plan was to use an automated texting system to inform employees about when to return to work. However, unbeknownst to The IIA, some U.S. cellular service providers had adopted policies that blocked many mass texts, presumably to discourage scams or unwanted product solicitations. We quickly identified an alternative using an automated calling system, but had we not tested the system, we would not have been able to communicate with a large percentage of our staff.

Lesson 3: It's not easy to mitigate risks. Just like crisis management plans, all mitigation strategies should be tested and updated on a regular basis.

Investing for the Future. I mentioned earlier the benefits of relying on my experience in dealing with a previous hurricane. In 2017, Central Florida was hit by Hurricane Irma, which caused substantial damage to the area, including knocking out power for weeks in some of the worse-hit areas. At that time, I bought a generator for my home to mitigate the impact of losing power.

After the storm, power was quickly restored to my area, so I was happy to pass the generator on to an acquaintance, whose home remained without power for much longer. Two years later, as Dorian, now a major Category 4 or 5 storm, was devastating the Bahamas, and a track along Florida's East Coast remained a real possibility, I found the need to open my wallet again to pay for a second generator.

Lesson 4: Risks can ebb, but they never fully disappear. Decisions to remove or ease risk management controls and processes should be carefully weighed against the potential for a recurrence of the risk.

Preparing for Dorian's Aftermath — Ahead of Time. One of the biggest challenges organizations face after a hurricane strikes is minimizing disruption to services. Getting a business up and running as soon as possible could mean the difference between recovery and permanent closure. Indeed, according to the U.S. Federal Emergency Management Agency, almost 40 percent of small businesses never reopen their doors after a disaster.

One key to quickly rebounding after a hurricane is to line up services to deal with the aftermath — before the hurricane strikes. I made similar arrangements with the service that put up the shutters on my home to return after the storm to assess and mitigate any damage.

Lesson 5: Risk management strategies must include scenarios for a post-risk event.

Forecasting Dorian's Destructive Path. Loyal readers of my blog know that I am fascinated by meteorology and often use weather analogies to explain internal audit and risk management. With Hurricane Dorian, I was struck not only by the ample warning meteorologists provided, but by the ultimate accuracy of their forecasts.

As the storm approached, sophisticated tracking models that rely on input from weather satellites, up-to-the-minute information from Hurricane Hunter aircraft sent into storms, and other data predicted the storm would stall over the Bahamas, then turn away from Florida. As little as 20 years ago, forecasts could not have provided that level of precision on a path. Faced with such uncertainty, government officials might have ordered mandatory evacuations for much of the state.

Lesson 6: Leverage the latest available technology to identify, mitigate, and manage risk.

I could probably make similar risk management observations after any natural disaster, but the difference between Dorian's impact on the Bahamas versus Florida truly showed how dynamic risks can be. It provides a valuable reminder that risk management is as much art as it is science.

Richard F. Chambers, CIA, QIAL, CGAP, CCSA​, CRMA

Richard F. Chambers is president and CEO of The IIA. In Chambers on the Profession, he shares his personal reflections and insights based on his more than 40 years of experience in the internal audit profession.