Risk analysis, risk management, risk mitigation
This brings us to the second main aspect: Risk analysis, risk management, risk mitigation. But what is the risk of COVID-19? Deaths, obviously. But it is not so easy. A risk has a probability and an impact. The probability to get infected and then the course of the sickness. That’s it! Then the response to COVID-19 is clear: Reduce infections, because life is the highest value at all. Complete lock down! That’s what many political decision makers are executing now.
But risk management professionals like us know that it’s much, much more complex. Most people don’t understand risks, and are not able to assess risks, At ObjectSecurity, we are working on risks in complex IT systems for many years. We have learned how to model systems, and how to automatically assess and mitigate cybersecurity risks. We have learned how to analyze risks in complex supply chains. If I now apply the lessons, we have learned to the current COVID-19 crisis, I get very nervous. First of all, we have learned that risk assessment has to be based on facts, not on rumors or opinions or more or less educated guesses. There is often a huge gap between what people think about their systems and the reality. You only see a problem if you look for it. In the COVID-19 case, this means that testing is most important. You need to know all the data for epidemic modeling, like incidence and incidence rate, basic reproduction number or lethality. You also need a lot of fine-grained data of your health system, e.g. numbers of ICU, respirators, ECMO units and so on. Single figures, like the number of infections, are meaningless if not set in context. Based on these numbers, we could make realistic epidemiological predictions, e.g. using the SEIR model.