Emergent Endogenous Risk in System-Based Industries

The type of catastrophe that emerged within the global finance system will emerge there again, in different ways, and will also emerge within other critical systems like food, energy, communications, and information technology.

The subprime mortgage crisis of 2008 showcases a new category of system-wide risks that emerge from the collective behavior of individual institutions.  This new category of threats should be included within national infrastructure assurance plans.

A key response to the subprime contagion within the banking sector is in the form of macroprudential policy: policy seeking to improve resilience of the entire system, not just the institutions within that system. The need for macroprudential policy is not confined to banking and finance however; it applies to all system-based infrastructure sectors including communications, energy, food and agriculture, and information technology.  This paper demonstrates the existence of systemic risks to information technology to justify extension of macroprudential policy approaches to this sector.

This policy/risk mismatch summarized here arises from an aggregate decline in backup power capacity across U.S. data centers, yielding increased vulnerability year-on-year to sustained power outages.  A service failure within the energy/electricity sector may exceed in duration the threshold of tolerance of numerous data centers simultaneously as a result of the annual decline in backup power capacity.  This simultaneous trend across numerous individual actors creates an emergent endogenous risk to the system overall. This risk category that ‘emerges from within’ stands in stark contrast with the prevailing cybersecurity focus upon deterring exogenous risk.

Doing nothing has the lowest explicit cost in the short-term but will eventually result in a massive negative economic impact in the long term.  Innovative tactical regulatory approaches, such as policy for green data centers, can reduce exposure to this specific systemic risk while delivering other public benefits (e.g. lower carbon footprint), but fail to address the broader issue of other emergent endogenous risks.  The most effective approach is to nurture enterprise adaptive capacity, also known as enterprise resilience, through macroprudential policy approaches.  Borrowing innovation discovered through urban and environmental policy such as those epitomized within the Stockholm Resilience Centre, would be a good place to start.

Government Procurement of Green Data Centers

Information technology data centers are facilities that house a vast array of computer systems and equipment. Data centers are pervasive throughout the United States (U.S.) government, and are required to effectively manage the scale and complexity of information technology processes required to deliver various government services. Data centers support a multitude of critical business operations and information processing services for the federal government.

A significant amount of energy is required to power and cool the servers that compose a atypical data center. Since 2000, the overall rate of energy consumption for U.S. data centers, sourced primarily from polluting energy, has grown at an average of 14 percent per year. This trend is projected to continue as information technology services become ubiquitous. Moreover, research suggests that government dependency on scarce/vulnerable energy resources may have adverse consequences (i.e., security and aggregate cost concerns). However, a federal procurement guideline for green data center energy is still absent. This is an issue that must be remedied.

This report, “Green Data Center Federal Procurement Options,” compares alternatives to current data center service procurement trends based on: (1) total emissions, (2) relative cost, (3) performance, and (4) feasibility. Overall, the research herein suggests that, due to the complexity and variety of data center technology needs, a transformative green policy option is not currently available for data center services. However, it is recommended that the Office of Federal Procurement Policy (OFPP) mandate energy measurement standards and encourage agency procurement officers to incorporate the Energy Star® Program guidance into future data center procurements.

How does one achieve Enterprise Resilience?

Resilient enterprises emphasize the strategic management of risk through the reduction of negative consequences rather than the reduction of probability. Yossi Sheffi of MIT asserts that strategic resileince yields competitive advantage over time. We agree, but how does one effectively manage for resilience, or for that matter how can we improve enterprise security overall?

One key approach is to establish an effective enterprise architecture process within the investment planning cycles, to continously align the design of new investments to the organizational strategy. If resilience is a part of this strategy, then enterprise architecture will incorporate resilient approaches into each iterative change to an organization.