Poor application of risk assessment

I am cleaning out some old email and found a note I sent to our campus office of risk assessment a few years ago. What prompted the letter was being told that my grant account was automatically being charged for university overseas travel insurance — despite the fact that I already had automatic, free comprehensive insurance through my credit card issuer.

I wrote to complain about the apparent lack of actual thinking about risk that went into the decision:

I want to point out that your insurance policy is actually rather silly, especially considering that I already have travel insurance through my credit card company at a level higher than your mandatory university insurance.

I am not a candidate for suicide or extreme alcohol abuse, and don’t participate in amateur events where I would sprain more than my brain. Because of my advisory positions, I actually have better coverage in war zones under the Geneva conventions than any insurance can provide, if taken prisoner. I am unsure about the AmEx coverage for civil unrest and unlawful acts (which I hope you have covered in the US at a similar level, as it is more likely here than at some overseas locations).

My chief concern is that I have at least partial (if not equivalent) coverage, and I assume many other Purdue faculty do as well. From a risk management point of view, the incident of significant loss for travel to most countries is extremely low, and the overall expected cost for aggregated insurance premiums would seem to be much greater than any anticipated loss where coverage is really needed.

For example, I am currently at Oxford University in the UK — not quite the “Mos Eisley” of world locations (“A wretched hive of scum and villainy”). Coverage for acts of war and natural disasters is really a rather questionable use of funds for this visit, especially given current budgets. Were I to head to Italy or Greece (active earthquake zones), or Russia or Mexico (significant crime problems) or to participate in the running of the bulls in Pamplona, then I could understand the need for additional coverage.

I appreciate that Purdue cares about evacuating my pitiful remains in the event of a disaster, or might possibly intercede if I was thrown into a Turkish prison on trumped-up charges (although please don’t ask my department head or colleagues for their endorsement of that action), but it seems to be an overall waste of my funds to compel blanket hazard insurance for all foreign travel when the risks are either partially covered, or not likely for every destination and traveller. Blanket decisions are usually in response to prior unanticipated, unusual instances and address risk perception rather than actual risk — and I know because I study this area (risk and security).

I encourage you to re-examine the policy.

Sadly, the policy was not changed, and I never got a good response to my email.

Too much security is based on faulty ideas about risk. Bob Courtney recognized this decades ago with his first two laws:

  • Courtney’s first law: You cannot say anything interesting
    (i.e., significant) about the security of a system except in
    the context of a particular application and environment.
  • Courtney’s second law: Never spend more money eliminating a
    security exposure than tolerating it will cost you. (See:
    acceptable risk, risk analysis.)

It is worth listening to Bill Murray explicate all 3 of Bob’s laws in one of his podcasts.

3 Responses to “Poor application of risk assessment”

  1. adeta00 Says:

    Darn it! I clicked that link expecting to see Bill Murray and instead I got William Murray?!?


  2. Michael Rowan Says:

    It’s funny Spaf, I have this conversation all the time but not about computers. As a skydiver and BASE jumper, I’m constantly having people (in technology) question my skills at risk assessment (assuming that I suck at it). My contention is that because of the obvious potential costs of the risks I take, I’m actually *much* better at risk assessment than most of my peers. I’m not wondering if these are skills I picked up while your student?!?

