A group of Chicago tourists returned from China carrying a novel influenza virus. Virulent and transmitted through human contact, the disease quickly spread across the country. Hospitals were overrun with patients. Medical supply chains failed. First responders and their families soon became the second wave of victims. And the U.S. federal government, lacking both funding and a plan, floundered in its response.

All told, the disease infected 110 million Americans — more than 580,000 died.

Sound familiar? If not for a few noticeably off details, this story could be a recounting of the COVID-19 pandemic. But it’s actually a summary of Crimson Contagion, a simulation exercise run by the U.S. Department of Health and Human Services (HHS) in 2019.

The exercise aimed to measure the federal government’s capacity to respond to a viral pandemic, and its findings showed that the U.S. was woefully unprepared. It lacked sufficient funding, production capacity, and clarity on the roles of different agencies. Nor were these frailties unanticipated; they stood in line with two decades of similar analyses.

The risk was clear: When a pandemic hit, not if, the government would be unable to muster the U.S. health system to meet the threat. 

The government’s response to HHS’s warnings and recommendations? Nothing. A year prior, the White House had dismantled a National Security Council directorate for pandemic preparedness. Nothing substantial replaced it.

It’s an anecdote that wouldn’t be newsworthy if not for the timing. A few months after the report, the COVID-19 pandemic hit. Then-President Donald Trump would later claim coronavirus “blindsided the world.”

A hospital in Santo Andre at the peak of the COVID-19 pandemic in 2021. (Credit: Gustavo Basso / Wikimedia Commons)

Risky business

Retired U.S. Army General Stanley McChrystal opens his book Risk: A User’s Guide (co-authored with Anna Butrico) with the story of Crimson Contagion because it points to an important fact: We are lousy at assessing risk. 

Whether as nations, organizations, or individuals, we tend to overestimate our vulnerability to improbable threats, underestimate the likelihood of credible ones, and assume we have far less agency than we do.

“In retrospect, Crimson Contagion was a diagnosis whose illness went untreated,” McChrystal writes. “The simulation accurately predicted our unpreparedness, and the subsequent outbreak of COVID-19 revealed failures across a range of factors that were ultimately in our control — factors we must learn to understand and influence if we are to effectively manage risk.”

And the pandemic was hardly a solitary misjudgment. As McChrystal noted in an interview with Big Think+, the last few decades have seen several high-profile risks come to realization. The 9/11 attacks and the Great Recession are two prominent examples.

Not a prediction. Just predictable.

Of course, it’s easy to look to the past and argue that any disaster could have been averted had only this or that person gone with plan B instead of plan A. Such backward forecasting isn’t McChrystal’s project, though. Misfortune happens, and some risks are inescapable.

His point is that none of these threats “blindsided the world.” The risks were known in advance. Precedent alone forewarned their potential as history has been plagued by not only pandemics but terrorist attacks and unregulated bubbles that went pop.

Yet, those in charge of managing these risks took a blasé attitude to the system’s vulnerabilities instead of proactively controlling what they could. Had they done so, yesterday’s leaders might have reduced the damage done.

“If you go across any number of crises that come, in many cases those risks were actually very predictable — not in an exact time or form — but in the fact that they would arise,” McChrystal said.

A child receives a polio vaccine drop in Gwalior, India, to reduce the risk of contracting and spreading the disease. (Credit: Shobhit Gosain / Wikimedia Commons)

The risk equation

To help people better think about risk, McChrystal has created a simple equation: Threat × Vulnerability = Risk. 

This equation isn’t meant to be an exact science. McChrystal doesn’t advocate for calculating risk to the nth decimal before taking action. Rather, his aim is to provide a shorthand for adjusting our attitude toward risk. He wants us to better conceive of and anticipate risk by assessing the relationship between the external threat and our internal vulnerability.

Polio offers an applicable example. This frightful disease can cause fatal paralysis if it affects the muscles used for breathing. It’s also very threatening due to its high infection rate, especially for children in poor or marginalized communities where medical resources are sparse. Because polio is so threatening and children so vulnerable, the risk for such communities multiplies.

However, people aren’t without recourse. The polio vaccine is 99-100% effective, and while there’s no cure, the vaccine can prevent infection in children who receive a full four-dose regimen.

Using McChrystal’s equation, we see that no matter how threatening polio may be, the risk is effectively zero as long as the vulnerability remains so low. (Any number multiplied by zero is zero, after all.) And the last few decades have witnessed that calculation play out in real-time.

The World Health Organization, the Global Polio Eradication Initiative, and their partners have set out to immunize children across the world. Thanks to such efforts, polio cases worldwide have shrunk from an estimated 350,000 in the early 1980s to a reported 33 in 2016. Today, the risk of polio in much of the world is zero, and the number of communities that remain vulnerable is shrinking.In time, hopefully, polio will join smallpox as a disease that no longer threatens anyone.

A graph showing the decrease in reported cases of paralytic polio in high-risk countries. (Credit: Our World in Data)

A defense-oriented mindset

While ‘risk zero’ isn’t always a possibility, we can still reduce risk by managing those variables within our control.

“So, what do we have control over? Our vulnerabilities,” McChrystal said. “Not complete control, but we have a lot of agency there. We can make ourselves stronger. We can make ourselves more able to withstand threats that arise.”

This was the HHS’s hope with Crimson Contagion.

Novel diseases are an external threat that we will never dominate. They spring up as evolution does its thing, and some microbe will eventually find humans a fitting host. We will always be at risk, but any step taken to reduce vulnerability simultaneously reduces that risk and, if we’re thoughtful, the fallout.

Had the federal government taken the HHS’s recommendations, it would have shored up production capacity, clarified the roles of federal agencies, and developed communication channels between those agencies and the public. None of which would have prevented the pandemic, but any one of which may have helped us navigate it with less confusion, waste, and loss of life.

Strengthening our risk immune systems

By changing our attitude toward risk, we can begin the work of strengthening what McChrystal calls our “risk immune system.” Like a body’s natural immune system, a risk immune system can’t eliminate external threats. But once it detects them, it can assess, respond to, and learn about them to limit vulnerabilities and the risk of future exposure. 

Like its bodily counterpart, the risk immune system is only as strong as the habits and routines that maintain it. In place of exercise and diet, McChrystal recommends strengthening a risk immune system through what he calls “risk control factors.” 

In his book, he recognizes and discusses ten such factors: communication, narrative, structure, technology, diversity, bias, action, timing, adaptability, and leadership. Each one of these scales from assessing personal risk up to the risks faced by organizations and societies. For this article, we’ll preview biases and assumptions.

Biases and assumptions are rooted in our experiences and knowledge. While unavoidable, left unexamined, they can degrade our risk immune system by affecting our judgment. That’s because, as McChrystal writes, they have the power to “refract facts and realities in a way that can prevent the accurate identification, assessment, and mitigation of risks.”

Thinking about risk

Some historic examples of assumptions leading to people exposing themselves or others to unnecessary risks:

• Many banks, investors, and even the SEC failed to perform their due diligence in questioning Bernie Madoff’s investments. They assumed past performance guaranteed future credibility. In reality, Madoff was running a multi-million dollar Ponzi scheme. 
• Multi-level marketing companies, such as Amway,  use “imperfect disclosure” during recruitment pitches to prey on people’s biases by focusing on outlier successes instead of typical cases. Once they’ve joined, people often have difficulty leaving thanks to the inertia bias — the tendency to stick to a chosen course of action.
• Many people have chosen not to be vaccinated against COVID-19 because of the extremely rare side effects, such as inflammation of the heart muscles (myocarditis). They may assume that inaction is less risky, yet myocarditis and a host of other risks are much more severe in those infected with COVID-19.

These show that while external threats exist, the risk multiplies only after a poorly considered action on our part. As McChrystal said, “It all comes back to the idea that the greatest risk to us is us.” McChrystal said. “[But] if you strengthen your risk immune system, when the unexpected happens — which you should expect — you’re going to be more resilient.”

Learn more on Big Think+

With a diverse library of lessons from the world’s biggest thinkers, Big Think+ helps businesses get smarter, faster. To access Stanley McChrystal’s expert class for your organization, request a demo.

Sometimes we are reminded that the greatest risk to us is actually us.

If you go across any number of crises that come, in many cases those risks were actually very predictable, not in exact time or form but in the fact that they would arise. Before the 9/11 attacks that hit the World Trade Center in New York, all of the information necessary to stop the plot existed within the United States government. With the 2008 financial crisis, many of the causes of that were both set in place by action inside Wall Street, but they were also recognizable. Of course COVID-19, we've seen pandemics regularly for centuries, and we have a great understanding of public health. So we should've had the capacity to deal with it.

And so the question is, why don't we get it right? Why do we drop the ball so often?

I'm Stan McChrystal. And the most recent book that I've been a part of, I co-authored with Anna Butrico, is Risk: A User's Guide.

I've really come to have a different way of thinking about risk. I now think about it almost like a mathematical equation: threat times vulnerability equals risk. There are many threats out there in the world. If we were able to do away with them, to drive them to zero, our risk would be zero no matter how vulnerable we were because anything times zero is zero.

But none of us live in that world. We just don't have control over threats like that. So what do we have control over? Our vulnerabilities. Not complete control, but we have a lot of agency there. We can make ourselves stronger. We can make ourselves more able to withstand different threats that can arise.

We are all blessed with a human immune system. It detects threats to us, assesses those threats. It responds to them, normally kills them, and then it learns from it. I would argue that organizations and societies have the equivalent. They've got a risk immune system, factors that work together to allow us to detect threats, assess them, respond, and then learn in that process.

And so just as we have to keep our human immune system healthy, we have to build and keep healthy our risk immune system. If we don't tend to our risk immune system, we essentially become vulnerable to anything. No one ever died from HIV/AIDS. They died because their immune system was weakened, and then some smaller disease killed them which normally wouldn't. That can happen with any threat if you're not strong.

I'm often asked what do I think the greatest risks in the world are, or what keeps you up at night? In a geopolitical sense, of course, Vladimir Putin and Russia, but also the potential conflict or competition between China and the United States. The rise of North Korea as a nuclear power.

And then, of course, much more broadly, we have things like climate change. It's a slow-moving crisis. It doesn't happen overnight. So sometimes we're lulled into thinking, "Well, we can get to it tomorrow." Or something like education in America — in my country, education is not as strong as it needs to be. We don't produce enough qualified people for the kind of workforce we're going to need in tomorrow's economy.

And then, our own inability to get things done. Political partisanship has gotten to the point where it makes it difficult to do routine things, to vote routine legislation through, to do all the things that a government and a society has to do almost automatically or reflexively. And when we struggle to do those things, then external risks, like COVID-19, or God forbid, a conflict or economic challenge, have much greater impact on us. And it comes back to the idea that the greatest risk to us is us because we don't do those things to strengthen our own defenses.

So how do you build that resilience? How do you make the risk immune system work? If you're trying to strengthen an organization, you have several risk control factors, which will never be perfect. They'll never be all as strong as you'd like them to be, but they work together.

So for example, one of the ways we can check our strategy or our plan is to check our assumptions. We have certain facts, things that don't change, and we can accept those as facts for our planning. And then we have things we're just not sure of, things in the future, typically. What will be market conditions? What will interest rates be? What will the availability of certain people to hire be? And we have to make assumptions because you have to have something to work with to develop your plan. But the danger is those assumptions could be wrong.

So do an assumptions check. Go back to your plan, pull out all of the key assumptions you based it on. Because often you make the assumptions under some conditions, and things change over time. And those assumptions now are much less valid. They may have changed, or you just may know more. In military operations, that's one of the most dangerous things is to have misleading assumptions or invalid assumptions, and the same is true in business.

If you strengthen your risk immune system, when the unexpected happens — which you should expect — you're going to be more resilient. Your people will be more mentally and physically prepared to respond to that, and that's the payoff.