When control operators and their managers in large critical infrastructures know that some events must never happen—the nuclear reactor shouldn’t blow up, the urban water supply shouldn’t get cryptosporidium, the electricity grid shouldn’t island—and we know that they know because they behave accordingly—then better practices emerge for ensuring those events do not happen.
Mandates to reliably preclude certain events put enormous pressure on operators to focus on, and adapt, the practices that are already working to meet those mandates. Where better practices do emerge, you know that others, who face political, economic and social constraints of their own, have nonetheless cleared a bar higher than the one you yourselves are currently clearing under very similar constraints.
If so, then conventional risk analysis gets its questions only half right, because it stops short of the other questions that should be asked beforehand. The conventional questions, “What could go wrong?” “How likely is that?” and “What are the consequences if that were to happen?” should be preceded by: “What’s working?” “What’s even better?” “How can we get there?” and only then do we ask: “What could go wrong in trying to get there?” “How likely is that?” and “What are the consequences if that were to happen?”