November 2019: Sunshine Coast Hailstorm

by Salomé Hussein, Foster Langbein, Jacob Evans

On the afternoon of November 17th, 2019, the Bureau of Meteorology (BoM) issued a warning that Queensland would experience severe wind and giant hail. Multiple news sources reported cricket-ball sized hail in the greater Sunshine Coast region. Accompanying videos and images from social media, both during and after the event, often depicted the damage wrought by the deluge, with shattered car windscreens being a common sight. The Insurance Council of Australia (ICA) declared the Sunshine Coast storm a catastrophe two days later. The majority of claims lodged thus far have been for motor vehicle. The current estimated loss value is $115M as reported by the ICA. For comparison, the current bushfires (declared a catastrophe from November 8th) have an estimated loss of $165M.

Risk Frontiers implemented the same approach for this storm as for the December 20th, 2018 Sydney hail catastrophe[1]. To determine storm footprints and estimate damage extents, the Maximum Estimated Size of Hail (MESH) algorithm ((originally due to Witt et al. (1998) )[2] was applied to radar volumes from the Australian Open Radar Dataset (AORD). The Marburg and Mt. Stapylton radars near Brisbane were chosen, over the time period from 10:00AM to 4:00PM AEST. Location of radars and the MESH results are shown in Figure 1. Image processing is applied to the cumulative MESH grid over the time period to extract the boundaries of the storm (using a threshold of 20mm, the criterion for a severe hail event in the BoM Severe Storms Archive). An ellipse is fit to that contour to compare against HailAUS, our detailed catastrophe loss model for hail, in order to estimate losses for the event.

Figure 1. Cumulative MESH grid over the event period, with radar locations indicated. The maximum hail size, using the PyHAIL package and the Marburg radar, was 7.7cm.
Figure 2. Multiple spatially separate footprints, outlined in red, may be extracted from a single event. The largest and most severe is normally selected for simplicity. Ellipses overlain in transparent blue indicate a qualitative goodness of fit to the extracted storm contours. Postcode boundaries are indicated in grey. The December 20th, 2018 storm had two distinct cells, one in the Berowra/Hornsby area, the other near Liverpool, which was consistent with SES callouts and news reports following the event.

Using the 20mm threshold ellipse fit and a range of hail sizes around the absolute maximum size detected of 7.7cm gives estimated damages of $150M +/- $40M using the HailAUS7.1 damage module against the PERILS 2018 Hail Industry Exposure Database. It is worth noting that the apparent storm footprint obtained from radar may not be equivalent to the ultimate damage footprint. The hail trajectories as they fall from the stormcell will be influenced by ambient wind. There is also a discrepancy in the location of max hail size relative to the ellipse centroid (the ellipse is fitted to an outer contour, but the 3D shape of that geometry is asymmetric along the ellipse axis).

Following the above event, on November 26th, the North Shore and Northern Beaches of Sydney experienced severe winds and pea-sized hail over a relatively short time window. The hail from this event is not expected to have generated much damage given the size. However, fallen trees from the wind disrupted transport and damaged structures and vehicles. The event caused multiple power outages in those areas, affecting 52,000 addresses at the peak of the storm with 13,000 addresses still without power 4 days later. The loss from this single event would be relatively small, but similar events could accrue substantial costs over the course of one season (hail is most frequent in the summer months).

[1]  Risk Frontiers, March 2019 Newsletter

[2] An Enhanced Hail Detection Algorithm for the WSR-88D, Witt et al, 1998

Australia’s 2020 Cyber Security Strategy

Tahiry Rabehaja[1], Denny Wan[2] and Ryan Springall[1]

The Australian Government, through the Department of Home Affairs, has called for views regarding the cyber security strategy that Australia should adopt from 2020. This strategy will be the successor to the 2016 initiative which the Government accompanied with an investment of $230 million in cyber security. The call for views consists of a series of 26 questions ranging from technical solutions to legislative discussion. Few questions in the call for views were directly related to regulation and cyber insurance. In the response that Risk Frontiers submitted to the call, we stressed that Cyber Security is a risk and thus should be managed as such. This means that whilst mitigation and deterrence are important components in risk management, insurance has a role to play as a mechanism for risk transfer and for reinforcing robust cyber security practices through pricing and policy signals. Here is a summary of the top five questions that Risk Frontiers addressed.

4. What role should the government play in addressing the most serious threats to institutions and businesses located in Australia?

To accurately price risk, insurers require a robust quantitative understanding of frequency (how often) and severity (how much financial loss). These data are often obtained through years of claims data and experience dealing with natural catastrophes, for example. In the case of cyber-risk, this understanding is currently lacking. Overcoming this deficiency will require strong and pragmatic leadership from the government to ensure a cyber-risk resilient Australian economy.

The USA is amongst the countries with well-developed cyber security laws and regulations. In addition, the US government actively encourages US businesses to implement robust cyber risk management and, in particular, promotes the incorporation of cyber insurance into their Enterprise Risk Management strategy. According to a 2018 Aon report[i], the current global cyber insurance market premium is estimated to be between 4 and 5 billion US dollars with the US accounting for more than 80% of this market. Figure 1 shows the breakout of global cyber insurance premiums. The US market is considered to be maturing while the rest of the world is developing and expected to grow. In 2018, the Australian cyber insurance market premium was approximately $60 million US dollars, which was about 2% of the global market by premium volume.

Figure 1: Measured and estimated written premiums (source: Aon Cyber Insurance Market Insights 2018).

In Australia, the recent enforcement of the Notifiable Data Breach (NDB) scheme as well as the introduction of APRA’s CPS 234 regulation are positive steps towards improving the resilience of Australian businesses to cyber threats. However, more information on breach frequency and severity needs to be shared with the insurance industry to assist in understanding frequency/ severity relationships underpinning risk transfer policies and to educate businesses and the community on the value of taking up cyber insurance.

Such governmental regulations have already proven effective for other countries and regions. In the case of the US, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and the Federal Information Security Management Act (FISMA) form the three pillars for digital security compliance for businesses and governmental institutions.

Corresponding regulations for Australia are framed through the Privacy Act 1988 and subsequent amendments such as the NDB in 2017. However, compliance alone does not ensure resilience as shown by high profile cases such as the Target breach. At the end of 2013, hackers exfiltrated more than 100 million records containing credit card details and other Personally Identifiable Information (PII) from Target’s internal network. Target was PCI compliant and deployed state-of-the-art security systems but the breach still occurred due to a third party weak link, poor network segmentation and other system misconfigurations[ii]. Target did have cyber insurance that proved useful in offsetting some of the financial losses incurred during the post-breach response period.  A well-planned response is an equally important defence strategy and cyber insurance will go a long way to providing a better incident response and business continuity.

10. Is the regulatory environment for cyber security appropriate? Why or why not?

Regulatory frameworks such as the NDB primarily focus on protection of privacy. In contrast, other regulation such as the CPS 234 is more balanced due to its focus on broader information security challenges beyond the protection of PII. While only currently enforced on APRA regulated entities, CPS 234 is applicable to other organisations and presents an encouraging point of departure to lift cyber security standards in the Australian economy. The standard is principle based and non-prescriptive, offering regulated entities scope to leverage their current investment in Information Security Management Systems (ISMS) to achieve compliance.

The 2019 update of CPG 234 (guidance for implementation of CPS 234) includes some concrete best practices such as information to be presented to the business board tabled in Appendix H. Implementation of the standard can be assisted by taking advantage of a standard cyber risk quantification framework such as Factor Analysis of Information Risk (FAIR).

The FAIR methodology is a quantitative approach that provides estimates on the frequency and severity of loss events using historical data, heuristics and expert opinions. FAIR is a comprehensive methodology that provides a framework for analysing tail losses through quantitative metrics such as Value at Risk. The quantification process provides a structured approach to prioritise risk and remediate efforts based on expected reduction in potential financial loss, enabling a prudent investment culture in cyber security based on established financial management principles.

15. Are there any barriers currently preventing the growth of the cyber insurance market in Australia? If so, how can these be addressed?

In the insurance industry, cyber-risk is broadly categorised either as affirmative (named as a risk) or as silent (covered without explicit recognition of the risk as it is not excluded). Increasingly, traditional commercial general liability and property insurance policies exclude cyber risk[iii] with insurers looking to provide explicit policies that are accompanied by robust risk management processes. However, there remains significant ambiguity, especially when it comes to attribution of a cyber-attack[iv][v]. This means that cyber insurance is emerging as a stand-alone coverage and insurance companies with “silent cyber” built into their products are exploring ways to isolate that component. Current cyber insurance policies are covering a relatively wide range of costs depending on the level of coverage. A comprehensive cover will typically include direct costs associated with a post-breach response. Figure 2 shows the classification of costs due to cyber-attacks[vi][vii]. Blue costs are direct first- or third-party losses and are usually explicitly attributed to the cyber event. Grey costs are less tangible and hard to measure. Costs with purple outlines are currently covered by various branded cyber insurance products. For instance, asset destruction is generally covered under silent cyber.

Figure 2: Costs of a cybersecurity breach (source: Risk Frontiers in-house analysis).

The first obvious observation here is that current coverage is generally restricted to direct costs and excludes intangible losses or long-term impacts such as reputational damage. One example is the 2017 Equifax data breach where losses in market share prices and subsequent security improvements were not covered by their insurance policy.

Another barrier for the growth of cyber insurance in Australia, and globally, is that cyber risk is not well understood. Brokers and underwriters lack the training and tools to quantify this emerging risk efficiently as the tools to assessing cyber risk (and hence pricing and policy construction) are different from traditional property and casualty insurance. In fact, current approaches to assessing cyber security risk rely heavily on manual assessments that greatly impede the scalability and application to small and medium enterprises. Unlike other mature risks such as those arising from natural catastrophes, cyber security risk is extremely hard to quantify due to its dynamic nature, the scale, the lack of physical boundaries upon which accumulations are analysed and the aggregate expertise required to produce a good model of the risk. This gap in cyber risk modelling has a major impact on pricing where premium prices becomes unsound or unaffordable for SMEs.

Another issue with current cyber insurance is regarding policy terms, which drives the lack of certainty in successful claims. Since cyber-insurance products are still young compared to P&C insurance, the policy terms are constantly being tested in court and usually contain explicit exclusion clauses for cases such as “act of war”[viii]. A recent example of a more subtle exclusion occurred in the court case confronting National Bank of Blacksburg to its insurer Everest National Insurance Company[ix].

The above issues and challenges can be addressed (at least partly) through:

  1. Governmental initiatives including the development of a compelling regulatory framework for cyber security risk as well as the promotion of the cyber risk management with particular emphasis on cyber insurance.
  2. The government should encourage and support collaboration between academia and the industry into paving the way towards better understanding and modelling of the cyber-security risk landscape as it pertains to Australian businesses. Without a proper understanding of the risk, there is only a small degree of price differentiation across different firms.
  3. The government also needs to work with insurers to assist in the “attribution” process (which is important for certain policy exclusions) and potentially consider establishing a cyber reinsurance pool.
  4. Finally, the government should increase awareness and provide platforms for SMEs to explore their alternatives in terms of cyber risk transfer.

16. How can high-volume, low sophistication malicious activity targeting Australia be reduced?

The first and foremost protection against high-volume and low sophistication threats is the adoption of good cyber hygiene. Credential management (password usage, multi-factor authentication for example), regular patching and employee training (resilience against phishing and frauds) are amongst the top low-cost but high return strategies to prevent attacks in this category. These types of attacks are most prevalent for lower-tier enterprises, which should be encouraged and made aware of the impact of good cyber hygiene. This cyber security strategy mirrors the public health management strategy in encouraging hand sanitation to minimise the spread of the common cold and flu viruses that help to prevent flu pandemics. Through insurance engagement, the insurance industry can provide the services as part of a broader product offering to increase cyber hygiene.

20. What funding models should Government explore for any additional protections provided to the community?

A cyber reinsurance pool is one form of funding that the Government should explore to improve confidence in the cyber insurance market, increase the resilience of the economy and community to cyber-attacks and, more generally, as a signal to build market confidence. For instance, in the UK, Pool Re was established by the insurance industry and the government as a reinsurance pool to protect insurance companies against large claims originating from terrorist incidents. Since 2018, Pool Re also covers cyber-terrorism14. Thus, similar extension or more innovative approaches, such as Hiscox’s cyber Insurance-Linked Securities[x], can be explored through the ARPC to cover cyber-attacks on critical infrastructures. Risk Frontiers can provide more detail on these schemes if required.

About Risk Frontiers

Risk Frontiers specialises in the assessment and management of risk across the Asia-Pacific region. We help organisations ranging from the global insurance industry and infrastructure operators to government departments and emergency services.

Our research and expertise cover major hazards affecting the region including floods, tropical cyclones, storms, bushfires, heatwaves, coastal erosion and earthquakes. We also continue the development of a cyber risk model in partnership with the Optus Macquarie University Cyber Security Hub.

Our work with government encompasses a diversity of projects including understanding community risk perception, evaluation of resilience and recovery programs, research into catastrophic disasters and the development of resilience frameworks.

As a partner of the Australian Research Council Centre of Excellence for Climate Extremes, Risk Frontiers is well positioned to deliver the latest in climate change solutions to enhance our clients’ decision making.

Rigorous, independent and data-driven, Risk Frontiers is one of Asia- Pacific’s leading providers of risk management and catastrophe modelling solutions.

[1] Risk Frontiers

[2] Security Express

[i] Aon. Cyber Insurance Market Insights, 2018.

[ii] Xiaokui Shu et al. Breaking the Target: An Analysis of Target Data Breach and Lessons Learned, 2017

[iii] Sasha Romanosky et al. Content analysis of cyber insurance policies: how do carriers price cyber risk?, 2019

[iv] Mondelez International Inc. v Zurich American Insurance Company. No. 2018L011008. Circuit Court of Illinois, October 10, 2018.

[v] Milton Mueller et al. Cyber Attribution: Can a New Institution Achieve Transnational Credibility?, 2019

[vi] The Council of Economic Advisers. The cost of Malicious Cyber Activity to the U.S. Economy, 2018

[vii] Deloitte. Beneath the surface of a cyberattack, 2016

[viii] Mondelez International Inc. v Zurich American Insurance Company. No. 2018L011008. Circuit Court of Illinois, October 10, 2018.


[x] Insurance Day. Hiscox plans dedicated cyber ILS fund, 2019


Our resilience group works with clients to build safer and more resilient communities. Services cover strategic policy, disaster management, research and evaluation and community engagement.

Learn more

Natural Catastrophe Modelling

Intelligently designed, location and portfolio level intelligence. For 25 years, Risk Frontiers has been leading the development of natural catastrophe models for the Asia-Pacific region. Learn more about our tools to quantify insurance and portfolio risk.

Our People

Complex enterprises require diverse and experienced teams. We recruit talented people who are experts in data-driven science, passionate learners and keen policy thinkers. This blend provides unique insights for our stakeholders. Meet the people solving the problems of the future.

Natural Catastrophes Greatest Risk for East Asia and the Pacific

by Andrew Gissing.

The World Economic Forum this month released their Regional Risks for Doing Business Report. The findings of the report are based on a survey of global business leaders on the state of business environments regionally.

Extreme weather events, natural catastrophes and failure of climate change adaptation were ranked in the top 10 risks for East Asia and the Pacific and North America, but not in other regions.

For East Asia and the Pacific natural catastrophes were rated as the highest risk and extreme weather events as number 5. Natural catastrophes were rated as the highest risk in Japan, New Zealand and China. Asia experienced some $55 bn USD in catastrophe losses in 2018, second only to the United States, but rated highest in terms of loss of life (Swiss Re, 2019).

In South Asia, water crises were rated as the top risk. Climate change through melting of glaciers and altering the frequency of extreme weather events will only worsen water stress in this region.

Globally, cyberattacks were rated as the world’s second most significant risk behind financial crisis. The report notes the rising cost of cyberattacks and the ever-evolving nature of the risk. In East Asia and the Pacific, the risk was also rated second.

Australian respondents rated energy price shock as their number one risk, followed by cyberattacks (2nd), asset bubble (3rd), failure of critical infrastructure (4th) and fiscal crises (5th).

The top ten risks for East Asia and the Pacific and globally are listed in Table 1 below.

The full report is available at:


Swiss Re (2019) Natural catastrophes and man-made disasters in 2018: “secondary perils on the frontline”. Sigma No.2

California Fire and Power

Paul Somerville, Risk Frontiers

Once again, wildfires have caused catastrophic property losses in the late Californian summer, but loss of life is much lower than last year, possibly because of radical mitigation measures including the widespread use of deliberate blackouts to avoid ignition by power lines and related equipment.

Causes of Fire Ignition

In the United States, about 84% of wildfires are caused by human activity or equipment, with the remaining 16% caused by lightning. 95% of the fires that the California Department of Forestry and Fire Protection (Cal Fire) responds to are caused by human activity.

The largest cause of wildfires is electric power lines and related equipment. Pacific Gas & Electric (PG&E) transmission lines caused the 2018 Camp fire in Northern California, which razed 90% of the town of Paradise, killed 86 people and destroyed more than 13,900 houses. This loss was the reason PG&E declared bankruptcy based on an estimated liability of $30 billion for fires in 2017 and 2018 (RF Briefing Note 372; see also Briefing Note 375). Sceptics have pointed out that, with stable revenue from electricity and gas subscribers, bankruptcy was declared to shield the company from its liabilities. California Governor Newsom implied on 1 November 2019 that the State may become involved in the restructuring of PG&E. Some of the largest fires in Southern California’s history were also caused by power lines: Southern California Edison (SCE) and San Diego Gas & Electric (SDG&E).

Other causes of fires are sparks from vehicles and other equipment.  The Carr fire in Trinity and Shasta counties, which killed 8 and destroyed more than 1,600 structures, was caused by sparks from a wheel rim exposed by a flat tyre. Failure to fully extinguish the Berkeley–Oakland  Hills fire in 1991 resulted in it blowing out of control, killing 25 people and destroying over 2,200 structures. Camp fires are another cause, and two small fires lit by a lost deer-hunting hiker in southern San Diego County resulted in 15 deaths and the loss of over 2,300 structures. Arson is a rare cause of large fires in California.

Changes in the Frequency and Size of Fires

All ten of the largest fires in California have occurred since 1991.  This is attributable, in part, to the increased numbers of houses located in regions of high fire hazard.  However, in the past few years the winter rains (from storms originating in the Gulf of Alaska), that used to begin in late September (Figure 1), have been delayed by a month or more, which may be attributable to climate change. This has extended the fire season into October and, this year, into early November. The headline in an opinion article in the New York Times (2019) warned that “It’s the end of California as we know it” and declared that “at the heart of California’s rot” is the “failure to live sustainably.” The Atlantic (2019) wrote that “California is becoming unliveable.”

Fires burning on 3rd November 2019 in California (Channel 4 TV) Temperature and rainfall for Sonoma County, California.  Source: LA Times and ChartFX.

Mobile Phone Outages

According to the San Francisco Examiner on 4 November 2019, “As the lights flickered out and wildfires flared, PG&E’s blackouts also cut off thousands of Californians from cell phone service, leaving them unable to get emergency alerts or call 911. It exposed a troubling gap in the state’s readiness for mass outages that could, according to PG&E, keep happening for a decade. And it’s left regulators scrambling to find a fix — though it will be difficult. Neither California nor the federal government requires cell phone towers to have backup power, even though network service is a critical part of modern life. Instead, maintaining service is left up to cell phone companies, which have generators lasting days at some sites but batteries which can survive just a few hours at others. When those run out, they must send trucks to refuel or install generators, at times when fires may cut off roads, blackouts darken traffic lights and their own outages hamper communication. Companies said their personnel worked around the clock to put in place hundreds of generators during PG&E’s unprecedented and fast-changing power outages, but in some cases they couldn’t access sites because of the location — on top of buildings or in fire evacuation zones. They’re pledging to prevent future problems. But regulators, politicians and emergency response agencies are pushing for stricter rules to protect public safety.”

Fire Mitigation by Electric Power Companies

Responding to the declaration of bankruptcy by PG&E in 2019 following the fires in 2018, the major public utilities have engaged in intentional blackouts, to varying degrees, as a means to reduce fire ignition.  These measures range from:

  • no blackouts (Los Angeles Department of Water and Power, which admits that a branch blown from a eucalyptus tree onto its power lines ignited the Getty Fire beside the iconic Getty Museum)
  • tightly targeted blackouts (in San Diego by SDG&E)
  • less targeted blackouts (in Los Angeles by SCE) and
  • large scale blackouts (in Northern California by PG&E instigating power outages for days and risked the health of people requiring power for medical support equipment)

The question of when to turn the power back on was highlighted by the outbreak of the Maria Fire 13 minutes after SCE turned the power back on in Ventura County on November 1.  SCE is not yet conceding its fault but has announced that its electrical equipment will probably be found to be associated with the Woolsey fire of 8 November 2018, which burned more than 1,500 structures in Los Angeles and Ventura Counties and killed 3 people.

Financial Management of Fire Losses

In its quarterly earnings report, SCE disclosed that various fire and mudslide events could result in a liability of $4.7 billion, of which $1.8 billion will be borne by shareholders after insurance and other offsets. But in the company’s third-quarter earnings call last week, Edison International President and Chief Executive Pedro J. Pizarro said it was adequately prepared for the blow, saying on 1st November 2019 that the company “understands this is a difficult time for the many people who are being impacted. The company’s top priority is the safety of customers, employees and communities, which is why we continue to enhance our wildfire mitigation efforts through grid hardening, situational awareness and enhanced operational practices.”

The protocols for shutting down power are outlined in SCE’s 2019 Wildfire Management Plan. Incident management teams, that include meteorologists, base the decision on wind speeds, humidity and temperature, fuel moisture and fuel loading. Other less prescriptive considerations may include the potential effect on customers and communities, alternative ways to reroute power, the progress of the customer notification process and situational awareness from weather stations. The length of time customers are without power is one factor that may be considered in the decision to restore power. The plan states that, “The order in which circuits are re-energized will depend on many factors including, but not limited to, customer safety and well-being, consideration of affected essential services, damage to electrical and other infrastructure, and circuit design/topology.” Before power is restored, field crews inspect the lines for “any condition that could potentially present a public safety hazard when re-energizing circuits.”

The duration of a power outage can matter in small and large ways. Food may last only four hours in a closed refrigerator, while frozen food could last a day or two (depending on how full the freezer is) as long as the door stays shut most of the time. For those dependent on medical equipment requiring rechargeable batteries, time can be critical. SCE’s plan says it maintains a list of those customers and contacts them individually before a shutdown. If unable to confirm the notification, field representatives go to the customer’s house.


The Atlantic (30 October 2019). California Is Becoming Unlivable

New York Times (30 October 2019). It’s the end of California as we know it.

Newsletter Volume 18, Issue 4 – October 2019

What areas of Australia are most at risk from natural perils?

by Andrew Gissing and Foster Langbein

The Commonwealth Government recently released a National Disaster Risk Reduction Framework. A key priority of the framework is accountable decision making which includes a strategy to identify highest priority disaster risks and mitigation opportunities. The strategy is based on the principle that it is not possible to reduce all identified risks and that investments must be targeted to minimise risks with the greatest potential impacts. The Australian Prudential Regulation Authority has also recently outlined the importance of mitigation investment in increasing insurance affordability across Northern Australia. The Commonwealth Government in October announced an additional $50 million dollars annually in mitigation funding.

Catastrophe loss models can be used to develop an understanding of the relative risk profile of Australia. Catastrophe loss models are decision support systems used extensively in the (re)insurance industry to assist in pricing risk and aggregate exposure management. Risk Frontiers has developed a suite of Australian probabilistic catastrophe loss models to quantify the impacts of flood, bushfire, hail, tropical cyclones and earthquake. These hazards contribute the majority of disaster losses in Australia as shown in Table 1. Risk Frontier’s catastrophe loss models have national coverage and are comprised of hazard, exposure and vulnerability modules (read more in Briefing Note 399). The models provide scientifically based damage estimates that can be used to rank the risk profiles of different communities nationally.

Table 1: Breakdown of normalised losses by peril based on ICA disaster list (1966-2017). (Source: (McAneney et al., 2019))

To identify what areas of Australia pose the greatest risk of financial loss to insurable assets such as residential and commercial property we have used the full suite of Risk Frontiers catastrophe models (hail, flood, tropical cyclone, earthquake and bushfire) to calculate average annual losses (AAL) for each Australian postcode based on exposure information derived from the NEXSIS database. The results of this analysis are illustrated in Figure 1 from which we can identify the top 20 priority postcodes nationwide as listed in Table 2.

Figure 1: National natural hazards relative risk profile.
Table 2: Postcodes ranked based on total average annual loss including damages from flood, bushfire, cyclone, earthquake and hail.

All the highest rated postcodes are in WA, QLD or NSW, with flood and cyclone being the most significant perils. Bundaberg (4670) is rated as the postcode with the highest AAL relative to other post codes, with its total AAL contributing 0.02% of the nation’s overall total AAL. The total AAL for Bundaberg is over twice that of the estimated AAL for 10th placed Townsville (4814) and over two hundred times greater than the lowest ranked postcode of Cooladdi (QLD) (4479). Such information about relative disaster risks is useful in determining national mitigation investment priorities.

Results can also be dissected by peril. Table 3 provides the highest rated postcode for each of the five modelled perils nationally.

Table 3: Top postcode for each peril.

Postcodes were chosen to best represent Australian towns and suburbs. Results will vary depending upon the loss metric utilised, for example a return period, AAL or probable maximum loss. They will also vary depending upon the geographic boundaries used for example post code, statistical area, local government area or electoral boundary. Using post codes ignores potential losses attributable to wider regional scenarios. For example, potential losses due to flooding in the Hawkesbury-Nepean Valley are greater than just the post code of Windsor and are said to be the greatest nationally by the insurance industry. Such comparison of wider scenarios could be considered in a future analysis.

Understanding Future Risk

Risks are likely to change into the future due to climate change and urban development and future mitigation investment decisions should consider this. Risk Frontiers’ catastrophe loss modelling framework is ideally suited to consider influences on future risk such as climate change, mitigation investment, increased development and changes to building codes. The Geneva Association, a peak insurance industry think tank, concluded that by combining catastrophe models with latest climate science an enhanced understanding of future weather-related risk impacts could be developed. Such use provides greater insights into the impacts of climate change on natural hazards not currently possible using Global Climate Models.

More information on Risk Frontiers catastrophe loss models can be found at


AUSTRALIAN PRUDENTIAL REGULATION AUTHORITY. 2019. Submission – Northern Australia Insurance Inquiry Second Update Report. Available: [Accessed 8/10/2019].

DEPARTMENT OF HOME AFFAIRS. 2018. National Disaster Risk Reduction Framework. Available:

MCANENEY, J., SANDERCOCK, B., CROMPTON, R., MORTLOCK, T., MUSULIN, R., PIELKE, R. & GISSING, A. 2019. Normalised insurance losses from Australian natural disasters: 1966–2017. Environmental Hazards, 1-20.

Bushfire and tropical cyclone activity for 2019/20

By Ryan Crompton

The most recent ENSO Wrap-Up was released by the Bureau of Meteorology (BoM) on 29 October 2019 under the headline ‘Strong positive Indian Ocean Dipole persists’. The wrap-up was summarised as:

The strong positive Indian Ocean Dipole (IOD) event continues while the El Niño–Southern Oscillation (ENSO) remains neutral.

As explained in Crompton et al. 2010 a positive IOD (pIOD) event is when the eastern Indian Ocean is cooler than normal and the western Indian Ocean is anomalously warmer and often associated with a more severe fire season for southeast Australia. Their analysis of building damage due to Australian bushfires concurred with this and interestingly, in terms of the current conditions, they found that the two most damaging combined IOD and ENSO phases were pIOD/neutral and pIOD/El Ninõ in terms of average annual normalised damage for years 1925-2008.

Compounding the bushfire risk for this season is another phenomenon called ‘sudden stratospheric warming’ which is when temperatures in the stratosphere high above the South Pole begin rapidly heating. (The stratosphere is the second layer above the Earth’s surface and is roughly 10-50km above the ground). In a Conversation article published at the beginning of September authors from the BoM discussed how this warming commenced in the last week of August and:

Record warm temperatures above Antarctica over the coming weeks are likely to bring above-average spring temperatures and below-average rainfall across large parts of New South Wales and southern Queensland.

At the time, the BoM was predicting the strongest Antarctic warming on record, likely to exceed the previous record of September 2002, with the impacts reaching the Earth’s surface during October and possibly extend through to January.

The increased risk of fire and heatwaves along eastern Australia has already been borne out with fires, at the time of writing, currently raging throughout the mid-north coast of NSW and northern NSW, including around my hometown of Forster-Tuncurry.

The ENSO phase also impacts tropical cyclone activity in the Australian region as discussed in the recently released BoM Australian Tropical Cyclone Outlook for 2019 to 2020. The outlook is ‘Fewer cyclones than average likely for Australia this season’ with this based on the historical relationships between the status of ENSO over the preceding July to September and the subsequent tropical cyclone season. The Outlook notes that indicators have been ENSO-neutral since April 2019 and the majority of climate models forecast neutral ENSO for the remainder of 2019 and into the first quarter of 2020.

The outlook of fewer cyclones than average not only applies to Australia but all other regions as shown in Figure 1. The Australian region has a 35% chance of more tropical cyclones than average, meaning a 65% chance of fewer tropical cyclones than average. The Outlook states that around four tropical cyclones cross the Australian coast in a season and the accuracy for the Australian region is high. Similar descriptions are presented in the Outlook for other regions.

Figure 1. Long-term average number of tropical cyclones, using data from the 1969–70 season to this (2019) season and the percentage chance of more tropical cyclones than average (Source: BoM).

WeatheX needs you, the citizen scientist, to watch and report severe weather events wherever you are using your smartphone.

Severe weather events are often missed by weather instruments and are difficult to capture. Your reports will vastly improve our ability to capture these events and contribute to better understanding.

WeatheX allows you to report the severity, location and timing of hail size, wind damage, flooding and tornadoes. You can also capture a photo or add a description of the event. This information will be used by weather and climate researchers, including the ARC Centre of Excellence for Climate Extremes, Monash University and Australian Bureau of Meteorology. All reports and photos will remain anonymous and no identifying information is collected.

The app also allows you to view the location and time of recent reports across Australia. Zoom, pan and investigate what’s happening locally or the other side of the country. You will also see your own report on the map immediately after reporting too!

To get started with reporting, download the WeatheX app from Google Play or the App Store.

The WeatheX app is funded by The Centre of Excellence for Climate Extremes (CLEX) and is managed by the School of Earth, Atmosphere and Environment at Monash University and is supported by Risk Frontiers.