Many organizations commit significant resources to forecast a market’s growth potential. Before investing in a company, it is likely we would review a summary prospectus of their potential earnings.
We also look to the National Weather Service for a forecast to determine our resource needs for a weather-dependent activity, days or possibly weeks in advance. So why, given the need to conduct effective and efficient risk analysis beyond picking low-hanging fruit, is there such a limited effort to forecast risk? How can we gather the appropriate amount of information to forecast risk using minimal resources in today’s operating environment?
The operational environment
Global organization models are changing. Given the increasing frequency and severity of disruptive events, one aspect remains constant: safety and security are the number one concern. This observation was recently reinforced by a Global Business Travel Association (GBTA) poll which asked organizations whether their efforts toward safety and security had increased, remained the same, or decreased within the last six months. Sixty percent of the respondents reported an increase while the other 40 percent stated it remained the same.
Risk, and the way it is being assessed, is at a transition point. A large number of organizations are either unable or unwilling to commit the resources required to conduct and maintain a current risk assessment. For those who do, certain aspects can become outdated before the effort produces tangible results. What is the answer? Forgo it? Rely solely on best practices or industry benchmarking? Continue to pick the “low-hanging fruit” and hope for the best?
One of the most cost-effective solutions available to maintain a relevant forecast is a risk needs assessment (RNA).
Why perform a risk needs assessment?
An RNA provides a snapshot of where potential risk currently resides. It focuses on the impact and consequence of losing an asset (or a combination of assets), the threats which pose a risk to those assets, and the effectiveness of current mitigations.
The RNA details the relative risk rankings of assets, gradated by region or operational subdivision down to individual locations. It establishes the requisite level of risk information and makes the most of limited resources, while providing a foundation on which the organization can build, restructure or update its security and risk management capabilities.
The RNA informs all levels of management where the relative risk lies by focusing on the degree of impact if an asset is lost, the disruptive scenarios posing a risk, and the effectiveness of risk-related programs. When compared to the time and materials required for an organization-wide risk or vulnerability assessment, the RNA provides a timelier and less resource-intensive option for identifying the organization’s risk profile.
Conducting a risk needs assessment
An RNA improves the organization’s awareness of where to allocate resources to maximize return. It analyzes the enterprise’s three factors of risk up to and including a global level. It delivers a quantitative analysis of key assets within the system that identifies any outliers beyond established levels of risk tolerance. Using the example below (Figure 1) and a table or spreadsheet, populate the headers and follow the RNA Rubric. Reference the Risk-Factors Reference Example (Figure 2) to define and score the assets, potential disruptors and mitigations.
The RNA (risk needs assessment) rubric
Process (e.g. Conduct quality control audits)
Location (e.g. in-travel and facility)
Assets Impacted (Assets with the potential to be impacted by location)
Consequence (C) (Score potential for life safety, economic loss and impact to the brand)
Potential Disruptor (D) (Incidents that disrupt the planned outcome through asset application)
Capability (C) (Score based on analysis of the Disruptor’s current ability to impact all or part of the assets present at each location)
Motivation (M) (Score based on analysis of previous attacks and degree of success)
Note: The value of D is the mean of Capability (C) and Motivation (M). (For hazards [e.g. weather] use intensity and probability in their place.)
Existing Mitigation (Actions taken to reduce the disruptor’s ability to exploit the Asset)
Vulnerability 1 (V1) (Score based on Disruptor’s remaining ability to exploit the Asset after applying Existing Mitigation)
Risk (R1) (Numerical representation of Risk (R) in applying Existing Mitigation. Color coded to quickly identify Risk potential. Score: C x D x V1 = R1)
Recommended Mitigation (Additional measure to further reduce the Disruptor’s ability to exploit the Asset)
Vulnerability 2 (V2) (Score based on Disruptor’s remaining ability to exploit the Asset after applying Recommended Mitigation)
Risk (R2) (Numerical representation of Risk (R) after applying Recommended Mitigation. Color coded to quickly identify Risk potential. Score: C x D x V2 = R2)
Monitoring, Representative Sampling, and ‘Deep Dive’ Thresholds
The RNA provides a forward-looking capability that identifies areas warranting a more detailed focus and analysis to ensure the risk is adequately mitigated. Depending on the size and complexity of the organization, the Risk-Factors Reference may require additional definitions with a more sophisticated means to differentiate the resulting scores. The organization should establish thresholds for monitoring, representative sampling, and deviations warranting a “deep dive” (focused and formal risk assessment) based on the RNA’s resulting scores.
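The rubric above gives the scoring formula (D as the mean of Capability and Motivation, R1 = C x D x V1, R2 = C x D x V2) and this section asks for thresholds that route each score to monitoring, representative sampling or a deep dive. The following Python calculator is an added example, not the article's or iJET's own tool. It assumes a 1–5 scale for every scored factor (the article's Figure 2 is not reproduced, so the scale is a placeholder), assumes the tier thresholds, and uses constructed sample rows built from the rubric's own example process and locations. Because the rubric uses the letter C for both Consequence and Capability, the code names the two factors explicitly.

```python
"""Added example (not the article's own tool): a calculator for the RNA rubric.

Computes D = mean(Capability, Motivation), R1 = C x D x V1 and R2 = C x D x V2
per row, bands each score into the monitoring / representative sampling /
deep dive tiers, ranks rows by residual risk and flags rows beyond a stated
risk tolerance.  The 1-5 scale, the tier thresholds and the sample rows are
constructed assumptions standing in for the article's Figure 2.
"""
from dataclasses import dataclass
from statistics import mean

SCALE_MIN, SCALE_MAX = 1, 5   # assumed scale for every scored factor

# Assumed thresholds for the three follow-up tiers the article names.
# A real programme sets these from its own risk tolerance and Figure 2.
TIERS = (
    (60, "deep dive", "red"),
    (30, "representative sampling", "amber"),
    (0, "monitoring", "green"),
)


@dataclass
class RnaRow:
    """One line of the RNA table: the rubric's columns, with scored factors as ints."""
    process: str
    location: str
    assets: str
    consequence: int            # Consequence (C): life safety, economic loss, brand
    capability: int             # disruptor's current ability to impact the assets
    motivation: int             # history/success of previous attacks (probability for hazards)
    existing_mitigation: str
    v1: int                     # Vulnerability (V1) remaining after existing mitigation
    recommended_mitigation: str
    v2: int                     # Vulnerability (V2) remaining after recommended mitigation


def check_score(name: str, value: int) -> int:
    """Reject scores outside the assumed scale so a typo cannot distort the ranking."""
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{name}={value} is outside {SCALE_MIN}-{SCALE_MAX}")
    return value


def disruptor_score(capability: int, motivation: int) -> float:
    """D is the mean of Capability and Motivation, as the rubric note states."""
    return mean([check_score("capability", capability),
                 check_score("motivation", motivation)])


def risk_score(consequence: int, disruptor: float, vulnerability: int) -> float:
    """R = C x D x V, the rubric's formula for both R1 and R2."""
    return (check_score("consequence", consequence) * disruptor
            * check_score("vulnerability", vulnerability))


def risk_tier(score: float) -> tuple:
    """Map a risk score to its follow-up tier and colour code (assumed thresholds)."""
    for floor, tier, colour in TIERS:
        if score >= floor:
            return tier, colour
    raise ValueError("risk score cannot be negative")


def score_row(row: RnaRow) -> dict:
    """Fill in the derived columns (D, R1, R2 and their tiers) for one row."""
    d = disruptor_score(row.capability, row.motivation)
    r1 = risk_score(row.consequence, d, row.v1)
    r2 = risk_score(row.consequence, d, row.v2)
    return {"process": row.process, "location": row.location, "assets": row.assets,
            "D": d, "R1": r1, "tier1": risk_tier(r1)[0],
            "R2": r2, "tier2": risk_tier(r2)[0]}


def rank_rows(rows) -> list:
    """Relative risk ranking: highest risk under existing mitigation (R1) first."""
    return sorted((score_row(r) for r in rows), key=lambda s: s["R1"], reverse=True)


def beyond_tolerance(rows, tolerance: float, after_recommended: bool = False) -> list:
    """Outliers: rows whose risk (R1, or R2 if after_recommended) still exceeds tolerance."""
    key = "R2" if after_recommended else "R1"
    return [s for s in rank_rows(rows) if s[key] > tolerance]


# Constructed sample rows using the rubric's example process and locations.
SAMPLE_ROWS = [
    RnaRow("Conduct quality control audits", "in-travel", "auditors, laptops",
           consequence=5, capability=4, motivation=2,
           existing_mitigation="pre-travel briefing", v1=4,
           recommended_mitigation="tracked itineraries and check-ins", v2=2),
    RnaRow("Conduct quality control audits", "facility", "audit records",
           consequence=3, capability=2, motivation=2,
           existing_mitigation="badge access", v1=3,
           recommended_mitigation="visitor escort policy", v2=1),
]

if __name__ == "__main__":
    for s in rank_rows(SAMPLE_ROWS):
        print(f"{s['location']:<10} D={s['D']:.1f} R1={s['R1']:5.1f} ({s['tier1']}) "
              f"R2={s['R2']:5.1f} ({s['tier2']})")
```

Run as a script it prints the two constructed rows ranked by R1; the in-travel row scores 60 under existing mitigation (deep dive tier) and drops to 30 once the recommended mitigation is applied, which is the before/after comparison the R1 and R2 columns exist to show. Swap the `TIERS` floors and the 1–5 scale for the organization's own Risk-Factors Reference before using it on real data.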
Evaluating RNA’s Mitigation Measure’s Effectiveness
When assessing the applied mitigation measures, qualitatively and quantitatively measure the level of adherence to the following five criteria:
1. Formal – The mitigation is documented as a component of an approved program.
2. Enforced – Leadership resources the mitigation and enforces managerial controls to ensure accountability for deviations.
3. Relevant – The mitigation directly impacts the motivation/capability of the disruption or functions as an offset to intensity/probability.
4. Tested – The mitigation is routinely audited and exercised to validate its functionality, with the risk treatment adjusted accordingly.
The RNA process supports risk-based decision making down to the asset level by maximizing quantitative analysis that is both consistent and relative across the organization. It also serves as an effectiveness model for potential risk treatment methodologies. Quantitative analysis is amalgamated to a strategic level, where it is transformed into qualitative analysis that can be used to prioritize assets or location-specific efforts for further analysis, and to identify and adjust the organization’s risk tolerance, appetite, and capacity.
Not long ago, after briefing a senior executive on safety and security, she asked, “How much longer will I have to spend large portions of my day addressing these issues instead of focusing on our core business?” The response: “When it becomes a component of core business.”
Michael Payne is an ASIS International Certified Protection Professional (CPP) and DRI International Certified Business Continuity Planner (CBCP) leading iJET’s Organizational Resilience Department within the Global Operations Division. In this position, he is responsible for organizational planning/readiness, security operations, strategy, assessments, evaluations, resiliency systems design and emergency assistance. Michael has a distinguished career managing the operations, crisis/emergency response, protective strategies, physical security implementation, physical and cyber security integration, procedural development, and personnel situational awareness and safety for several critical infrastructure and key resource entities. During iJET critical response operations, he assumes the role of Global Operations Incident Manager, leading crisis surge management efforts for significant events such as major natural disasters, political situations, and terrorism.
Edward D. Clark is a retired Special Forces Officer with both strategic and tactical level experience in developing and implementing critical infrastructure protection programs and armed response capabilities. Edward holds a bachelor’s degree in criminal justice and a master’s degree in computer information systems. He served as the security lead for the White House Homeland Security Council on Bio-terrorism and is a nationally sought-after trainer and public speaker on conducting vulnerability.