In the security industry, the concept of measuring risk is a frequent topic for discussion. How best to measure risk is debated and results are dissected to determine if they represent the real situation. In this post, we will look at WHY you should measure risk, how doing so must align with your business goals, and the critical discussions security will bring to the table as you map out annual plans and forecasts.
Measuring risk is critical to business continuity
Measuring risk is perhaps one of the most complex issues in the security industry. So many opinions vary on what is “risk” and what factors should go into measuring it. But over the past 160+ years, Pinkerton has been able to hone the complexity of risk measurement into a seemingly simple formula: Threat x Probability x Business Impact.
Easy, right? No, as you probably realize, it is not. By far, our most popular blog post historically has been “Risk vs Threat vs Vulnerability – and Why You Should Know the Differences.” And the reason, we believe, is that there is much confusion regarding defining these terms. But as this post is about measuring risk, we will use the definitions of that article to go further in helping you determine what threats could have a real impact, good or bad, on your business.
A good start is to look at our Risk Index Report. In it, you will see the methodology we used to determine risk levels for nearly every major country/region, broken down into risk categories. Further, review the Global Risk Map that accompanies the report for an interactive way to look at countries in which you are doing business or where your major suppliers are located, or even where you are sending executives on a business trip. Both the report and map will give you a great overview of global risks.
Most companies do a good job of determining threats and then communicating them throughout the enterprise. For example, theft is a threat to retail companies. It’s not going away, so it’s something with which all retailers have to contend. They then have to determine the risk. As Pinkerton’s President Jack Zahran has said, “Risk is anything that will prevent a company from achieving its business objectives.” Retailers know that their merchandise can be easily stolen by employees who have access to it; that’s a vulnerability. They also know that hiring someone with a history of theft suggests higher risk. Increased employee theft could lead to loss in inventory and sales, which impacts the company’s business objectives, so mitigation measures are put in place such as security cameras, human resource interviews and backgrounds checks.
But how do you measure the risk? Using our formula, we would look at the retail example like this:
What is the threat? Loss of merchandise and potential sales due to theft by employeesWhat is the probability of the loss happening? Given that 75% of employees steal from their workplace, the probability is quite high that it will happen.What is the business impact? Office employees stealing staplers or paper at an office comes with a much different potential impact than retail employees taking home computers, art, auto parts, etc., across hundreds or even thousands of locations.
Understanding the threat, knowing the probability of it happening to your business, and then determining the business impacts, will help you determine what resources are most useful to mitigate the risk.
Risk measuring has to be holistic and aligned with business goals
“No longer can security departments be focused solely on protecting assets,” said James McClain, Pinkerton Vice President. “Security leaders now need to understand the business objectives of their organization, so that corporate security aligns and partner to their needs. A holistic approach to risk management requires that decisions not only be about cost but to focus on the totality of the impact to the business. That is why measuring risk accurately is critical, especially as companies and their supply chains become more interconnected with global events.
“The 2016 Belgian airport terror attack is an example,” said Zahran. “Of course, the attack impacted airlines and supporting businesses. But, the impact to the chocolate industry was huge. Millions of tourists buy their souvenir chocolate at the airport each year. With travel to Belgium way down after the attack, the chocolate industry was impacted.”
In a traditional security model, threats are only analyzed in terms of a company’s specific business assets. Given that, a chocolate company might assess that terror attacks are a potential threat, as they are with any company, and they might even acknowledge that they are vulnerable to a potential attack. However, the overall risk is not very high since the probability of an attack at their facility is low. Therefore, they wouldn’t put much weight on terrorism in security planning. Most of us would not think of the chocolate industry as a direct target of a terrorist act.
However, given the spate of terror attacks over the last few years, especially in Europe, a company considering their security more holistically would see that an airport attack, even if hundreds of miles from their facility, could significantly impact their sales, as it did for a number of Belgian chocolatiers. “Connectivity is the key,” says Brian McNary, Vice President of Pinkerton’s Global Risk Group. “Threat doesn’t manifest in silos, and neither should risk management within an organization. We must look outside the business entity, even beyond the supply chain, to get a whole picture. Looking at threats, the likelihood of them occurring and the impact they could have on your business is a reason to have security at the executive table all the time.”
How risk measurement affects annual planning
As has been said many times, the only constant in life is change. Of course, that’s true in business and security, too. You may have planned for certain risks using our measurement formula, and put mitigation protocols in place to lessen the business impact if incidents to occur. How long are those plans valid and relevant? A year? Two? Forever?
Risk measurement must be performed regularly, even constantly, because of the fluidly changing nature of risk levels. An example can be witnessed in California today. For more than five years, California has been suffering a “100-year drought,” resulting in dry conditions that have affected nearly every business, most especially agriculture. Businesses have had to adhere to water conservation restrictions and adapt their business practices to the new reality that there just isn’t enough water. Using our risk measurement formula, one can see that the threat of drought is very real, and the probability of it impacting an agriculture-reliant business is very high. Thus, the business impact is potentially severe. Companies planning their annual budgets, resource allocation and staffing have to take this impact into consideration or risk significantly underestimating costs which affect the bottom line. But… that was last year. In January 2017, areas of California, including Los Angeles, received more rainfall in 31 days than they had in all of 2015, or 2013, or 2012. Throughout the state, threats dismissed as low risk have now become all too real, such as the potential collapse of the Oroville Dam. All dams come with a threat of a breach, suddenly releasing vast amounts of water downstream. However, California dams have had far less water to hold back in recent years, due to the drought. Businesses near the Oroville Dam likely considered the probability of a breach very low, and had few mitigation elements in place. Think that has changed?
The dam example is one that highlights the importance of measuring risk holistically, and why security must be a business outlook consideration. Using our formula helps to take into account the ever-changing probability of risk, so real business decisions can be made on the basis of potential impact. And not all risks are represented negative outcomes for companies. In the California example, the risks of widespread flooding and mudslides bring with it the probability of damage to homes, businesses, vehicles, and roads. Those all need to be replaced, representing new business opportunity for contractors, the home improvement market, automotive dealers, and other related businesses. For them, the formula would include a positive business impact, and that also needs to be assessed regularly.
As McClain summarizes, “Probability is the single biggest factor in determining business impact.” And with probabilities changing all the time, it’s more important than ever that risks be measured regularly, and resources allocated appropriately. Remember: Threat x Probability x Business Impact