If you are a CEO, COO, government official, or hold another leadership position that can drive change in your organization, we at Pinkerton believe it is crucial that you maintain a diligent overview and understanding of risk, threat and vulnerability.
Many articles and blog posts attempt to define each of these three terms on its own; it is the interplay of all three, however, that produces the initial evaluation and the recommended action plan for risk management.
As the person responsible for overseeing the security of your organization, the more closely you can reason through this process the way a professional, high-level security expert would, the better you will understand and interpret the results of their security audits, and the better you will be able to implement their findings in the way best suited to your own company or institution.
Lower risk through comprehensive evaluation of threats and vulnerabilities
How large the consequence would be, how likely the event is to occur, and what its potential effect on the entity would be are all parts of the panoramic landscape you need insight into before you can manage risk. We believe that risk, threat and vulnerability are not interchangeable terms, although threat and vulnerability are both components of risk. Here are some important characteristics of the three:
Threats generally can NOT be controlled. You cannot stop the efforts of an international terrorist group, prevent a hurricane, or tame a tsunami in advance. Threats need to be identified, but they usually remain outside your control.
Risk CAN be mitigated. Risk is managed by lowering either the vulnerability or the overall impact on the business.
Vulnerability CAN be treated. Weaknesses should be identified and proactive measures taken to correct them. Risk assessment forces you to re-think, because you must protect the highest-consequence items first: your critical resources. The first question to answer is, "What is the most critical resource you have, the one whose compromise would have the biggest impact?" THAT is what you need to protect the most.
When Pinkerton conducts a risk assessment, it is not uncommon to find an organization with a false sense of security because it has "thrown in all sorts of security measures." Very often there is still a weakness that can be exploited, one that neither the organization nor its security team is aware of. That is where an outside evaluation becomes crucial to protecting valuable and often irreplaceable assets: infrastructure, personnel, intellectual property, servers and IT systems, company R&D, and all other digitized information and communications.
Risk assessment is not a one-time thing
Your organization grows and changes over time, and so does the world it operates in. The implications of technology expand daily.
For example, consider a prison yard that incorporates multiple layers of security: fences, alarm systems, laser beam sensors, structural reinforcements, armed corrections officers, CCTV, and lighting. Together they may have thwarted the threats of five years ago, but navigation and aerial surveillance technology once reserved for military systems can now be bought by anyone for less than a thousand dollars (USD), and a consumer-grade drone can bypass every one of the listed security features. Contraband could be delivered quietly at night by a remotely piloted vehicle to a designated spot, where an inmate retrieves it during yard time the next morning.
With this example in mind, our answer to the question of how often threats, risks and vulnerabilities should be re-evaluated leaves no room for interpretation: "Constantly."
Can earthquakes and tsunamis impact nuclear reactors at the same time?
The odds of that happening may be lower than the odds of picking the winning Powerball numbers, and because the likelihood is so small, a power company might never address such an unimaginable situation.
A risk assessor thinks very differently. In the case of the Fukushima Daiichi nuclear plant in Japan in 2011, where the earthquake and the tsunami landed a successive one-two punch, outside risk experts might have evaluated in advance the off-the-chart level of risk and the implications of a nuclear event that was statistically possible but highly unlikely. The plant was vulnerable to exactly this perfect storm, which destroyed its infrastructure and overwhelmed its security and safety measures.
Though the probability was small, a decisive analysis that integrated threat, vulnerability and consequence might have compelled a professional risk assessor to recommend additional structural protection for the plant.
For risk management: A total stakeholder perspective is needed
As business becomes more connected and interdependent, so do the sources of risk. There are more factors to be aware of and to address, so a risk management framework must be designed with a total stakeholder perspective.
Stakeholders are not just the shareholders or owners of an organization. The total stakeholder perspective should include employees, policy makers, suppliers, service users and customers, and it is often necessary to drill down further, for example to those responsible for managing the supply chain. Every one of these stakeholders can affect the likelihood of an adverse event, and every one of them can be a powerful partner in mitigating risk.
A good example of why the total stakeholder perspective is needed comes from manufacturing. There have been cases where engineering created a new product design that delivered significant improvements in cost, process, time and materials from the company's standpoint, but the new design would have been too disruptive to the existing supplier and distribution base.
If those implications are not part of the initial risk management framework, the company can proceed to manufacturing without input from its suppliers and distributors, and it will feel the consequences of that mistake when the product finds no market adoption. An industrial air filter that lasts a lifetime instead of a year may be a great idea on many levels, but the sales force might see it as a product that would put them out of business by eliminating return customers and annual sales.
If all stakeholders are included, the risk evaluation is comprehensive.
An expert risk management view from the outside into your organization
We are trained to identify the weak links, and coming in from the outside brings a view uninfluenced by company politics or by internal considerations that can distort a risk evaluation and the recommendations that follow. Those distortions are themselves vulnerabilities in the risk process.
Threat knowledge helps you tailor your countermeasures, but you must add vulnerability and consequence (impact) to the process before you rate the risk. As a company or government official, the wisest decision you may ever make for your organization is to recognize the need for expert risk assessment.
A previously published blog post expands on this while discussing a specific example of risk in India. There are far too many weaknesses that brilliant minds with money and skilled teams are looking to exploit. The threats are always there. Your risks may be greater than what is apparent to even the most savvy operations officer or internal head of security, and you may be vulnerable to things that are difficult to predict or imagine.
Risk analysis is complex because it incorporates both the interaction and the weighting of the three components: threat, vulnerability and consequence. The threat to a vulnerable additional manufacturing plant in Mexico may be greater than the threat to a competitor's secure plant in Iowa, but if the Hawkeye State factory is that competitor's sole factory, its risk is much higher, because a negative event there could shut down the entire company.
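To make the Mexico/Iowa comparison concrete, here is a small risk register written for this article as an added illustration; it is not Pinkerton's method or tooling. It assumes the common product model (risk = threat x vulnerability x consequence), which the text describes in words but does not spell out, and it assumes constructed 1-to-5 threat and vulnerability scores and a 1-to-10 consequence score. It also encodes the article's three rules: the owner cannot change the threat term, but can treat vulnerability and can reduce consequence (for example by adding a second site so that a plant is no longer sole-source).

```python
"""Toy risk register for the threat / vulnerability / consequence model.

Added example for this article, not Pinkerton's own tooling. The product
model and all scores are assumptions chosen to reproduce the Mexico/Iowa
comparison in the text.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    """One critical resource. Scores are constructed integers, not measurements."""
    name: str
    threat: int            # 1..5: how actively threatened; the owner cannot change this
    vulnerability: int     # 1..5: how likely a threat is to succeed; this can be treated
    share_of_output: int   # 1..10: how much of the company stops if the asset is lost
    sole_source: bool = False


def consequence(asset: Asset) -> int:
    # A sole-source site takes the whole company down with it, so it gets the
    # maximum impact score regardless of its nominal share of output.
    return 10 if asset.sole_source else asset.share_of_output


def risk_score(asset: Asset) -> int:
    # Product model (assumed): threat x vulnerability x consequence.
    return asset.threat * asset.vulnerability * consequence(asset)


def rank(assets: list[Asset]) -> list[Asset]:
    """Highest risk first: this is the order in which to spend mitigation budget."""
    return sorted(assets, key=risk_score, reverse=True)


def most_critical(assets: list[Asset]) -> Asset:
    """The article's first question: which resource hurts most if it is lost?"""
    return max(assets, key=consequence)


def treat(asset: Asset, new_vulnerability: int) -> Asset:
    """Treat vulnerability (add a countermeasure). Threat is deliberately untouched."""
    if not 1 <= new_vulnerability <= 5:
        raise ValueError("vulnerability score must be between 1 and 5")
    return replace(asset, vulnerability=new_vulnerability)


def add_redundancy(asset: Asset, remaining_share: int) -> Asset:
    """Reduce consequence: a second site means losing this one no longer stops everything."""
    if not 1 <= remaining_share <= 10:
        raise ValueError("share_of_output must be between 1 and 10")
    return replace(asset, sole_source=False, share_of_output=remaining_share)


# Constructed scenario taken from the article's closing paragraph.
MEXICO_PLANT = Asset("Mexico plant (one of several)", threat=4, vulnerability=4,
                     share_of_output=1)
IOWA_PLANT = Asset("Iowa plant (competitor's sole factory)", threat=2, vulnerability=1,
                   share_of_output=5, sole_source=True)

if __name__ == "__main__":
    plants = [MEXICO_PLANT, IOWA_PLANT]
    print("Most critical resource:", most_critical(plants).name)
    for plant in rank(plants):
        print(f"risk {risk_score(plant):3d}  {plant.name}")
    # The two levers the owner actually has: treat vulnerability, or cut consequence.
    print("Mexico after treating vulnerability:", risk_score(treat(MEXICO_PLANT, 2)))
    print("Iowa after adding a second site:   ", risk_score(add_redundancy(IOWA_PLANT, 5)))
```

Run as-is, the register ranks the secure Iowa plant above the exposed Mexico plant (20 against 16) purely because of the consequence term, which is the article's point: a lower threat and a lower vulnerability do not make the risk lower when the asset is the one the whole company depends on. The only lever that changes the Iowa score is the one that changes consequence, adding redundancy, whereas the Mexico score responds to ordinary vulnerability treatment.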