The Art of Risk Assessment: Preparing for the Unexpected
By Robert Dodge
The emergence of a more dangerous world in 2022 is upon us. Increased violence, fear, and uncertainty are presenting enhanced challenges for corporations as we slowly emerge from the pandemic. Organizations that want to be well-prepared for dealing with the myriad of risks are now investing in comprehensive risk assessments. These are crucial for aligning your security personnel, processes, and technology to not just mitigate risks but to also strengthen your organization’s business resiliency and help ensure its success. So how do you do it?
Step 1: Take a Comprehensive Approach
The risk assessment process needs to be approached holistically, rather than through the narrow ‘Guards, Gates, and Guns’ approach often employed. Traditionally, acts of violence, external risks and regulatory compliance have driven security spending. And yes, mitigating the risks associated with violent or physical incidents is important, but what I advise our clients is to consider all high-impact, high-consequence risks beyond this. For example, when a trusted employee steals your intellectual property for a competitor or a foreign intelligence agency, or when a long-term accounts payable fraud costs the organization millions—these are instances that may be difficult to detect and can cause a tremendous amount of damage to the business. The key point is that it is not always the source of the risk but the potential for damage to the organization that should get our attention, and this is where internal (insider) bad actors have an advantage due to the access they have.
Considering a broad array of threats, such as the ones I just mentioned, is critical. And I’d like to emphasize that there is a difference between the terms risk and security. The latter is narrower and tends to focus on external and mostly physical threats, while the former takes more of an all-hazards approach.
It’s not always the bad guy that gets you. It could be a litigator, for example, with a large legal case around a “duty of care” failure for one of your traveling employees. Or it could be a government regulator coming to a town near you for a supply chain security compliance program failure. Or it could be a natural disaster for which you are not adequately prepared.
Risk-based approaches to security assessments are therefore better than the standard physical security approaches. They help us to:
- Prepare a data-driven, factual plan, based on identified risks
- Provide security and business leaders a common framework for decision making around security needs
- Move the organization’s security from a reactive to a proactive posture
- Clearly define and quantify risks and vulnerabilities, which helps with appropriate funding requests
Step 2: Know Your Assets
At the outset of a risk assessment, it is imperative to know the key organizational assets. They come in three broad categories:
- Physical assets are tangible. Some examples include infrastructure, facilities, land, cash, raw materials and finished goods.
- Knowledge assets are intangible. They include intellectual property, trade secrets, copyrights, patents, marketing plans, expansion or downsizing plans, research and know-how, unique capabilities, etc.
- Organizational assets can be both tangible and intangible. They include people, governance structure and relationships.
According to the ANSI/ASIS/RIMS RA.1-2015 standard, “the value of an asset and service should be considered within the context of how the assets contribute to the organization’s achievement of its objectives.” What I would like to emphasize here is the “context” part. The book value of something, like a manufacturing plant for example, is different from its value to your business. The plant may have cost $1M to build, but if it produces $100M in goods every year and is destroyed in a natural disaster, the loss to the company will be a lot more than $1M. The same thought process should be followed for all other assets mentioned above—physical, knowledge and organizational ones.
Step 3: Accurately Identify Risk
Most organizations recognize that it is important to identify potential risks, but most also find this to be difficult in practice. Throughout my career, I have noticed that many organizations don’t really understand what actual threats they face. This is a key benefit that the risk assessor can bring to the table in helping the organization to define risks, which generally fall into three categories:
1. Human error. People make mistakes, accidents happen, and confidential information is inadvertently disclosed.
2. Malicious actions. From theft, to sabotage, to espionage, there is a whole host of actions—with intent—that can harm an organization.
3. Natural disasters. These are increasing dramatically around the globe and are creating ever-evolving risks.
Accurately identifying risk is a key element of an effective risk assessment. Identified risks must also be prioritized, because a company’s whole security system—from security officers, to technology, to policies and procedures—should be arrayed appropriately for the detection of the threats that are most likely and potentially most damaging. To be clear, this means we need to align our security systems to detect the indicators of specific threats.
It must be noted that high-profile events sometimes overshadow true, real-world risk. When I ask in my seminars what the number one killer of Americans overseas is, a lot of folks say terrorism or criminal activity. But that’s just not the case—it’s vehicle accidents and other travel accidents that kill more people internationally than either terrorists or criminals. The number two cause of deaths of Americans abroad is medical events, which happen with great frequency from things like food-borne illnesses, common and less common diseases, COVID-19, mental health breakdowns and the dangers of treatment in foreign countries.
When it comes to protecting your assets—and remember, they can be tangible or intangible—what I see increasingly are threats that blossom where the physical world meets the virtual one. An employee gets a USB drive at a trade show and plugs it in: what was on it? Maybe there was malicious code that could bring down your network or give hackers backdoor access to your databases. An employee throws confidential documents in the trash rather than shredding them. What if someone is going through your trash? An employee logs into a wi-fi network at a neighborhood café. Was the network secure? What other common occurrences are there that could create a risk? Think policies for key cards, passwords, usage of copiers, etc.
Ideally, risk assessments will show the current security posture of an organization and highlight areas where greater or lesser security is needed. They should also show which systems are misaligned and are wasting the organization’s resources while producing no benefit. For example, when conducting assessments for our clients, a common issue I see is a video camera whose field of view does not match the intended target. Another widespread problem I see is security officer post orders that are not tailored to the actual site duties. These are examples of security assets that are not detecting real threats but are costing real money.
Step 4: Risk Assessment Reporting
The risk assessment report should provide a concise, evidence-based summary of the findings, as well as conclusions and recommendations. It should also be written in plain English. I always recommend that assessors keep reports simple so that business executives who may not be familiar with security industry terminology can fully understand the results. The report should include a succinct executive summary, using business-friendly terminology, and should categorize risks as high, medium, or low while also prioritizing them. Working with the company’s corporate legal department under attorney-client privilege will help protect the assessment reporting process, which is a best practice when working with outside consultants.
Choose Your Risk Assessor Carefully
A risk assessment’s usefulness depends in large part on the company or individual evaluating the risk. Risk assessors should be impartial and should have extensive experience and expertise in the risk consulting field.
Generally, third-party assessors provide a more unbiased and accurate risk assessment, making them a sound investment. Many organizations do not have the internal resources or expertise to undertake their own risk assessment; if they do, they must be aware of the power of bias and how it can skew the results toward “this is how we’ve always done things.” Additionally, if the security team that built the security program conducts the assessment, how critical are they going to be?
Risk assessments provide organizations with a roadmap for negotiating the 21st century’s global threat environment—they are valuable tools when applied properly.
As companies continue to grapple with decisions about where to place resources, security directors must communicate the importance of a broad-based approach to risks that goes beyond “guards, gates and guns.” Companies cannot block themselves off from the rest of the world, and they cannot always apply resources to mitigate every threat. The risk assessment process can provide a roadmap on how to best configure and apply the limited security resources to build resilience, make one’s security program more robust, and mitigate the real risks the organization faces.
* * *
Robert Dodge is the Chief Executive Officer, Global Risk Services at Prosegur USA.
Robert is a recognized global security expert with over 25 years of experience in security, investigations and consulting. He has worked on security and investigative projects in more than 90 countries around the world.
Robert currently serves as CEO of Prosegur Global Risk, a key business unit of the world’s third largest security company, where he leads the team that advises some of the largest organizations around the world on risk mitigation and security strategies. Prior to joining Prosegur, he was Global President of the Corporate Risk Services Division at G4S. He also spent 14 years with Pinkerton, one of the world’s largest risk management firms as the International Senior Vice President, responsible for managing all of Pinkerton’s international offices and operations. Early in his career Robert served honorably in the U.S. Navy.
Robert regularly speaks and writes on the matters of security and risk both domestically and internationally.