Enabling Agile Decisions in a Rapidly Evolving Risk Environment
We are in a period of significant change in the global risk environment. These changes—which include an exponential increase in signal data, greater focus on the role of corporations in civic and political affairs, social unrest, and rapid globalization of local events—have required security leaders to adapt their risk analysis process accordingly. Many security leaders have discovered that, due to the pace of change and increasing demands for real-time risk analysis, organizational capabilities that were effective five years ago are no longer sufficient in today’s environment.
For leaders to make informed decisions about risk in a timely manner, they must be able to respond with greater agility to changing circumstances. The ability to respond effectively depends on having the right information at the right time, and agile decision making requires that business leaders support risk analysis by registering risks to their organization, building proactive teams, and effectively leveraging data and technology.
Preparation: Registering Risks
To perform effective risk analysis, leaders must first document the risks that may impact their organization, determine the likelihood and impact of each, and then decide which risks are to be mitigated and which are to be accepted and managed.
The process of registering risks should be undertaken with the broadest possible array of stakeholders to ensure future cooperation and limit personal and organizational bias. At a minimum, this stakeholder group should include representatives from corporate security, information security, customer service operations, human capital, and business operations leads from multiple regions. Security leaders must seek to understand where risk tolerance differs among stakeholder groups and individuals. Although some risks may appear to be equal on paper, organizational history or executive preference may indicate a higher or lower tolerance for risks that would dictate a counterintuitive response.
One example of this, common to the technology sector, is around the issue of access control. Security directors and information security directors tend to push for badge-based access to corporate facilities as an industry best practice. In fast-growing tech companies, however, a badge requirement can be seen as undermining the valuable culture of collaboration and trust that has been core to the company's success to date.
Similarly, a CEO who is extremely concerned about protecting personal privacy may refuse to accept protection services, which runs counter to what corporate security teams might expect. An alternative response could be to establish a digital journey management program in lieu of assigning a 24/7 protection team.
In any case, a mismatch of risk tolerance between stakeholders requires a creative response and flexibility.
Once risks have been identified across the organization, each risk should then be tied to a series of risk definitions and indicators to ensure the following: a common understanding of the nature of each risk, indicators that show whether a given risk has changed in severity or likelihood, recommended risk controls, and appropriate triggers for action and escalation to higher leadership. Once risks are documented and embedded in response planning, security leaders need to check in with stakeholders on a regular basis to ensure that the risk register, risk indicators, and risk escalation triggers remain relevant. In today’s environment, risks need to be reviewed more frequently than in the past, and leaders should plan for surprises.
Building Response and Resilience: Investing in Human Capital
One of the most critical elements in establishing effective risk-based decision making is investment in the people with responsibility for assessing and responding to those risks. Investing in a team’s human capital—through training, exercises, and other capacity-building—is essential for risk management.
Security leaders should ensure that their supporting managers are trained in risk management principles, informed about risks to the organization, connected to key stakeholders, and empowered to act.
Involving as many team members as possible in developing and testing crisis plans, for example, or encouraging team members to develop relationships with internal partners and stakeholders improves resilience and communication across teams. Creating opportunities to shadow other business groups or participate in employee resource groups supports organizational knowledge and enables team members to truly understand the nature and impact of risks facing the organization.
Deeper organizational knowledge will allow team members to add greater value in monitoring and responding to organizational risk. These human capital investments take time and money, but they will pay dividends down the road.
Decision Making Through Data and Technology
The volume of data in the world expands at an unprecedented rate. In 2017, humans produced an estimated 2.5 quintillion bytes of data per day, according to Domo. With the rate of remote work adoption and the growth of technology worldwide, that number has likely grown. Making use of data, turning raw signals into intelligence that supports decisions on risk, requires technology.
The pool of potential data includes everything from economic indicators, social media mentions, and climate information to internal company data on employee activities and local traffic patterns. This staggering amount of information can only be processed by machines, but effective use of technology for risk analysis depends on a nuanced human understanding of which risks matter to companies and why.
Using technology to take raw data and turn it into an effective risk warning mechanism requires that leaders begin with an established risk register and a methodology for assessing risk. From there, leaders must identify the specific combination of data, technology and tools that will support the specific risk decisions and responses that are required of them. They must also identify gaps in their data—potential blind spots that would prevent an accurate depiction of risk at any given moment—and acquire whatever is missing.
Once the correct data is assembled, it must be put into a computational framework that will provide visibility on trends and patterns in risk events, as well as alerting humans to significant changes in the risk environment. In this way, data and technology support decisions about risk acceptance or risk control in the context of each organization’s unique requirements, allowing stakeholders to make decisions based on a common, dynamic risk picture.
Risk cannot be avoided, and some risk is necessary for growth and success. Security leaders who integrate risk analysis into their decision cycle in a dynamic way will add tremendous value across their organizations. Doing so is key to operating successfully in today's complex environment.
Lianne Kennedy-Boudali is a principal at Control Risks, a global specialist risk consulting firm. Based out of the San Francisco Bay area, Kennedy-Boudali advises Control Risks’ global clients on issues related to enterprise security risk management, security program development, and implementation. A recognized expert on risk and political violence, she brings deep expertise in security and risk management and threat intelligence.