Exploit: The Forgotten Fifth Option of Risk Management
It’s often said that fortune favors the brave. But what does it mean to be brave? Most would say to be brave is to face risks, usually on a level few care to accept.
Security professionals often view risk only in negative terms, and they are taught there are four commonly accepted options for treating risk: accept it, avoid it, manage it, or share it. However, there is a fifth option that is often overlooked but can be very positive to those who understand it: exploit it. This became clear to me very early in my career as a special agent with the Diplomatic Security Service while assigned to northern Iraq with the U.S. Department of State.
In September 2004, immediately after completing eight months of basic agent training, I was assigned to a small compound in Kirkuk, Iraq, where I shared security responsibilities with a classmate and fellow agent. It was trial by fire—quite literally—working in an area where insurgent guerillas sabotaged oil wells, blew up pipelines, and conducted brazen midday attacks against police stations and government buildings.
In Kirkuk, it was all about the oil—raw crude bubbled to the surface, and approximately 1 million barrels were produced every day from the surrounding fields. When the Iraq War began in March 2003, oil fields were among the most precious assets to protect. For decades, oil companies had flourished in the area, but as the environment became more kinetic and their tolerance for risk waned, many ceased operations and, in some cases, abandoned millions of dollars-worth of equipment and product.
When I arrived in Kirkuk, the environment was stable enough to allow State Department protective security details to travel throughout northern Iraq. The abandoned oil sites were still there, and other companies had purchased much of what was left of the assets for a fraction of their value, realizing immediate gains. Unlike the previous companies, these organizations had extensive security teams and robust countermeasures in place to operate and thrive in a non-permissive environment. They placed robust barriers, security cameras, armed guards, and intrusion detection countermeasures around key sites and maintained quick reaction forces to engage would-be saboteurs. They developed intelligence networks and maintained close liaisons with local law enforcement and nearby residents, and they regularly won the hearts and minds of their neighbors. It was as if they had built their program from a special operations counterinsurgency manual. Through resilience and determination, they conducted business despite harrowing odds.
In 2011, I was posted to Mazar-i-Sharif, Afghanistan, to an even smaller off-site compound located along the famous Ring Road and miles from the nearest military base. Conditions were stable enough in Regional Command North to allow us to produce many long-range protective security missions.
During one such trip to Badakhshan Province, we took our senior civilian representative to dinner with members of the Aga Khan Foundation, an international development agency that ran a wide spectrum of programs in some of the world’s most challenging environments.
Many of the nongovernmental organizations (NGOs) in Afghanistan seemed wasteful and careless, launching short-sighted, half-baked programs that nearly always ran over budget and failed. But the Aga Khan team was different. They took on long-term challenges, lived among their communities, developed relationships with government officials, and created capacity with the support of highly experienced but low-profile security teams.
The Aga Khan Fund for Economic Development owned Serena Hotels, a hospitality company that operated the Kabul Serena Hotel—a comfortable sanctuary that had repeatedly been targeted for terrorist attacks yet continued to operate profitably thanks in large part to its robust security program.
Their resilience in this space paid off. If one needed an armored vehicle and driver for a trip across town, it wasn’t a problem. The Serena Hotel would arrange it for $500 per hour. If a group of journalists needed a meeting room to host an event for visiting corporate leadership, the Serena could produce it with class akin to a four-star Western resort. As a result, the hotel cornered the market, charging high rates and serving a unique niche which the world’s leading hospitality giants simply avoided, driven in part by their inability and disinterest in managing the risk of operating in such a volatile environment.
The risk management community, as reflected in the ISO 31000 and Committee of Sponsoring Organizations (COSO) standards for risk management, views risk as the uncertainty in achieving an organization’s objectives. Risk is a neutral concept that can have negative outcomes as well as positive outcomes. Too often, particularly in security management, the focus is on negative outcomes, but in today’s complex risk landscape, organizations need a holistic risk management approach to pursue opportunities as well as manage undesirable events.
Organizations exist to create value in terms of goods and services. To promote competitiveness, viability, and sustainability, it is essential to understand the purpose, values, culture, and objectives of the organization to provide the information needed to support decision making for the achievement of tactical, operational, strategic, and reputational objectives. Unless the trade-offs between upside and downside risk are clearly articulated and understood, it is not possible for the governance body to determine the risk appetite it is comfortable with to achieve its objectives. The risk management mind-set has transformed from reactive to proactive—where rather than just hunkering down, effective risk management weighs offense as the best defense.
Consider this: You’re an expert blackjack player who has invested—and probably lost—thousands of dollars in pursuit of understanding the game. You know your odds as a result of hundreds of hours of study and play, and you understand the risks because you’ve lost in the past. In the latest game. you receive your first two cards and are so confident in your abilities, you decide to double down on your bet because you are keenly aware of the potential upside of winning. You are now exploiting risk for financial gain. By understanding and managing your risk through experience and study, you stand a better chance of profiting.
Resilience is the ability to become strong, healthy, or successful again after something bad happens. We often say security risk management programs exist to enable business to operate, and we use terms like resilience and capacity building when describing our programs. But are we thinking too small?
What if we set the bar higher to say that our programming not only allows a business to operate, but thrive by facing, managing, and exploiting risk? This is what author, statistician, and risk analyst Nassim Taleb would call antifragility—a property of systems in which they increase in capability to thrive as a result of stressors, shocks, volatility, noise, mistakes, faults, attacks, or failures.
In security’s case, we’re not only managing stressors (risk), but improving as a direct result of exploiting it. Taleb’s concepts seem to be enjoying a resurgence of late, particularly as the COVID-19 pandemic has exposed just how fragile many of our systems have become. (For a full dose of these concepts, start with Taleb’s 2012 book Antifragile: Things That Gain from Disorder.)
Michelangelo once said, “The greater danger for most of us lies not in setting our aim too high and falling short; but in setting our aim too low and achieving our mark.” Effective security risk management systems should be designed with antifragility as the higher goal, built upon the capacity to not only accept, avoid, share, and manage risk—a worthy goal of a resilient program—but also exploit risk, thereby reaching a higher standard.
However, one must always remember this is an advanced concept. Just as one would not be prudent to double down at the blackjack table unless an expert at the game, one should fully understand risk at the tactical, operational, and strategic levels before attempting to exploit it. This isn’t recommended for an immature security program. Don’t try it out on the battlefield without first proving it during peacetime.
Is there a market your organization has wanted to explore but shied away from because of security concerns? Is there a product your company always wanted to make, but didn’t feel it had enough security controls in place to protect the proprietary information associated with the manufacturing process? This is where a next-level security program can create value by developing an antifragile program and enabling organizations to thrive within challenging environments.
Erik Antons, CPP, PSP, is the chief security officer of Whirlpool Corporation, where he leads the physical security risk and crisis management programs for the $22.3 billion enterprise of more than 77,000 employees across 170 countries. Previously, he was vice president and CSO of Hyatt Hotels Corporation and the manager of international security and executive services with Sempra Energy. Antons began his security management career as a special agent with the Diplomatic Security Service with the U.S. Department of State, where he safeguarded the people, property, and information of Americans overseas, often in critical-threat environments.
The comments and views expressed in this article are the author’s alone and may not reflect those of his employer.