Forecasting Risk: How to Maximize Assessment Efforts Using Minimal Resources

Wednesday Oct. 12, 2016

Forecasting Risk: How to Maximize Assessment Efforts Using Minimal Resources

Many organizations commit significant resources to forecast a market's growth potential. Before investing in a company, it is likely a person would review a summary prospectus of the organization's potential earnings. We routinely look to the National Weather Service for a forecast to determine the resource needs for a weather-dependent activity, days, or possibly weeks, in advance. So, given the need to conduct effective and efficient risk analysis beyond picking the low-hanging fruit, a question arises: How can an organization, using minimal resources, gather the appropriate amount of information to forecast risk? 

The Operational Environment

One of the most cost-effective options available to maintain a reasonable forecast is through a risk needs assessment (RNA). Global organization models are changing. Given the increasing frequency and severity of disruptive events, safety and security remain the primary concerns. This observation was recently reinforced by the Global Business Travel Association (GBTA). In an informal poll, when asked if their organization’s efforts toward safety and security had increased, remained the same, or decreased within the last six months; 60 percent of the respondents reported an increase, while the other 40 percent stated it had remained the same. Risk, and the way it is being assessed, is at a transition point. A large number of organizations are either unable or unwilling to commit the resources required to conduct and maintain a current risk assessment. For those who can and do commit these resources, certain aspects of the project can become outdated before the effort produces tangible results. What is the answer? Forego the assessment? Rely solely on best practices or industry benchmarking? Continue to pick the ‘low hanging fruit’  and hope for the best? The risk assessment is the answer. 

Why Perform a Risk Needs Assessment?

A risk needs assessment (RNA) provides a snapshot of where potential risk currently resides. It focuses on the impact and consequence of losing an asset (or a combination of assets), the threats which pose a risk to those assets, and the effectiveness of current mitigations. The RNA details the relative risk rankings of assets, graded by region or operational subdivisions down to individual locations. It establishes the requisite level of risk information, maximizes the limited resources required while providing a foundation to build, restructure or update its security and risk management capabilities.  The output informs all levels of management where relative risk lies by focusing on the degree of impact if an asset is lost, the disruptive scenarios posing risk, and the effectiveness of risk-related programs. When compared to the time and materials required for an organizational-wide risk or vulnerability assessment, the RNA provides a more timely and less resource intensive option to identify the organization’s risk profile.

Conducting a Risk Needs Assessment

An RNA improves the organization’s awareness of where to allocate resources to maximize its return. It analyzes the enterprise’s three factors of risk up to, and including, a global level. It delivers a quantitative analysis of key assets within the system that identifies any outliers beyond established levels of risk tolerance.

Using the example below (Figure 1) and a table or spreadsheet, populate the headers and follow the RNA Rubric. Reference the Risk-Factors Reference Example (Figure 2) to define and score the assets, potential disruptors, and mitigations. 

Figure 1 Risk Needs Assessment (RNA) Example

Monitoring, Representative Sampling, and Deep Dive Thresholds

The RNA provides a forward-looking capability that identifies areas warranting a more detailed focus and analysis to ensure the risk is adequately mitigated. Depending on the size and complexity of the organization, the Risk-Factors Reference may require additional definitions with a more sophisticated means to differentiate the resulting scores. The organization should establish thresholds for monitoring, representative sampling, and deviations warranting a ‘deep dive’ (focused and formal risk assessment) based on the RNA’s resulting scores.

Evaluating RNAs Mitigation Measures Effectiveness

When assessing the applied mitigation measures, qualitatively and quantitatively measure the level of adherence to the following four criteria:

  1. Formal: The mitigation is documented as a component of an approved program.
  2. Enforced: Leadership resources the mitigation and enforces managerial controls to ensure the accountability for deviations.
  3. Relevant: The mitigation directly impacts the motivation/capability of the disruption or functions as an offset to intensity/probability.
  4. Tested: Routine audits and exercises that validate the functionality of mitigations with adjustments to the risk treatment. 

The RNA process supports risk-based decision-making down to the asset level by maximizing quantitative analysis that is both consistent and relative across the organization. It also serves as an effectiveness model for potential risk treatment methodologies. Quantitative analysis is amalgamated to a strategic level where it is transformed into qualitative analysis; there it can be used to prioritize assets or location-specific efforts for further analysis to identify and adjust the organization's risk tolerance, appetite, and capacity.

Not long ago, after a senior executive was briefed on safety and security, she asked, “How much longer will I have to spend substantial portions of my day addressing risk mitigation issues, instead of focusing on our core business?” The response? “When it becomes a component of core business.”


This article was originally published by Homeland Security Today Magazine, October 2016. 

This blog was originally published October 12, 2016 and was updated on May 30, 2018. 

Michael Payne is an ASIS International, Certified Protection Professional (CPP) and DRI International, Certified Business Continuity Planner (CBCP) leading iJET’s Organizational Resilience Department within the Global Operations Division. In this position, he is responsible for organizational planning/ readiness, security operations, strategy, assessments, evaluations, resiliency systems design and emergency assistance.
Michael has a distinguished career managing the operations, crisis/emergency response, protective strategies, physical security implementation, physical and cyber security integration, procedural development, andpersonnel situational awareness and safety for several critical infrastructure and key resource entities. During iJET critical response operations, he assumes the role of Global Operations Incident Manager, leading crisis surge management efforts for significant events such as major natural disasters, political situations, and terrorism.

Edward D. Clark is a retired Special Forces Officer with both strategic and tactical level experience in developing and implementing critical infrastructure protection programs and armed response capabilities. Edward holds a bachelor’s degree in criminal justice and master’s degree in computer information systems. He served as the security lead for the White House Homeland Security Council on Bio-terrorism and is a nationally sought after trainer and public speaker on conducting vulnerability


Leave a comment

Your email address will not be published.
Required fields are marked.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
5 + 2 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.