Forecasting Risk: How to Maximize Assessment Efforts Using Minimal Resources

Wednesday Oct. 12, 2016

Many organizations commit significant resources to forecast a market's growth potential. Before investing in a company, it is likely we would review a summary prospectus of their potential earnings. We also look to the National Weather Service for a forecast to determine our resource needs for a weather-dependent activity days, or possibly weeks, in advance. So why, given the need to conduct effective and efficient risk analysis beyond picking the low-hanging fruit, is there such a limited effort to forecast risk? How can we gather the appropriate amount of information to forecast risk using minimal resources in today's operating environment?

The Operational Environment

Global organization models are changing. Given the increasing frequency and severity of disruptive events, one aspect remains constant: safety and security are the number one concern. This observation was recently reinforced by the Global Business Travel Association (GBTA). In an informal poll, when asked if their organization's efforts toward safety and security had increased, remained the same, or decreased within the last six months, 60% of the respondents reported an increase; the other 40% stated it remained the same. Risk, and the way it is being assessed, is at a transition point. A large number of organizations are either unable or unwilling to commit the resources required to conduct and maintain a current risk assessment. For those who do, certain aspects can become outdated before the effort produces tangible results. What is the answer? Forego it? Rely solely on best practices or industry benchmarking? Continue to pick the low-hanging fruit and hope for the best? We submit that one of the most cost-effective options available to maintain a relevant forecast is a risk needs assessment (RNA).

Why Perform a Risk Needs Assessment?

A risk needs assessment (RNA) provides a snapshot of where potential risk currently resides. It focuses on the impact and consequence of losing an asset (or a combination of assets), the threats which pose a risk to those assets, and the effectiveness of current mitigations. The RNA details the relative risk rankings of assets, gradated by region or operational subdivisions down to individual locations. It establishes the requisite level of risk information and maximizes the limited resources required, while providing a foundation for the organization to build, restructure or update its security and risk management capabilities. The RNA informs all levels of management where the relative risk lies by focusing on the degree of impact if an asset is lost, the disruptive scenarios posing a risk, and the effectiveness of risk-related programs. When compared to the time and materials required for an organization-wide risk or vulnerability assessment, the RNA provides a timelier and less resource-intensive option to identify the organization's risk profile.

Conducting a Risk Needs Assessment

An RNA improves the organization's awareness of where to allocate resources to maximize return. It analyzes the enterprise's three factors of risk up to and including a global level. It delivers a quantitative analysis of key assets within the system that identifies any outliers beyond established levels of risk tolerance. Using the example below (Figure 1) and a table or spreadsheet, populate the headers and follow the RNA Rubric. Reference the Risk-Factors Reference Example (Figure 2) to define and score the assets, potential disruptors and mitigations.

 

Figure 1 Risk Needs Assessment (RNA) Example

 

 

Figure 2 Risk Factors Reference Example

 

Monitoring, Representative Sampling, and Deep Dive Thresholds

The RNA provides a forward-looking capability that identifies areas warranting a more detailed focus and analysis to ensure the risk is adequately mitigated. Depending on the size and complexity of the organization, the Risk-Factors Reference may require additional definitions with a more sophisticated means to differentiate the resulting scores. The organization should establish thresholds for monitoring, representative sampling, and deviations warranting a deep dive (focused and formal risk assessment) based on the RNA's resulting scores.

Evaluating the Effectiveness of RNA Mitigation Measures

When assessing the applied mitigation measures, qualitatively and quantitatively measure the level of adherence to the following five criteria:

  1. Formal: The mitigation is documented as a component of an approved program.
  2. Enforced: Leadership resources the mitigation and enforces managerial controls to ensure accountability for deviations.
  3. Relevant: The mitigation directly impacts the motivation/capability of the disruption or functions as an offset to intensity/probability.
  4. Tested: The validity and functionality of mitigation measures are routinely audited and exercised, with the risk treatment adjusted accordingly.

The RNA process supports risk-based decision making down to the asset level by maximizing quantitative analysis that is both consistent and relative across the organization. It also serves as an effectiveness model for potential risk treatment methodologies. Quantitative analysis is amalgamated to a strategic level, where it is transformed into qualitative analysis. There it can be used to prioritize assets or location-specific efforts for further analysis to identify and adjust the organization's risk tolerance, appetite, and capacity.

Not long ago, after briefing a senior executive on safety and security, she asked, "How much longer will I have to spend large portions of my day addressing these issues instead of focusing on our core business?" The response: when it becomes a component of core business.

This article was originally published by Homeland Security Today Magazine, October 2016. 

Michael Payne is an ASIS International, Certified Protection Professional (CPP) and DRI International, Certified Business Continuity Planner (CBCP) leading iJET’s Organizational Resilience Department within the Global Operations Division. In this position, he is responsible for organizational planning/readiness, security operations, strategy, assessments, evaluations, resiliency systems design and emergency assistance.

Michael has a distinguished career managing the operations, crisis/emergency response, protective strategies, physical security implementation, physical and cyber security integration, procedural development, and personnel situational awareness and safety for several critical infrastructure and key resource entities. During iJET critical response operations, he assumes the role of Global Operations Incident Manager, leading crisis surge management efforts for significant events such as major natural disasters, political situations, and terrorism.

Edward D. Clark is a retired Special Forces Officer with both strategic and tactical level experience in developing and implementing critical infrastructure protection programs and armed response capabilities. Edward holds a bachelor’s degree in criminal justice and master’s degree in computer information systems. He served as the security lead for the White House Homeland Security Council on Bio-terrorism and is a nationally sought after trainer and public speaker on conducting vulnerability
