Know your risk appetite: improving organizational resilience

Terry King, Vice President, STC Operations, Guidepost Solutions, explores risk appetite: the foundation of resilient security.

Risk management

Unpredictable threats, from widespread cyber-crime to localized extreme weather events and even societal challenges like mass violence, leave organizations frequently in a reactive posture, scrambling to understand what went wrong and how to prevent future occurrences.

This constant state of reaction often overlooks a fundamental element: a clear and comprehensive understanding of an organization’s risk appetite.

Defining this appetite is not merely a theoretical exercise; it is the cornerstone upon which effective security, strategic decision-making and long-term resilience are built.

Defining your organizational risk appetite

At its core, organizational risk appetite is the amount and type of risk an organization is willing to accept in pursuit of its goals.

It represents the deliberate willingness to tolerate a certain degree of uncertainty and potential loss in exchange for achieving strategic gains.

This isn’t a static concept; it’s dynamic, evolving with an organization’s business goals, operational changes and even its inclination to embrace or shy away from potential losses.

Simply put, it is about what you are willing to lose to advance your gain.

Consider the proactive approach of Texas-based grocery retailer HEB in early 2020 as the COVID-19 pandemic began to emerge globally.

In a March 2020 article from Texas Monthly Magazine, HEB described in detail how they modeled the transmission and impact of the virus based on events in China and mirrored the protective steps taken by the Chinese government.

This forward-thinking strategy demonstrated a critical aspect of risk assessment: HEB had established a clear understanding of its risk appetite, and of what it would accept in order to keep operating and serving customers, before the virus directly impacted the US.

They understood what level of risk they could accept to maintain their core mission.

Similarly, organizations like Space-X exemplify a high-risk appetite culture.

Their business objectives are tailored around expansion and growth in demanding, innovative sectors, leading them to accept significant risks in research, development, testing and production to achieve their ultimate goal of space travel.

This willingness to embrace high potential risk for high potential reward, clearly espoused by their leadership, has resulted in both high-profile testing failures and remarkable delivery successes.

These examples, though vastly different in industry and operational scale, share a common thread: a deliberate understanding and communication of their risk appetite.

Whether a 120-year-old retailer or a rapidly evolving startup, knowing your risk appetite allows for consistent decision-making, balances excessive risk-taking with overly cautious approaches and enables proper resource allocation.

Without this internal clarity, an organization risks misaligning its goals, communicating inconsistently about risk and failing to adequately prepare for or respond to emerging situations.

Risk appetite in high-stakes environments

The principles of understanding and defining risk appetite are particularly critical in environments with distinct operational mandates and significant potential for harm, such as large public venues and correctional facilities.

While their objectives differ dramatically, both need a rigorous approach to risk management, informed by a clear understanding of what risks are acceptable and what are not.

Stadiums and entertainment venues: For major sports and entertainment venues, the core objective is to provide a safe, enjoyable and engaging experience for large crowds, while also protecting the athletes, performers, staff and physical assets.

This involves a complex interplay of crowd management, physical security, emergency response and reputational concerns.

Stadium organizations, while accepting the inherent risks of large public gatherings, have a very low appetite for preventable harm, operational chaos or reputational damage.

Their security programs are designed to minimize these risks through comprehensive planning, advanced technology and multi-agency coordination, reflecting a deliberate choice to prioritize safety and security as integral to their business objectives.

Correctional facilities: Correctional facilities operate under a fundamentally different risk profile.

Their primary objectives are containment, safety of staff and inmates, and prevention of escapes, contraband and internal violence.

Their risk appetite, by nature, is extremely low when it comes to security breaches or uncontrolled incidents.

In a correctional setting, the potential for harm from security failures is immense, leading to a risk appetite that demands stringent, multilayered security measures.

The focus is on elimination or extreme reduction of specific, high-impact risks through architectural, operational and technological countermeasures.

The interplay of risk appetite and mitigation

Regardless of the industry or specific venue, understanding risk appetite allows organizations to move beyond being “creatures of reaction.”

It enables them to:

  • Make consistent decisions: A defined risk appetite provides a framework for evaluating and prioritizing security investments and operational protocols
  • Align security with business goals: Physical security programs should not be siloed; they must be integrated with the organization’s core mission and objectives. The Threat and Vulnerability Risk Assessment (TVRA) process that underlies these programs documents their reasoning and goals, helping to allocate resources effectively and align security with core business strategy
  • Allocate resources efficiently: Knowing what risks are acceptable helps to determine where to apply architectural countermeasures (e.g., doors, fences, lighting), operational countermeasures (e.g., staffing, emergency plans, policies) and technological countermeasures (e.g., access control, video surveillance, intrusion detection). The goal is not to eliminate all risk, which is neither realistic nor feasible, but to reduce residual risk to an acceptable, manageable level
  • Foster a proactive culture: When risk appetite is clearly mapped to business goals and communicated internally and externally, it drives the behavior of employees, partners and customers, fostering a culture of risk awareness and preparedness

The role of external expertise

While some organizations may possess the internal resources and expertise to undertake this critical self-assessment, many find immense value in partnering with independent security consulting firms.

These external experts bring a fresh, unbiased perspective and deep experience across diverse industries and threat environments.

They can help organizations not only identify threats and vulnerabilities but also gain clarity on their actual risk appetite – how it is quantified, qualified and communicated.

Experienced consultants can incorporate lessons learned from various facilities and integrate multiple points of view (e.g., environment, health and safety; business continuity; HR; IT; crime prevention through environmental design) to develop comprehensive asset, threat, vulnerability and mitigation profiles.

This collaborative process, predicated on understanding the organization’s unique risk appetite, leads to clear, aligned and actionable recommendations for a proper risk mitigation strategy.

Ultimately, security risk assessments, informed by a defined risk appetite, are far more than a regulatory checkbox.

They are indispensable components for protecting an organization’s people, operations and reputation.

By approaching them with the right expertise, methodology and objectivity, organizations can ensure they are not merely reacting to an “ominous world” but proactively safeguarding what truly matters.

Partnering with professionals who specialize in this work can make all the difference in achieving a resilient and properly protected future.

This article was originally published in the September edition of Security Journal Americas.