Understanding risk assessments


Jeffrey A Slotnick, President of Setracon ESRMS, asks why security threat, vulnerability and risk assessments matter, and why a checklist is not one.

Risks and threats

Over the past 26 years, I have encountered numerous security risk, threat and vulnerability assessments – some exemplary and others lacking.

Many organizations approach risk assessments primarily to fulfill compliance requirements, often relying on checklists, Excel spreadsheets or questionnaires.

While these methods are adequate for demonstrating compliance, they fall short of a comprehensive qualitative or quantitative analysis of the risk itself.

Qualitative risk assessment

A qualitative risk assessment evaluates risks based on their characteristics and potential impact on a project or organization.

It uses descriptive terms and subjective judgments to prioritize risks, often through methods like expert opinions, interviews and risk matrices.

The focus is on understanding the nature of risks and their relative significance to the enterprise.

Quantitative risk assessment

A quantitative risk assessment involves numerical analysis to measure the probability and impact of risks.

It quantifies risks using statistical methods and data, often resulting in specific values or ranges.

Techniques like Monte Carlo simulations, sensitivity analysis and decision tree analysis are commonly used to better evaluate risks.

Monte Carlo simulations, for instance, are particularly suited to engineering risk, evaluating the reliability and performance of systems under uncertain conditions.

They apply equally to security risk: instead of a single point estimate, sampling event frequency and loss magnitude from estimated ranges produces a distribution of annual loss, from which an expected loss, a "bad year" percentile and the probability of exceeding a tolerance threshold can all be read.
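The following is an added illustration of a Monte Carlo security risk estimate, not code from the original article or the author's practice. It models one scenario (tampering at a plant) as a compound process: the number of loss events in a year is drawn from a Poisson distribution, and each event's loss from a lognormal fitted to a 90% confidence interval. The frequencies, loss ranges and the control cost are constructed assumptions for the example, not data from any enterprise.

```python
"""Monte Carlo estimate of annualized loss for a security scenario.

Added illustration; not the author's method. Frequencies, loss ranges and
control costs below are constructed assumptions, not data from any enterprise.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float  # expected number of loss events per year (Poisson mean)
    loss_p05: float         # 5th percentile of loss per event, in dollars
    loss_p95: float         # 95th percentile of loss per event, in dollars


def poisson(rng: random.Random, lam: float) -> int:
    """Draw an event count from Poisson(lam) (Knuth's method; fine for small lam)."""
    limit = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def lognormal_from_ci(rng: random.Random, p05: float, p95: float) -> float:
    """Draw a per-event loss from the lognormal whose 90% interval is [p05, p95]."""
    z90 = 1.6449  # standard-normal quantile for the 95th percentile
    mu = (math.log(p05) + math.log(p95)) / 2
    sigma = (math.log(p95) - math.log(p05)) / (2 * z90)
    return rng.lognormvariate(mu, sigma)


def simulate_annual_losses(scenario: Scenario, trials: int = 20_000, seed: int = 7) -> list:
    """One trial = one simulated year: draw how many events occur, then sum their losses."""
    rng = random.Random(seed)
    years = []
    for _ in range(trials):
        n_events = poisson(rng, scenario.events_per_year)
        years.append(sum(lognormal_from_ci(rng, scenario.loss_p05, scenario.loss_p95)
                         for _ in range(n_events)))
    return years


def summarize(losses: list, threshold: float) -> dict:
    """Annualized loss expectancy, the 95th-percentile year and P(loss > threshold)."""
    ranked = sorted(losses)
    return {
        "ale": statistics.fmean(losses),
        "p95": ranked[int(0.95 * len(ranked)) - 1],
        "p_exceed": sum(x > threshold for x in losses) / len(losses),
    }


def net_benefit(before: Scenario, after: Scenario, annual_control_cost: float, **kw) -> float:
    """Expected annual loss avoided by a control, minus what the control costs per year."""
    ale_before = summarize(simulate_annual_losses(before, **kw), 0)["ale"]
    ale_after = summarize(simulate_annual_losses(after, **kw), 0)["ale"]
    return ale_before - ale_after - annual_control_cost


# Constructed example: product-tampering incidents at a single plant, before and
# after a hypothetical access-control and CCTV upgrade. All figures are illustrative.
TAMPERING = Scenario("tampering, current controls", events_per_year=0.5,
                     loss_p05=200_000, loss_p95=2_000_000)
TAMPERING_MITIGATED = Scenario("tampering, upgraded controls", events_per_year=0.1,
                               loss_p05=200_000, loss_p95=2_000_000)

if __name__ == "__main__":
    stats = summarize(simulate_annual_losses(TAMPERING), threshold=1_000_000)
    print(f"{TAMPERING.name}: ALE ${stats['ale']:,.0f}, 95th percentile year "
          f"${stats['p95']:,.0f}, P(loss > $1M) = {stats['p_exceed']:.1%}")
    print(f"net benefit of upgrade at $150k/yr: "
          f"${net_benefit(TAMPERING, TAMPERING_MITIGATED, 150_000):,.0f}/yr")
```

The output a practitioner takes to leadership is not the ALE alone but the tail: the 95th-percentile year and the probability of exceeding a stated tolerance are what justify a control whose cost exceeds the average annual loss. The `net_benefit` comparison states the investment in the same units as the risk it reduces.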

Understanding risk assessment

Threat, vulnerability and risk assessments are often misunderstood and misapplied.

Risk assessment is not merely about identifying risks and calculating a risk level.

It serves as the entry point for identifying and quantifying all enterprise risks, facilitating compliance and making informed business decisions for physical security investments.

Moreover, a continuous improvement process keeps the assessment aligned with enterprise strategy as that strategy and the threat landscape change.

Consider this: many enterprises invest significantly in physical security systems, security forces and security programs, often amounting to millions of dollars.

However, budgets are frequently cut because executive leadership does not fully understand the value of these investments.

How do we demonstrate the value of the security function? How do we position ourselves as a revenue center rather than a cost center?

The security threat, vulnerability and risk assessment is the first step in understanding our enterprise and the value the security function brings to the table.

A comprehensive, in-depth assessment aligned with the enterprise's strategic risks goes a long way toward demonstrating the value of investments in mitigations.

Aligning security risk with strategic risk prioritizes the security measures that support the organization's overall goals, so resources are allocated to the areas with the highest impact on the business.

Once that alignment is made, the value of an investment can be demonstrated rapidly and in terms the business already recognizes.

Strategic risks from a Form 10-K

Here is a sampling of strategic risks from a global corporation, extracted from its Form 10-K, the comprehensive annual report that publicly traded companies file with the US Securities and Exchange Commission (SEC).

One of the required sections of a Form 10-K is Item 1A, Risk Factors, and it is these factors that are treated here as the company's strategic risks.

Please read the strategic risk factors below and, with a security lens, imagine what actions the security department can take to eliminate or mitigate these risks:

  • Reported incidents involving food or beverage-borne illnesses, tampering, adulteration, contamination or mislabeling, whether or not accurate, could harm our business
  • Interruption of our supply chain and reliance on suppliers could affect our ability to produce or deliver our products and negatively impact our business and profitability
  • The loss of key personnel, difficulties with recruiting and retaining qualified personnel or ineffectively managing changes in our workforce could adversely impact our business and financial results
  • Failure to adequately protect our intellectual property or ensure that we are not infringing on the intellectual property of others could harm the value of our brand and our business

When we can tie the investments in security risk to the elimination or mitigation of strategic risk, we have a business methodology that demonstrates the value of the security function and its overall impact on the enterprise.

A checklist cannot accomplish the type of security threat, vulnerability and risk assessment required to make decisions of this magnitude.

A comprehensive security risk, threat and vulnerability assessment grounded in quality management processes should include several key attributes to ensure accurate and actionable information for mitigating security and strategic risks.

Here are the essential attributes:

  • I always start my assessments with document reviews: by examining existing policies, procedures, contracts and incident reports, I gain great knowledge, identify gaps and provide context for field visits, ultimately identifying areas for improvement
  • We must take a holistic approach. Physical security and digital security are now integrated and dependent on one another. We must assess physical infrastructure and digital systems to identify vulnerabilities across all domains
  • In comprehensive threat analysis, we must consider all physical, operational and cyber-threats that are human-made, technological or caused by natural disasters. Oftentimes, these threats will intersect and impact each other
  • It is essential to use a structured framework. In many sectors, compliance standards drive the risk assessment. In the absence of a compliance standard, consider using ISO 31000 Risk Management
  • Ensure a consistent process in assessment methods to maintain reliability and repeatability of results. This is especially important in large enterprise organizations with numerous and diverse facilities
  • Be detailed in data collection by conducting thorough onsite inspections to identify physical vulnerabilities
  • Interviews and surveys can gather information from key personnel to understand potential risks from their perspective. Some of the best information I have received was obtained during a conversation in a service vehicle
  • Always combine qualitative and quantitative analysis, using expert opinions, risk matrices and scenario analysis to evaluate risk. One of my favorite methods for scenario analysis of complex systems is failure or fault tree analysis. Using this method, it becomes obvious where a low-level event can create a strategic failure

After engaging in the above process, we can now prioritize and rank risk based on its potential impacts on the enterprise’s strategic objectives.

Understanding risk in terms of its potential impact lets us justify resource allocation, addressing the most critical risks first.

This leads us to actionable recommendations, mitigation strategies and an implementation roadmap.
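The fault tree analysis mentioned in the list above, and the prioritization that follows from it, can both be shown with a small evaluator. What follows is an added example, not code from the original article or the author's practice. The tree is constructed for illustration around the 10-K risk factors quoted earlier (contamination and supplier reliance); its structure and the annual probabilities on the basic events are assumptions, not measurements. The evaluator computes the top-event probability (assuming independent basic events), the minimal cut sets, and a simple risk reduction worth for each basic event, which is the drop in top-event probability if that event could be eliminated.

```python
"""Fault tree evaluation for a security scenario.

Added illustration; not the author's method. The tree and all probabilities
are constructed assumptions for the example.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Basic:
    """A basic event with its assumed annual probability."""
    name: str
    p: float


@dataclass(frozen=True)
class Gate:
    kind: str      # "AND" or "OR"
    name: str
    inputs: tuple  # child Basic or Gate nodes


def probability(node, overrides=None):
    """Probability of the node's event, treating basic events as independent.

    overrides maps a basic event name to a replacement probability, which is
    how a mitigation ("this event can no longer happen") is modelled below.
    """
    overrides = overrides or {}
    if isinstance(node, Basic):
        return overrides.get(node.name, node.p)
    ps = [probability(child, overrides) for child in node.inputs]
    if node.kind == "AND":
        return math.prod(ps)
    if node.kind == "OR":
        return 1 - math.prod(1 - p for p in ps)
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node):
    """Smallest combinations of basic events that are sufficient for the node's event."""
    if isinstance(node, Basic):
        return {frozenset([node.name])}
    child_sets = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        sets = set().union(*child_sets)          # any child's cut set suffices
    else:
        sets = {frozenset()}                     # one cut set from every child
        for cs in child_sets:
            sets = {a | b for a in sets for b in cs}
    return {s for s in sets if not any(other < s for other in sets)}


def basic_events(node):
    if isinstance(node, Basic):
        return {node.name}
    return set().union(*(basic_events(child) for child in node.inputs))


def rank_mitigations(tree):
    """Risk reduction worth of eliminating each basic event, highest first."""
    base = probability(tree)
    return sorted(((base - probability(tree, {name: 0.0}), name)
                   for name in basic_events(tree)), reverse=True)


# Constructed tree: how contaminated product could reach customers.
NOT_DETECTED = Gate("OR", "contamination not detected before shipment", (
    Basic("release lab test skipped", 0.05),
    Basic("lot tracking fails to isolate batch", 0.02)))
INTRODUCED_ON_SITE = Gate("OR", "contaminant introduced on site", (
    Basic("insider tampers with batch", 0.02),
    Gate("AND", "intruder reaches production line", (
        Basic("perimeter breached", 0.10),
        Basic("production door left unsecured", 0.30)))))
TOP = Gate("OR", "contaminated product reaches customers", (
    Gate("AND", "on-site contamination ships", (INTRODUCED_ON_SITE, NOT_DETECTED)),
    Basic("unscreened supplier lot accepted", 0.01)))

if __name__ == "__main__":
    print(f"P(top event) per year: {probability(TOP):.4f}")
    for cs in sorted(minimal_cut_sets(TOP), key=len):
        print("cut set:", sorted(cs))
    for worth, name in rank_mitigations(TOP):
        print(f"{worth:.4f}  eliminate: {name}")
```

The cut sets make the low-level event visible at once: every on-site path needs at least two things to go wrong, but the single basic event "unscreened supplier lot accepted" is a cut set on its own and, with the assumed figures, accounts for most of the top-event probability. The ranking turns that observation into a resource decision: incoming supplier screening outranks the physical controls at the door, even though the door event is the more likely one. A single physical security finding on its own would never have shown that.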

Continuous improvement

  • Regular updates: Update the assessment regularly to reflect changes in the threat landscape and organizational environment
  • Feedback loop: Incorporate feedback from previous assessments and incidents to continuously improve the assessment process

Stakeholder involvement

  • Multidisciplinary team: Involve a diverse team of security professionals, IT experts, facility managers and leadership stakeholders
  • Executive engagement: Ensure executive leadership understands and supports the assessment process and its findings

Compliance and best practices

  • Regulatory adherence: Ensure the assessment aligns with relevant regulatory requirements and industry standards
  • Best practice integration: Incorporate best practices from leading security frameworks and guidelines

Throughout this article, we have aimed to highlight the importance of detailed risk assessments.

When evaluating strategic risk and its impact on the enterprise, there are no shortcuts.

Inadequate baseline information results in poor decisions, whereas exceptional information empowers organizations to conduct thorough security risk, threat and vulnerability assessments.

This, in turn, provides accurate and actionable insights, ultimately enhancing their ability to mitigate security and strategic risks.

About the author

Jeffrey A Slotnick, CPP, PSP is President of Setracon ESRMS. Jeffrey is a trusted advisor, leader, risk consultant and security management professional.

This article was originally published in the April edition of Security Journal Americas.