Threat Assessment: Knowing Your Risks
The ultimate goal of any security program is to manage and mitigate risks. What do we mean by risk? In its broadest sense, risk can be defined as the likelihood of loss of anything having value, including people, facilities, information, equipment, and reputation. In a sense specific to security and loss prevention, risk is the probability that a particular threat will exploit a given vulnerability, leading to an unwanted result.
Knowing your risks is the obvious first step. But what is the best approach? And where do you go from there? Here are some key considerations:
First and foremost, identifying the threats to your business is essential. It is likely that your institution already has experience with a number of risk factors, but it is important to understand the rate at which new threats arise. It is crucial, therefore, to monitor emergent threats targeting your industry. This can often be accomplished by reading trade publications, engaging in discussions at industry conferences and loss prevention forums, and obtaining case studies. Also, a number of sources provide crime metrics, some of which are industry specific, and these can be very beneficial in identifying threats.
Categorizing Threats: Internal v. External
Knowing the source of the threats you face is a necessary step in determining what risk mitigation measures to have in place. Although it is easy to assume that threats come from criminal elements outside the organization, the threat on the inside can often be much more devastating. Loss from occupational fraud can run undetected for years, and according to the Association of Certified Fraud Examiners (ACFE), just 14% of defrauded organizations are able to fully recover their losses.
Evaluating the Risk: Likelihood and Outcome
When assessing the impact from any single threat, two factors are generally considered: likelihood, or how probable it is that a risk event will occur; and outcome, or what the overall ramifications would be if that risk event occurred. All threats should be evaluated in this manner on a case-by-case basis. In an operating environment with limited resources for risk mitigation, this evaluation can help determine priorities.
Risk Mitigation Measures
Once the threats have been determined and evaluated, preparation through risk mitigation is key. By having the proper security and defenses in place, suitable to the specific threats you face, you may actually win the fight before a risk incident ever occurs. Having proper security measures in place, such as physical security/hardening, CCTV, access controls, training, alarm systems/hold-up devices, as well as effective processes and procedures, will make your organization a hard target and can help to drive away those determined threats.
Proper risk management should serve to turn the tables on the threats, forcing them to conduct their own form of risk assessment on you. When the sometimes unpreventable or inevitable crime does occur, prevention elements and safeguards already in place will serve to mitigate the risk, lessening the potential damage from the crime and expediting the recovery process.
Audit and Testing
Risk mitigation is a continual process, and must be adaptable to continued threats. This includes auditing the measures and processes put in place for suitability and employee compliance. Scenario-based testing can also help assess effectiveness, or perhaps even identify better ways to do things.
Even when the proper safeguards are in place, the threat assessment process is far from over. Threats must continue to be evaluated, and this is often accomplished through some form of threat monitoring, with the goal being to observe how the threats may be evolving and to assess whether changes to likelihood and outcome should be considered.
As the business terrain continues to evolve, increased business risks and changing profiles create the need for organizations to continuously improve their ability to identify threats and act accordingly. If your business is ready to take a closer look at the threats you face, we invite you to learn more about our threat assessment program and contact a risk management expert to discuss your situation.