In the early fall of 1998 when the U.S. Embassies in Nairobi, Kenya and Dar Es Salaam, Tanzania, were still smoking piles of rubble from twin attacks by Al Qaida terrorists, State Department Security experts were scrambled worldwide to assess the security profiles of U.S. missions abroad. One inspector was dispatched to Dublin, Ireland, where he found that the Embassy was a circular, solid glass building with a small waist-high stone wall around it. His report the next day began with these words: “The U.S. Embassy in Dublin was built in a more innocent era. We do not have that luxury, today.”
If history is any indication, the twin attacks by Al Qaida on our embassies in East Africa were only a small taste of what was to come. Now we live in a much more complex and dynamic world, and the demands on physical security and cybersecurity have increased dramatically. As the world is continually changing, the challenges faced by security leaders change as well. Risk is now at the forefront of discussion and risk analysis has become the basis for strategic security planning in many organizations. Insightful leaders are also finding that a myopic view of security at a facility-by-facility level can cloud the holistic understanding of how the system of facilities, technology and processes interconnect. The systemic risk has implications on the risk interpretation at an individual site, and vice versa. Single site or business unit risks are viewed through the prism of their role in the greater enterprise so the focus can be on the tree, but without losing sight of the forest.
At the same time, security leaders are often faced with the conflicting challenges in today’s business environment. The constant drive towards increased productivity paired with sharp budget cuts puts a huge strain on security leaders’ abilities to rapidly and reliably provide guidance when critical decisions are required. Fortunately, with creative application of technology, solid risk analysis principles, and attention to business operations requirements, complex situations become much more manageable.
Looking at Risk in Context
Risk analysis is a well-established and widely used tool in strategic planning and budget development. This is codified in global standards such as ISO 31000, ISO 27000 and others. Unfortunately, historical risk analysis methodologies (such as ASIS International’s) are extremely time and labor-intensive. As a result, an enterprise may only assess its facilities every three to five years. Imagine, if you will, a company with a risk assessment team of two people and 200 locations around the globe. It could take close to two years and a large travel budget for the team to cover all of the sites, and by then, the risk data for the first location surveyed would be “stale” and of questionable currency to support planning and decision-making. In-depth understanding of the risks facing the organization from strategic planning through crisis management is the next step to give these leaders an edge in successfully navigating dynamic challenges and situations. That edge is especially important in competitive business environments with constrained security resources and budgets.
When a situation unfolds, security leaders need assurance that the physical and technological countermeasures in place are able to mitigate the risk to their enterprise. Security leaders know better than anyone the potential impact of a situation on the safety and security of lives and critical assets. In the real world, where security threats, natural hazards and the need for life safety and timely response are critical, leaders can face unanticipated challenges when a crisis unfolds. Sound security planning and procedures can unravel due to the unexpected. The need is real-time reflection of risk.
Dynamic analysis of risk, with predictive indicators of threats, yield leading indicators of plausible situations and potential mitigation measures prior to an event or crisis. Lacking reliable analysis, leaders are forced to rely on gut instinct and outdated information when time-sensitive decisions are required. Unfortunately for them, research has demonstrated that when people rely on gut instinct for rapid risk evaluation, the decisions can be skewed due to lack of information, personal or professional bias, personal comfort level, or information overload.
So if you can’t trust your gut, what can you trust? Relatively simplistic software solutions, which claim to provide rapid risk evaluation and reporting, have been on the market for years. But these programs lack in-depth and widely applicable automated analysis. With the value of the analysis dependent upon the rigor and insight of the assessment team, weak input in yields weak analysis out. Forward-thinking security organizations are designing the next generation of risk analysis software. The solutions are data-rich platforms incorporating real-time and predictive analysis of risk. The result: the ability to orchestrate large and disparate data inputs into a harmonious picture of enterprise risk and with insights for long-range and real-time decision-making. Once the initial analysis is performed for a site or enterprise, the system can be used as a “what if” analysis tool for business planning, crisis/emergency response planning and tabletop exercises.
Data is Fundamental
Data surrounds us through the internet, corporate business systems, security systems, social media, and a host of others both public and private. Harnessing the power of this “big data” means security leaders are empowered to stay abreast or even ahead of developing situations, act decisively based on solid information, and reduce corporate losses. A predictive risk analysis program utilizes analytics to support rapid initial assessment, nearly instantaneous risk analysis results, and dynamic updates of the risk once a baseline has been established. This approach allows for local facility and enterprise-level risk insights, dynamic updates that convert what was historically a strategic planning tool into a real-time asset for use during crisis operations, and “what if” planning exercises.
It all starts with the data. Capturing current, complete and insightful data from public sources (radio, television, social media, financial markets, industry databases, government sources), blending it with data from corporate systems (electronic security systems, purchasing, logistics management, etc.) and feeding all that information into a powerful analytics engine gives leaders up-to-date risk information. It is no longer necessary to wait weeks for updates when the decisions need to be made immediately.
A data-driven approach has the additional benefit of allowing for rapid and efficient multi-site assessments. Facilities and operations of similar type are identified early in the process. The assessment team can use sample assessment data for each facility type as an initial baseline for similar facilities and environments. The assessment teams then focus on refining baseline data instead of starting from scratch for each facility under review. Thus, hundreds (or thousands) of sites can be assessed in a single year with minimal staff. So a company’s skeleton crew is able to establish and maintain updated risk profiles for numerous sites with confidence that the information they have is accurate and current.
Summary
As hard as it may be to believe in this day and age, there are still multi-billion dollar companies that make decisions about security and business risk based upon gut feel and experience. Simultaneously, economic conditions are creating tremendous pressure on companies to find better and more efficient ways to reduce costs. Nowhere is this truer than in the oil and gas industry, where margins are at historically low levels. But in 2015 we have reached a time in technological development where those slimmer margins actually represent an opportunity for CEOs and corporate leaders. Those who are able to harness the power of the “Internet of Things” into cutting-edge programs that assess and re-assess risk in a dynamic way will have a competitive edge. The days where a risk assessment is performed by a team of experts and put on a shelf to gather dust have passed. The next generation of risk assessment tools will be able to electronically “take the pulse” of the security and business risk environment and warn management in advance if something is not right, well before it reaches crisis level. Experienced security consultants who have worked in the area of threat and risk assessment for a decade or more recognize the power of harnessing big data to risk analysis and are bringing solutions that do just that in innovative and ground-breaking ways. Using experience in the industry as well as expertise in software development and process management, they are finding exciting ways to breathe new life into time-tested risk assessment principles. These solutions will provide valuable insights and information when, where and how it is needed, not just at the beginning, but throughout the entire life-cycle of the business process.
