Risky Business: Building a New Model for Calculating Risk
In a fast-changing world where security and risk management professionals are constantly looking for more effective ways to help business leaders assess and evaluate organizational risk and protect against new and emerging threats, information is currency.
But context is the critically important piece of the security puzzle.
To perform an accurate and holistic risk assessment, it is imperative to understand not only the threats facing an organization, but also the probability of those threats occurring, and the degree to which they could impact business objectives. Natural disasters, cyberattacks and economic downturns are all threats that could affect a business, but the potential impact of those threats depends, to a large extent, on the location of the business in question and the nature of its operations. For example, a hurricane making landfall at the mouth of the Mississippi will clearly impact business operations for an organization in New Orleans to a much greater degree than for an organization in Nashville.
While this straightforward example is fairly intuitive, accurately evaluating organizational risk becomes dramatically more complex and significantly more challenging when the full spectrum of threats is applied, and when the contextual complexity of a vast number of region-, industry- and company-specific factors is added to the mix.
At the same time that risk calculations are becoming more complex, the need to accurately perform those calculations is becoming more urgent than ever. The growing importance of information security, combined with an increase in global instability and an uptick in the kind of one-in-fifty-year events that keep CEOs and security professionals up at night has created a climate of uncertainty. Traditional parameters are changing. Long-held assumptions are being challenged. Whether it is a natural disaster or a precipitous stock market plunge, businesses are understandably worried about their ability to withstand those formerly rare but increasingly prevalent events that can shift the bedrock of an industry or a company in an instant.
What is needed is an entirely new way to think about and calculate risk, and experienced security professionals are responding to that mandate. Forward-thinking security and risk management professionals are beginning to view risk with a new appreciation for context and consequence. That approach is encapsulated in the risk formula that Pinkerton has developed – a formula that is far better suited for these new realities. Understanding the logic behind this innovative approach to enterprise security risk management will not only help decision-makers better understand what risk is and how to measure it, but also appreciate how those measurements can be applied to help them focus their risk management efforts going forward.
The traditional formula for calculating risk is:
Threat x Vulnerability x Consequence = Risk.
Pinkerton’s risk formula, that embodies the emerging way to view risk, is:
Threat x Probability x Business Impact = Risk.
While the differences between the two might seem modest on the surface, they represent a profound and important shift.
One change hinges on how we should define the very notion of “risk” itself (a term that is all too often used interchangeably, and incorrectly, with words like “threat”). Traditional security approaches have generally done a good job of identifying threats. In this new way of thinking about and calculating risk, however, risk is defined as that which prevents an organization from achieving its objectives. That is specifically what we are trying to help organizations mitigate. Zeroing in from Consequence to Business Impact is the first step in crafting a new formula that is all about evaluating threats through the prism of business impact, and aligning risk assessments (and any subsequent remedies) with business goals and objectives.
Changing Vulnerability to Probability is arguably an even more significant shift. In this new way of thinking, Vulnerability should not and does not exist outside of Threat: threats should incorporate any vulnerabilities that exist. The introduction of probability into the equation is a fairly new and innovative piece of advanced risk assessment. The result is a formula that is a probabilistic expression based on quantitative analysis.
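To make the difference between the two formulas concrete, the following is an added worked example (not Pinkerton's code, data or scales): a small, constructed risk register scored under both formulas. The 1 to 5 ordinal scales, the annual probabilities and the five register entries are assumptions chosen for illustration, not figures from the Risk Index. Under the traditional formula, vulnerability is a separate multiplier; under the probabilistic formula it is assumed to be folded into the threat rating, and likelihood enters as an explicit probability.

```python
"""Compare Threat x Vulnerability x Consequence with Threat x Probability x Business Impact.

Added example only. Scales and register values are constructed assumptions:
  threat, vulnerability, consequence, business_impact: ordinal 1 (lowest) to 5 (highest)
  probability: assumed annual likelihood of the event affecting the site, 0.0 to 1.0
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class RiskItem:
    name: str
    threat: int           # inherent threat severity (vulnerability folded in for the new formula)
    vulnerability: int    # separate exposure factor, used only by the traditional formula
    consequence: int      # worst-case consequence, used only by the traditional formula
    probability: float    # likelihood of the event in the assessment period
    business_impact: int  # effect on business objectives if the event occurs


def traditional_risk(item: RiskItem) -> float:
    """Threat x Vulnerability x Consequence."""
    return item.threat * item.vulnerability * item.consequence


def probabilistic_risk(item: RiskItem) -> float:
    """Threat x Probability x Business Impact."""
    return item.threat * item.probability * item.business_impact


def rank(items: List[RiskItem], scorer: Callable[[RiskItem], float]) -> List[str]:
    """Names ordered from highest to lowest score under the given formula."""
    return [i.name for i in sorted(items, key=scorer, reverse=True)]


def rank_shifts(items: List[RiskItem]) -> Dict[str, Tuple[int, int]]:
    """Per item: (1-based rank under traditional formula, rank under probabilistic formula)."""
    trad = rank(items, traditional_risk)
    prob = rank(items, probabilistic_risk)
    return {i.name: (trad.index(i.name) + 1, prob.index(i.name) + 1) for i in items}


# Constructed register for a hypothetical company with sites in New Orleans and Nashville.
REGISTER = [
    RiskItem("Hurricane, New Orleans site", threat=5, vulnerability=4, consequence=5, probability=0.30, business_impact=5),
    RiskItem("Hurricane, Nashville site",   threat=5, vulnerability=2, consequence=3, probability=0.02, business_impact=2),
    RiskItem("Ransomware",                  threat=4, vulnerability=3, consequence=4, probability=0.25, business_impact=4),
    RiskItem("Terrorism",                   threat=5, vulnerability=3, consequence=5, probability=0.01, business_impact=5),
    RiskItem("Employee negligence",         threat=3, vulnerability=4, consequence=3, probability=0.60, business_impact=3),
]


if __name__ == "__main__":
    for formula in (traditional_risk, probabilistic_risk):
        print(formula.__doc__)
        for item in sorted(REGISTER, key=formula, reverse=True):
            print(f"  {item.name:30s} {formula(item):6.2f}")
    print("rank shifts (traditional -> probabilistic):", rank_shifts(REGISTER))
```

On this register the two formulas agree on the top item, but they reorder the middle: a severe, rarely occurring threat (terrorism) drops from second to fourth once its low probability is applied, while a moderate but frequent one (employee negligence) rises from fourth to second. That reordering is the practical consequence of replacing a vulnerability factor with a probability: resources are prioritised by expected effect on objectives rather than by worst-case severity alone.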
But that analysis requires hard data, which is perhaps one of the reasons why probability has not previously been included in traditional risk formulae: the data required to quantify it was vast and variable, and reliable probability metrics were consequently extremely difficult to derive.
That data is now available in the Pinkerton Risk Index, a sophisticated and comprehensive risk assessment tool designed to distill different dimensions of risk into a single in-depth analysis. The Risk Index is the first truly global risk analysis tool: a matrix of threats and potential consequences that is correlated to individual markets, real-world risks and current events.
The Risk Index integrates a wide range of different variables, including specific risk factors, the likelihood of an event occurring, and a comprehensive impact analysis, to provide a detailed picture of business risk (for any business, in any industry, in any part of the world). Country-specific and regional considerations range from complex geopolitical calculations to the state of the legal landscape in different nations. Statistically significant correlations connect inherent risks to specific business indices, creating an overall threat analysis tailored for businesses. The Risk Index incorporates threats like natural disasters, infectious disease, population health, violent crime, property crime, terrorism, business operations, supply chain and employee negligence. It also covers technology, information, market and economic risks, including risk factors like economic structure, human capital, social and institutional structures, societal upheaval, and information and technology. A sophisticated spatial analysis of those risks and more results in an overall risk profile that is available at the country level internationally and at the county level in the United States.
All told, the Risk Index integrates 60 different threat vectors divided into five groupings, and, ultimately, four distinct threat categories:
- Hazard & Event Risk
- Operational & Physical Risk
- Technology & Informational Risk
- Market & Economic Risk
Those 60 vectors are based on hundreds of public and private data sources, including decades of insurance data and information from the United Nations, the World Health Organization and other international organizations.
Probability and Utility
The power of tools like the Risk Index comes from impartiality: the ability to provide an agnostic expression of inherent threat irrespective of vulnerability – which allows security and risk management professionals to assess the probability of those threats impacting business operations. Working with a much larger quantitative data set also yields more comprehensive conclusions. Facts and figures from the last year or two are not enough: a longer-term approach that blends historical trends and new and emerging threats is required.
Critically, this information also makes the new risk formula a very useful tool: something that provides clarity, not simplicity, and generates actionable intelligence with specific strategic and practical applications. Applying this formula to a client’s real-world circumstances allows security professionals to design a customized enterprise security risk management program that accounts for that client’s risk tolerance, operational model and business objectives, as well as the constellation of threats facing their business. It is important to remember also that this kind of detailed risk assessment is truly holistic. It inherently encompasses potential positive impacts as well as negative outcomes, and opportunities as well as potential challenges.
For instance, if we reconsider the hurricane example, the negative outcomes of such a natural disaster are the ones usually observed, and they are top of mind for risk management professionals responsible for business resiliency or supply chain management. Yet the same hurricane that disrupts business continuity for some organizations can have a positive impact on sales growth and new construction development for others. This is the other side of the coin, and it illustrates how one event can impact different organizations in different ways. The same dynamic can even be observed within a single organization from department to department. It is a good example of why a balanced, holistic perspective is needed.
The good news is that the industry as a whole seems to be moving in this direction and embracing the ideas expressed in this new risk formula by taking a holistic approach to risk assessment and enterprise risk management. The speed with which new threats are emerging makes it extraordinarily challenging to fully understand the features of an evolving threat landscape. Recognizing threats and prioritizing protective resources requires a deep and nuanced appreciation for market- and industry-specific factors, and the corresponding ability to evaluate real-world risks in a real-world context. Fortunately, this new risk formula provides the perspective needed to do just that. And, while it may not completely rewrite the book on evaluating business risk, it certainly adds an important and compelling new chapter.