Learning to speak risk
Risks, threats, hazards, vulnerability... what do these terms mean and why should you even care? Establishing a shared understanding of risk-related terminology is a critical first step in developing your risk and security architecture, because risk, like every discipline, has its own language. While we all possess an innate ability to assess and manage risk, most of us have never received any formal training on the subject, so being able to "speak risk" is an important first step toward developing the competence needed to manage it effectively.
The obvious place to start is with the word "risk", so what is a risk? The international standard for risk management (ISO 31000) broadly defines risk as the effect of uncertainty on our lives and objectives. The word "effect" in this context simply refers to any deviation from our expected outcome, and this deviation can be either positive or negative depending on the circumstances. So, what does this mean in practical terms?
Imagine you are taking a trip by road: you have planned the route from A to B and calculated how long the trip is likely to take. There are a host of variables that might affect your trip, including weather, technical problems, traffic, road works or even an accident. These variables are just a few of the events or "risks" that might impact your trip, and depending on how the journey unfolds you may (a) arrive at your destination on time, (b) arrive early or (c) arrive late, with scenarios (b) and (c) illustrating how risk can have both positive and negative consequences depending on the circumstances.
Therefore, when we consider risk, whether for a simple trip or a complex project, we are primarily considering the potential events that may arise during an activity, their consequences and the likelihood that those consequences will occur. As you will quickly learn, risk is a broad term that can be broken into a variety of sub-categories, including political risk, strategic risk, financial risk and operational risk, to name just a few. For the purposes of this post we are going to focus primarily on two specific categories of risk: threats and hazards.
So what is a threat?
A threat is a category of risk that usually involves a malicious and dedicated intent to harm and is directed at a specific target. In order to develop an understanding of the threats in our specific operating environment we can apply a range of filters, starting with the source of the threat, which aims to identify the specific threat actor and their motive or mission. For example, Al-Qaeda ("the Base") is a militant Islamist organization founded by Osama bin Laden in the late 1980s. They are a terrorist organization whose stated mission is to overthrow the corrupt "apostate" regimes in the Middle East and replace them with "true" Islamic governments. Al-Qaeda's primary enemy is the United States, which it sees as the root cause of the Middle East's problems. In addition to terrorism, other common threat sources include criminal and factional threats.
Another important element to consider is the threat mechanism, or method of attack. In order to implement measures to counter or reduce your exposure to a specific threat you need to develop a detailed understanding of the threat actor's modus operandi, i.e. the tactics, techniques and procedures they employ to achieve their stated objectives. Finally, threats commonly fall into two broad categories. The first is a Direct Threat, which normally refers to the individual, organization or specific nationality that has been clearly identified as the intended target(s) of these malicious acts. The second category is an Indirect Threat, which can best be described as being in the wrong place at the wrong time and becoming collateral damage or the unintended victim/target of a malicious act.
When assessing the credibility or seriousness of a threat we generally evaluate three key elements: Opportunity + Capability + Intent. The first (Opportunity) refers to the threat actor's access to the target(s), i.e. do they have access or the opportunity to carry out the threat? A soft target might be easily accessible, providing ample opportunity, while a "hard" target may provide little or no opportunity. The second element (Capability) refers to key attributes of the threat actor, i.e. do they have the necessary knowledge, expertise and resources required to carry out the threat? If the threat actor is highly skilled, comprehensively trained and well-resourced in terms of funding or access to weapons or explosives, then they would be deemed to possess the requisite capabilities.
The third and final element (Intent) refers to the threat actor's motivation, i.e. do they have the desire or confidence to carry out the threat? Desire refers to their motive, be it financial or ideological, while confidence is closely linked to Capability and Opportunity: if the threat actor believes they have the necessary skills and expertise and the target is accessible, then they will likely have a high level of confidence in their ability to carry out the threat. When all three elements are present a threat is deemed to be credible.
What is a hazard?
Hazards differ from threats in that they are indiscriminate sources of risk that are inherent to our operating environment. Typical hazards might include vector-borne diseases like malaria or dengue fever, natural disasters including floods, fires or earthquakes, or even motor vehicle accidents in countries which have poor roads and no enforcement of traffic regulations. The key difference with a hazard is the indiscriminate nature of these events.
How does vulnerability impact our exposure to threats and hazards?
Vulnerability refers to a factor or variable that increases the likelihood or consequences of a threat or hazard. Common variables affecting vulnerability include attractiveness, accessibility of the target, exposure (size/duration) and various personal risk factors. Personal risk factors in this context refer to individual factors including your age, health, gender, knowledge and special skills, and the impact these factors can have on your individual risk profile. A common mistake that many organizations make is an over-reliance on generic country risk ratings that fail to account for personal risk factors, or what I'll refer to here as the totality of circumstances. Totality of circumstances is a legal term which simply refers to a method of analysis where decisions are based on all available analysis rather than relying on a single rule of thumb.
While country risk ratings are a useful indicator for identifying those countries that require additional safeguards, personal risk factors like those outlined above can have a significant impact on each individual's personal risk profile. In other words, all travelers are not equal. For example, Mexico City is considered by many to be a high-risk environment for business travel; however, if the traveler is Hispanic, speaks Spanish and has firsthand knowledge of the operating environment they are traveling to, these factors will significantly lower their level of risk. The opposite scenario is also true: if the traveler is a white US citizen who only speaks English and has no previous knowledge of the operating environment, then the risk to this individual will be significantly higher.
Hopefully this blog post has equipped you with a better understanding of the differences between threats and hazards and demonstrated how vulnerability can have a direct influence on both. Developing a good understanding of the terminology is a foundation for effective risk management: if we don't have a common understanding of the problem, then what hope do we have of crafting an effective solution?
Stay safe.