Understanding and Responding to Risk
By TorchStone VP, Scott Stewart
Risk is a constant element of life. Every action we take—or don’t—carries with it some degree of inherent risk. If I decide to leave my home, there is a risk that I could trip on a curb and break my leg or be struck and killed by a delivery truck while crossing the street.
Conversely, deciding not to leave my home also comes with a risk. According to the Safety Council, in 2018 there were 89,300 preventable injury-related home deaths in the United States.
Obviously, some actions invite more risk than others. There is a higher degree of inherent risk involved in riding a bull at the rodeo than there is riding a stationary bike at the gym, and the truth remains that to live is to risk.
It is impossible, and one should not try, to avoid every potential risk. Even if one were to somehow build a hermetically sealed bubble to protect against external risks, that itself would bring with it a different set of risks.
If nothing else, the past year of COVID-19 lockdowns has plainly illustrated the mental and physical risks that come with isolation.
These same principles also apply to organizations. Everything an organization does or does not do brings a risk. If your organization is a business, making an investment in country X may bring with it risks associated with criminal activity, corruption, and tariffs, or sanctions.
However, not investing in country X brings the risk of missing out on an opportunity to make a significant profit. All this raises the question, what is the proper way to evaluate and respond to risk?
Charting a Safe Course
As I hope I’ve already convinced you, it is impossible to avoid all risk. Some organizations, however, attempt to implement maximum risk avoidance policies.
For example, they may refuse to allow employees to travel to any places ranked as “do not travel” on the U.S. Department of State’s travel advisory list.
While organizations can succeed while following such risk-averse policies, doing so may place them at a significant disadvantage compared to their less risk-averse competitors. Some organizations simply can’t strictly follow State Department travel guidance due to the requirements of their business or mission.
For example, the U.S. Department of State advises against any travel to the Mexican States of Colima, Guerrero, Michoacán, Sinaloa, and Tamaulipas, but many organizations operating in Mexico simply cannot afford to follow this advice and remain in business.
At the other end of the spectrum are the organizations that ignore risk and take a reckless approach in the quest to fulfill the organization’s mission.
In my opinion, this approach is even more dangerous than risk avoidance, because it can place businesses on the precipice of catastrophic personnel or financial loss. The losses these reckless organizations suffer are often compounded by litigation over the failure to exercise proper duty of care for personnel, fiduciary responsibility for assets, or even for violating laws such as the Foreign Corrupt Practices Act.
Clearly, strict risk aversion isn’t the best approach to dealing with risk. Ignoring risk is also not the answer. A balanced approach that recognizes the risks inherent in a business operation and takes prudent steps to mitigate those risks is the optimum solution.
I often refer to this as “yes, but” security. Yes, we can open operations in that place, but in order to do so, we need to put some measures in place to mitigate the risk.
Going back to our Mexico example, if a business needs to ship product from Monterrey, Nuevo Leon, to Texas, the most efficient route is to take federal route 85D from Monterrey to Nuevo Laredo, and then connect into Interstate 35 in Laredo, TX.
However, to do so, your product will have to pass through the Frontera Chica section of Tamaulipas State, a region that the U.S. Department of State advises against travel to. In this instance, rather than refusing to have product and employees pass through Tamaulipas, some risk mitigation measures may be employed to ensure the cargo and drivers can do so safely.
Such measures could include using cargo tracking devices in each load of product, ensuring the drivers are given security and incident response training, asking the drivers not to use rest stops, and mandating your product is only transported during daylight hours.
What is Our Risk Policy?
Before an organization can employ effective risk mitigation measures, senior leadership must first develop an overarching and unified risk policy.
And I stress senior leadership here because unless an organization’s risk policy or enterprise risk management program has C-suite support, it will not be able to generate the type of cross-functional and cross-organizational support that is required to succeed.
However, when senior leadership embraces the concept and clearly delineates a risk policy, it will provide every stakeholder with a single point of reference to gauge and manage the potential risks associated with a particular action or plan.
This risk policy must establish a clear understanding of the organization’s mission, and then clearly outline the degree of risk the organization is willing to tolerate to achieve that mission. General guidance for different types of potential risks is also helpful.
I have noticed over the years that there are often serious disconnects within organizations when it comes to understanding and reacting to risks.
In some cases, individual teams or departments may all have their own way of assessing threats, and sometimes even have varying degrees of risk tolerance.
For example, a business development team that is tasked with generating new streams of revenue may be more aggressive in its assessment of a potential opportunity in a foreign country than the corporate security team, whose job it is to keep people and facilities safe and to protect against product theft.
A company-wide risk policy that clearly delineates how risks are weighed and how much risk the organization is willing to bear, prevents such disconnects and can greatly reduce the unnecessary friction that can arise between departments or branches with conflicting risk tolerance.
In terms of overall risk, some organizations and companies are, by their very nature, more willing to accept a higher level of risk than others.
A nongovernmental organization that provides aid to refugees in war zones will naturally have to account for more risk than a retail company with stores in upscale shopping malls in the U.S. But no matter the primary mission, everyone in an organization—whether they’re in the headquarters C-suite or working out in the field—must understand how their organization views risk and what degree of risk their organization is willing to brave to achieve its goals.
A risk policy provides that understanding.
Once an organization’s threshold for risk tolerance is established and codified, it is then possible for company personnel to begin educating themselves about the specific threats associated with locations where the organization currently operates or would like to operate.
Once the threats and the risks they present are understood, it is then possible to gauge them against the organization’s risk tolerance level.
A good place to start with this process is by conducting a baseline threat assessment on the organization and its various operations that examines all the potential threats.
Assessing risks and then measuring them against the threshold outlined in the organization’s risk policy can help guide business decisions on whether to expand, suspend or even discontinue operations.
Assessing threats and risks is also a critical component of effective contingency planning, as well as in establishing appropriate tripwires to trigger those plans.
Risk levels are never static and must be frequently updated. Closely tracking incidents that occur near an organization’s operations and interests can help raise awareness of emerging threats or threat actors.
In analyzing such incidents, one hopes to learn how and why they occurred as well as ways to prevent them.
By focusing on the tactics, techniques, and tradecraft used by a threat actor, it is possible to assess the risk a similar incident poses to your operations, as well as design and implement sound security policies, plans, and procedures to protect your organization’s operations and personnel from the risk posed by similar threats in the future.
A solid training program is a key component of an effective risk mitigation program.
Teaching employees to understand how threat actors operate and teaching them how to practice proper situational awareness helps employees spot threats as they are developing so that they can take proactive steps to avoid or mitigate their impact.
A properly trained workforce operating under a clearly defined risk policy can significantly augment an organization’s security posture and increase its durability in the face of threats and risk. It also provides a proper level of duty of care for employees in locations where business operations and human lives may be on the line.
A good security education helps employees navigate risks and threats, and can also equip them with the tools to be resilient in the face of them.
As we’ve seen repeatedly through the crises of the past two decades such as 9/11, the Asian Tsunami, SARS, and now COVID-19, resilience is the key to organizational success in challenging times and environments.
Whether it’s in the form of crime, terrorism, espionage, natural disasters, or political instability, threats and their accompanying risks are omnipresent.
Understanding, anticipating, and mitigating these risks, however, is the key to negate, or at least mitigate, the effect they can have on your organization.