For any business or enterprise, managing risk needs to start from the beginning, or at least at a point when risk realisation has not become too prevalent. After all, a key objective of any business must be to create a secure and safe environment for people to work in, and for the business to operate profitably.
Too often, a business’s primary focus is directed towards financial growth and sustainability in demanding markets. This is, of course, understandable and even laudable, but can mean that many businesses do not properly consider where the actual threats to their survival may lie.
Our goal as risk professionals, in whatever discipline or function we may serve, is to prepare our employees or clients to an extent where a harmful event will not lead to a crisis. We should seek to create facilities that protect our employers’ assets and we implement processes and practices to respond purposefully, appropriately and effectively to an emergency. Should an emergency result in a critical loss, plans should be developed and put in place in such a way that will enable business continuation.
While the controls to manage risk can become convoluted, implementing the basics will go far in achieving resilience to those events that may cause harm and have the potential to lead to a crisis.
A realistic view of risk
While large organisations often have the capability to invest in a risk management function – in whatever form that may be known and to whatever purpose it may serve – small to medium-sized businesses are often found lacking in this respect. In a complex market, with ever-evolving risks and security priorities, medium-sized and even smaller businesses now need to consider threats and risks that may once have been seen as the purview for larger businesses and brands.
Reputational harm, data and cyber security attacks and malicious actors are able to affect businesses of all sizes if the organisations have not properly analysed weak points and prepared for these threats. The most serious risk to all businesses remains – assuring their survival. We have several recent case studies in the press of the damage being done to businesses and brands due to lack of preparedness for a harmful event, or series of harmful events.
History is rife with examples where such events eventually lead to crisis and for some, the end conclusion is closure. In the last few months alone we have seen a number of high profile brands dealing with the consequences of malicious attacks, poor security or inadequate preparation for 21st-century threats. The consequences can be fines, legal and reputational damage and in extreme cases, business continuity itself.
Designing for risk
A business cannot operate efficiently and effectively if its facilities and operations are not designed to protect its assets, both tangible and intangible. Designing a secure environment is the first step in creating resilience to a harmful event and this is achieved by understanding the threats, assessing the vulnerability of the existing controls in place, and evaluating the likelihood of the threat occurring and its potential to cause harm. Risk assessments are strategic tools to analyse current risk levels and can inform subsequent design solutions to mitigate and minimise the challenges as they are identified. Ideally, this process should also identify those critical functions that cannot suffer harm and must be protected foremost.
Undertaking an independent and comprehensive risk assessment should critically evaluate the controls in place at a business’s facilities. A quality assessment should provide a good understanding of the level of risk present and, undertaken holistically with other areas of risk consideration, will guide where risk focus is best achieved while giving a good understanding of the present vulnerabilities. Events that have the potential to cause harm need to be recognised as early as possible to enable a considered and appropriate response.
Preparing for risk as inevitable
A risk that has been identified but has not been countered with a prepared response or solution has not been mitigated. Once again, comprehensive risk assessments can advise businesses where statistical threats are more likely to penetrate or can suggest areas for immediate investment or attention. The implementation of emergency and business continuity plans and response procedures is crucial to ensure that the right level of attention is enabled when and where it is needed.
However, between malicious actors, human error and ever-changing threats, the business that does not consider and prepare for a ‘worst-case scenario’ is doing itself a disservice.
Unfortunately, a documented process does not suffice to enable an appropriate response to an emergency alone. The emergency and business continuity planning process should also include training exercises where those with responsibilities in the response activities are continually educated, exercised and tested. Furthermore, provisions and processes should be put in place that all staff are aware of, and know what to do, in an emergency. The importance of situational awareness cannot be understated, and this can be achieved through incident alerts and notifications, the monitoring of known or specific threats, and horizon scanning above others.
What is true across the industry is that our approach to risk must continue to become more complex because the threats we face are themselves more complicated than they have ever been. Businesses that are not factoring risk assessments and continuity planning into their security strategy are leaving themselves exposed to more subtle but sinister threats which may pose a greater threat to the sustainability of their brand in the long run. Crises may not be 100% avoidable, but in planning for risk correctly, we can help ensure that they are not business-fatal.
A version of this piece appeared in City Security Magazine.