Quantitative vs. Qualitative Assessment
For some types of business operations — especially retail store operations — quantitative risk analysis is quite feasible, because monetary values are easily assigned to the loss events, and business accounting and inventory records provide the information needed to quantify each type of loss over specific time periods. Where quantitative information is not available and cannot easily be developed, a qualitative approach can be used to categorize risks. The main advantage of a qualitative impact analysis is that it prioritizes the risks and identifies the areas where vulnerabilities should be addressed first.
The ASIS General Security Risk Assessment Guideline provides advice for performing each type of analysis in Appendix I and Appendix II of the guideline.
Ongoing Reassessment of Risks
Risk assessment is not just a periodic action. It should be part of the organization’s change management process, so that security can be kept synchronized with changes to business risk. Additionally, there are some threats whose impacts are significant and whose likelihood can change on a moment’s notice. For example, a new building construction project can suddenly have its construction site risk escalate if a news story identifies a prospective tenant — which happens to be a company targeted by activist groups. Similarly, a chain company can become a public target, thus increasing risk for customer businesses. Therefore, some risks warrant real-time risk monitoring, which is the specialty of Risk IQ.
Risk IQ goes beyond news monitoring to monitor social interaction sites and other types of information on the Web, providing the ability to identify and correlate active threats from individuals or groups in real-time — providing its subscribers with the ability to take preemptive action. See the “7 Must-Read Risk Scenarios” on the Risk IQ Web site (http://riskiq.net).
The Business Perspective
When categorizing loss for senior executives, it helps to define risk rating categories in business terms that executives can relate to. The example language referred to here is generic and high-level; it can often be tailored to the specific business functions involved.
It is important for management (as well as Security) to understand that the job of the corporate security function is to reduce security risks to acceptable levels at an acceptable cost, in a manner that is harmonious with the business. That is why the objective of a risk-based security program should not be to find and fix every security vulnerability or gap, but to lay out a comprehensive, systematic approach to risk mitigation and management, starting with the most critical risks. When both upper and middle management see that Security has its eye on the business and is looking out for the bottom line, they are usually eager to help identify their risk tolerance and cost tolerance considerations when Security presents the risk picture.