Organizational risk has become increasingly more complex, and external threats aren’t going away. In fact, they’re growing in severity and frequency. Ninety-nine percent of the 450 risk and security professionals surveyed recently by Forrester Consulting experienced a critical event in the last 18 months. The combination of ongoing pandemic complications, cyber threats, extreme weather conditions, active shooter events and now a broken global supply chain makes risk a board-level conversation.
Dynamic risk is one of the greatest barriers to organizational resilience, but it’s not insurmountable. To do a better job of managing it, we need to better understand its fundamental nature.
Differentiating Dynamic Risk
Traditionally, we understand risk to have a cause-and-effect relationship: Point-of-origin (environment) and consequences (harm). Since the world is defined by constant change, we’ve long accepted that our operating environment will always be dynamic, regardless of industry.
Yet, we often don’t apply this concept to the consequences themselves. Instead, we erroneously assume that when a threat becomes a critical event, the resulting harm will follow a familiar pattern.In reality, the consequences of the risk are often as unpredictable as the risk itself. Here is where we come to the concept of “dynamic risk.” At its core, this is defined as a risk in which the ultimate resulting harm (i.e., consequence) is different from the initially expected harm.
Problematic Patterns of Approach
Dynamic risk presents a unique challenge because it requires the ability to constantly pivot. Not only do you need to plan for the potential of different coinciding threats, but you also have to broaden your view of where and how those threats might manifest. Think of a domino game where instead of one long winding row of tiles, you have an asterisk-shape with multiple lines of tiles falling at different rates. Inevitably, when you try to focus on one arm, you quickly lose control of another.
Similarly, managing interconnected critical events means dealing with consequences that overlap multiple areas of your operations. And yet, in many organizations, information about the impact of risk and risk management often remains scattered and siloed. Many security leaders are overconfident, misaligned and taking numerous missteps with technology. Only 30% of senior risk and security leaders say they’re “very confident” they can handle increasing risk complexity. Further, just 38% cite “becoming more proactive” as a goal for their future risk management endeavors.
Bottom line: Most organizations are not prepared to handle the increasing complexity of dynamic risk.
Making the Change
So how do leaders make the changes necessary to survive and thrive amid these dynamics? In 2022, it starts with finding a way to anticipate and adapt to both incremental shifts and sudden business disruptions. The fastest way to up-level the way you manage dynamic risk and build organizational resilience is to focus on the following two-step approach:
Step 1: Identify Misaligned Priorities and Teams
We know that many organizations still manage and respond to risk in silos. This occurs when departments fail to communicate and instead operate based on separate principles conceived without a big picture overview of organizational goals. While each department will naturally have its own targets and metrics, successful critical event management (CEM) depends on everyone understanding how their work supports overall corporate objectives.
To facilitate this, leaders must align cross-functional teams by delivering a unified vision of:
- A hierarchy of risk prioritization: Which risks should receive the most attention, under what circumstances and why?
- A clear plan for risk response: How should each department respond, how will those responses affect each other’s results; and what is their impact on the overall outcome?
Depending on the circumstances, any number of departments could take the lead in managing a given critical event. Make optimal designations by first identifying patterns of known threats and recurring risks. Use this actionable intelligence to create a strategy map in advance that delegates responsibilities and associated duties. This saves time and speeds up the process of mitigating damages when the event occurs. It also improves business continuity by enabling a faster return to fully operational status.
Step 2: Seek Out Technology to Help Make Risk Management More Effective
Effective risk management strategies require firms to respond to events by proactively triaging, mitigating and remediating risks across the entire organization. Yet only 17% of senior risk and security leaders have tapped their enterprise risk management team to manage CEM, and a mere one percent split responsibility for event management across multiple disciplines. This disconnect between understanding and action is a significant cause of failure when managing dynamic risk.
Security and risk leaders need to think about how they can embrace new technology to become more proactive. This means using technology to create a 360-degree view of potential and evolving risk to your people, places, assets – or even vendors or customers. The ability to view and track the entire threat landscape in real-time is an enormous advantage when developing risk response procedures and analyzing threats.
The next piece is thorough risk analysis:
● What types of risks is your organization most vulnerable to?
● How does that risk data correlate to your assets or people?
● Where are the major areas where you can and should take immediate measures to limit your exposure?
● Which of your unavoidable risks are dynamic and should therefore have multiple contingency plans that address multiple types of consequences?
Today’s technology provides numerous options to view, analyze and mitigate the full spectrum of dynamic risks as they unfold. When done well, it works in conjunction with human-driven intelligence to help you achieve organizational resilience.
The Way Forward: Turning intent into action
To leverage proactive risk management, intent and action need to marry. But this is often not the case: 44% of leaders lack risk intelligence solutions, more than half lack security analytics, and 63% don’t have governance, risk management or compliance management technologies in place. All the intent in the world is irrelevant if you lack the ability to quickly identify and plan for critical events. The right technology brings intent and action together to achieve real-world proactivity.
To get the most out of a technology solution, your selection and configuration should prioritize the following:
● Speed: When a threat becomes a critical event, the faster you know about it, the more opportunity you have to course-correct. Look for solutions that utilize artificial intelligence (AI) and machine learning (ML) to sift through data and verify and detect true, evolving risks in real-time.
● Relevance: Fast detection isn’t enough though; you need powerful filters so the information you receive is free of bias and noise. This means using AL and ML to scan and ingest news across platforms to detect events, then augment the data to categorize the events by time and place and rate the severity.
● Usability: An intuitive interface is key during the stress of a critical event. All users should be able to navigate the platform quickly and easily with minimal training and from any location when time is of the essence.
A unified solution that cuts through all of these obstacles also gives you quantifiable ROI. By thoroughly addressing dynamic risk, aligning with teams on priorities and approach, and leveraging Big Data to give you the insight you need, you can be well on your way to mitigating and minimizing the impact of a crisis, and achieving organizational resilience.
Prior to OnSolve, Matt served as Regional Security Director for the Americas at International SOS, where he led the security services business and advised key executives on risk management solutions. Prior to International SOS, Matt worked in Honduras as the Security Director for Tigo Honduras where he handled all matters relating to physical security; health, safety and environment; crisis management; and fraud investigation, and as General Manager for I Solution Security, where he advised on security matters for the Honduran President, Minister of Security, and Minister of National Emergency Commission. Previously, Matt had a distinguished 14-year career with the Central Intelligence Agency (CIA).