Organizational risk has become increasingly complex, and external threats are not going away. In fact, they are increasing in severity and frequency. Ninety-nine percent of the 450 risk and security professionals recently surveyed by Forrester Consulting has experienced a critical event in the last 18 months. The combination of ongoing pandemic complications, cyber threats, extreme weather conditions, active shooter events and now a disrupted global supply chain makes risk a board-level conversation.
Dynamic risks are one of the biggest obstacles to organizational resilience, but they are not insurmountable. In order to better deal with it, we need to better understand its basic nature.
Differentiation of dynamic risks
Traditionally, we understand risk as a cause-and-effect relationship: source (environment) and consequences (damage). As the world is constantly changing, we have long accepted that our operating environment will always be dynamic, regardless of the industry.
However, we often don’t apply this concept to the episodes themselves. Instead, we incorrectly assume that when a threat becomes a critical event, the resulting damage follows a known pattern.
In reality, the consequences of risk are often as unpredictable as the risk itself. This is where we come to the notion of ‘dynamic risk’. At its core, this is defined as a risk where the ultimate harm (i.e., consequence) is different from the harm originally expected.
Dynamic Risk presents a unique challenge as it requires the ability to constantly spin. Not only do you need to anticipate the potential of different co-occurring threats, you also need to broaden your view of where and how those threats might manifest. Imagine a domino game where instead of one long winding row of tiles, you have a star shape with multiple rows of tiles falling at different speeds. If you try to focus on one arm, you will inevitably quickly lose control of another.
Similarly, managing interconnected critical events means addressing consequences that impact multiple areas of your operations. And yet, in many organizations, information about the impact of risk and risk management often remains scattered and isolated. Many security leaders are overconfident, misaligned, and commit numerous technical missteps. Just 30% of senior risk and security leaders say they are “very confident” in managing the increasing complexity of risk. Go on 38% cite “becoming more proactive” as a goal for their future risk management efforts.
Bottom Line: Most organizations are unprepared to deal with the increasing complexity of dynamic risk.
Make the change
So how are leaders making the changes necessary to survive and thrive amid this dynamic? In 2022, it begins with finding a way to anticipate and adapt to both incremental changes and sudden business disruptions. The quickest way to improve your dynamic risk management and build organizational resilience is to focus on the following two-step approach:
Step 1: Identify misaligned priorities and teams
We know that many organizations still manage and respond to risk in silos. This occurs when departments don’t communicate and instead work based on separate principles designed without an overall view of business goals. While each department naturally has its own set of goals and metrics, successful Critical Event Management (CEM) depends on everyone understanding how their work supports overall organizational goals.
To facilitate this, leaders must align cross-functional teams by providing a unified vision of:
- A hierarchy of risk prioritization: which risks should be given the most attention, under which circumstances and why?
- A clear plan for responding to risks: How should each department respond, how will those responses affect each other’s results? and what influence do they have on the overall result?
Depending on the circumstances, any number of departments could take the lead in handling a specific critical event. Make optimal designations by first identifying patterns of known threats and recurring risks. Use this actionable intelligence to create a strategy map up front that delegates responsibilities and associated duties. This saves time and speeds up claims settlement in the event of an incident. It also improves business continuity by enabling faster return to fully operational status.
Step 2: Look for technologies to make risk management more effective
Effective risk management strategies require organizations to respond to events by proactively identifying, mitigating, and resolving risks across the organization. But only 17% of senior risk and security leaders have tasked their enterprise risk management team with managing CEM, and only 1 percent shared incident management responsibility across multiple disciplines. This discrepancy between understanding and acting is a major cause of failure when dealing with dynamic risks.
Security and risk leaders need to think about how they can leverage new technologies to become more proactive. That means using technology to create a 360-degree view of potential and evolving risks to your people, locations, assets — or even suppliers or customers. The ability to view and track the entire threat landscape in real-time is a tremendous advantage when developing risk response techniques and analyzing threats.
The next part is a thorough risk analysis:
● What types of risk is your organization most vulnerable to?
● How does this risk data correlate to your assets or employees?
● Where are the key areas where you can and should take immediate action to limit your exposure?
● Which of your unavoidable risks are dynamic and should therefore have multiple contingency plans that address multiple types of outcomes?
Today’s technology offers numerous options to view, analyze and mitigate the full spectrum of dynamic risks as they unfold. When done well, it works in conjunction with human intelligence to help you achieve organizational resilience.
The Way Forward: Turning Intent into Action
In order to use proactive risk management, intention and action must be aligned. But this is often not the case: 44% of executives have no risk intelligence solutions, more than half have no security analytics, and 63% have no governance, risk management, or compliance management technologies. All the intentions of the world are irrelevant if you are unable to quickly identify and plan for critical events. The right technology brings intention and action together to achieve true proactivity.
To get the most out of a technology solution, your selection and configuration should prioritize:
● Speed: When a threat becomes a critical event, the faster you learn about it, the more opportunity you have to correct your course. Look for solutions that use artificial intelligence (AI) and machine learning (ML) to sift through data and review and identify real, evolving risks in real time.
● Relevance: However, quick recognition is not enough; You need powerful filters so that the information you get is free from distortion and noise. This means that AL and ML are used to scan and ingest messages across platforms to detect events, and then enrich the data to categorize the events by time and location and assess severity.
● Ease of use: An intuitive user interface is the key to the stress of a critical event. All users should be able to navigate the platform quickly and easily with minimal training and from any location when time is of the essence.
A unified solution that overcomes all of these obstacles also gives you a quantifiable ROI. By delving deeply into dynamic risk, aligning with teams on priorities and courses of action, and leveraging big data to give you the insights you need, you’ll be well on your way to mitigating and minimizing the impact of a crisis and increasing the resilience of the workforce to reach organization.
Prior to OnSolve, Matt served as Regional Security Director for the Americas at International SOS, where he led the security services business and advised key executives on risk management solutions. Prior to International SOS, Matt worked in Honduras as Security Director for Tigo Honduras, overseeing all physical security related matters. health, safety and environment; crisis management; and fraud investigations and as General Manager for I Solution Security, where he advised the Honduran President, Minister of Security and Minister of the National Emergency Commission on security matters. Previously, Matt had a distinguished 14-year career at the Central Intelligence Agency (CIA).