Assessing and mitigating risk
As we’ve looked ahead to the future in this column for the past 10 years, we’ve always tried to maintain a positive outlook. After all, we’re co-creating our own shared future state. So we do our utmost to achieve the best possible outcome.
At the same time, it’s important to keep in mind that things don’t always go as planned. There are bumps, even serious setbacks along the way. That’s why no matter where you are in your strategic planning cycle, you should always be keeping an eye on what risks you may encounter and how best to avoid, mitigate or, if necessary, respond to them.
A sound risk management strategy also includes an assessment of your most critical assets. Those usually consist of your people, infrastructure and customers. That means looking at risk from both the physical and human side of things. Not separately, but as an integrated whole. You can begin by focusing on three essential elements: physical safety, cyber-physical infrastructure and social amplification.
While not exactly widespread, recent events have exposed the physical vulnerability of many organizations, including the possibility of personal injury or loss of life, brought about by individuals and organizations bent on destruction.
If you work for a government agency or large enterprise, especially where physical security is a priority, your personal safety is better than it would be in many other situations. When destructive forces are planning their next move, they usually avoid heavily fortified structures and instead look for what are called “soft targets.”
But if your organization doesn’t have the budget for concrete and steel barriers, security guards, strong access/egress controls and the like, take heart. A little knowledge goes a long way.
For example, the Red Cross has been accumulating and making available a large, multilingual knowledge library on prevention and response to all types of disasters, including terrorism and civil unrest (redcross.org/prepare/disaster-safety-library). It includes mobile apps and a wide assortment of training modules for you and your fellow employees.
Browsing through the knowledgebase, you’ll see that physical safety doesn’t always involve human threats. Recent storms, earthquakes and even health hazards such as the Zika virus have shown that nature can be just as or even more dangerous.
KM’ers fully understand the value of human capital. We invest heavily in training, mentoring, career management and the like. But if you aren’t already doing so, you also need to start paying attention to the physical well-being and protection of your workforce.
In addition to physical security, most people are aware of the need to guard against cyberattack and systems failures in general. But many don’t realize just how tightly coupled cyber and physical systems have become, to the point where the boundaries between the two are nearly indistinguishable.
Think about how “tethered” you are to everything: the power grid, communications and transportation networks, fuel/charging stations, food and medical supplies, indoor environmental systems. A growing share of the daily activities that take place in your home, neighborhood, workplace and exercise room is tied to what’s now being called the cyber-physical infrastructure. And the growing number of interconnections and interdependencies is creating serious risks and vulnerabilities.
That means your “need to know what you know” has greatly expanded beyond human capital to knowing: 1) what “smart” components are part of your critical infrastructure, 2) how they are all interconnected, and 3) how much, if any, human control remains. That third part can be a real eye-opener, especially as the Internet of Things (IoT) continues its rapid expansion. As you build that extended knowledge asset inventory, pay particular attention to those critical interconnections that, if taken out, could shut down your entire operation.
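The inventory described above can be checked mechanically for the components and interconnections whose loss would split the operation. The following is an added example, not part of the original column: the component names, links and the choice to model dependencies as an undirected graph are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample inventory: component -> (is_smart, human_override_available)
INVENTORY = {
    "grid_feed": (False, True), "ups": (True, True),
    "core_switch": (True, False), "hvac_controller": (True, False),
    "badge_system": (True, True), "file_server": (True, True),
    "backup_link": (False, True),
}
# Constructed interconnections, treated as undirected dependencies
LINKS = [
    ("grid_feed", "ups"), ("ups", "core_switch"), ("core_switch", "hvac_controller"),
    ("core_switch", "badge_system"), ("core_switch", "file_server"),
    ("file_server", "backup_link"), ("backup_link", "badge_system"),
]

def critical_points(links):
    """Return (components, links) whose loss splits the network (Tarjan low-link DFS)."""
    graph = defaultdict(set)
    for a, b in links:
        graph[a].add(b)
        graph[b].add(a)
    order, low, cut_nodes, bridges = {}, {}, set(), set()
    def dfs(node, parent):
        order[node] = low[node] = len(order)
        children = 0
        for nxt in sorted(graph[node]):
            if nxt == parent:
                continue
            if nxt in order:  # back edge: an alternate path exists
                low[node] = min(low[node], order[nxt])
                continue
            children += 1
            dfs(nxt, node)
            low[node] = min(low[node], low[nxt])
            if parent is not None and low[nxt] >= order[node]:
                cut_nodes.add(node)  # nxt's subtree cannot bypass node
            if low[nxt] > order[node]:
                bridges.add(tuple(sorted((node, nxt))))
        if parent is None and children > 1:
            cut_nodes.add(node)
    for start in sorted(graph):
        if start not in order:
            dfs(start, None)
    return cut_nodes, bridges

def unattended_choke_points(inventory, links):
    """Cut components that are smart and have no human override."""
    cut_nodes, _ = critical_points(links)
    return sorted(n for n in cut_nodes if inventory[n][0] and not inventory[n][1])
```

On the sample data, the core switch is the one component that is both a single point of failure and outside human control; adding a redundant link changes which components remain critical.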
Again, vast storehouses of knowledge are available to draw from. InfraGard has resources spanning 16 critical infrastructure areas. The U.S. National Institute of Standards and Technology (NIST) Engineering Laboratory has an entire site devoted to cyber-physical systems (nist.gov/el/cyber-physical-systems), along with a definitive Community Resilience Planning Guide. Those are just a few of the many knowledge resources available to help strengthen your resilience across a full spectrum of risks.
You’ve probably seen more than a few chaotic scenes unfold right before your eyes, either up close in person or from a safe distance on a screen. If you’re like many, you’ve likely asked, “How could this happen so quickly?” In today’s massively networked world of instantaneous communication, a tiny spark can quickly escalate into a major event. That’s what we mean by technology-driven social amplification.
In their book The Social Amplification of Risk (Cambridge University Press, 2003), authors Nick Pidgeon, Roger E. Kasperson and Paul Slovic provide a model of how hazards, whether actual or perceived, interact with psychological, social, institutional and cultural processes in ways that may amplify or attenuate public response.
This particular risk category tends to be the most problematic because the outcomes are highly unpredictable. From panic-induced boycotting of your products and services to shutting down your supply lines to rioting in the streets (making it unsafe for your employees to come to work), public opinion can change at light speed as a single phrase or “meme” becomes wildly exaggerated.
If you haven’t already done so, start thinking about what policies, plans and processes you need to have in place to stay on top of the constantly changing social discourse in all areas affecting your enterprise. With two-thirds of the U.S. adult population now getting their news from social media, that is a risk you can’t ignore.
Turning risk into opportunity
There are numerous other risks you need to be mindful of, such as political, legal and regulatory, economic, supply chain and, perhaps most important of all, disruptive innovation. Many of those risks are interconnected and interdependent. One can easily lead to another and then another in cascading fashion.
Advances in technology can be both constructive and destructive, so be sure to use them to your advantage. For example, you can use an assortment of tools such as big data analytics, link analysis and semantic analysis to discover hidden trends and patterns that can help you better prepare for and respond to emerging threats as well as opportunities, both internal and external. Remember, you can be the one creating the disruptive innovation in your industry, rather than reacting to somebody else’s. Finally, make sure that access to your critical data, as well as to your key subject matter experts and decision makers, doesn’t have to pass through a single “choke point.”
It may be unpleasant to think about all the terrible things that can happen. But to do nothing exposes you, your organization and your loved ones to unnecessary risk.
Remain vigilant, armed with the right knowledge, so that no matter what happens along the way, you’ll be able to continue blazing a trail to a brighter future.