Managing expectations: Communicating risk doesn’t occur in a vacuum
By Camille McKay
Communicating risk is problematic.
A solid security risk assessment is inherently detailed and comprehensive. It must be presented in a digestible manner to ensure the successful implementation of its recommendations.
The challenge today, when everyone is inundated with media images of protests, or sound bites about terrorist attacks, is to clearly explain “risks” about business operations, facility integrity or staff safety in a way that corporate leadership can understand for due diligence.
Unfortunately, decision makers often react negatively to detailed threat-risk assessment (TRA) documents, viewing the TRA as a needlessly complex and inflexible process. The challenge for security professionals is to overcome this perception and educate leaders to view TRAs as part of the underlying strength of the corporation.
To start with, right-sizing a risk methodology to fit each corporation is essential. A scaled, flexible risk assessment process should provide timely and accurate recommendations. Leaders need to be able to understand and absorb the key takeaways. These key results must be communicated in clear and concise business terms to allow leaders to quickly gauge the impact of risk and make informed decisions.
The security professional is instrumental in facilitating security and risk awareness. Leaders need to know more about security and risk in general. They need to understand that security measures cannot reduce vulnerabilities to zero but that risk can be effectively mitigated.
Describing the ongoing relevance of risk mitigation to the enterprise starts by familiarizing leaders with TRA terminology. Focus on key assets, determine vulnerabilities of current protective safeguards, protect against likely threats, justify appropriate measures, balance costs with benefits and prioritize future actions.
Security professionals can engage leaders by framing recommendations to safeguard assets (people, places, materials) within the corporate culture. Focus on priority risk categories: human, political, operational, reputational, procedural, financial or technical. In doing so, it is essential to understand the corporate risk appetite — is it averse, neutral, calculating or seeking? Articulate the risk mitigation trade-offs, ranging from avoidance to assumption, limitation or transference. Translate risk management policies and approaches into day-to-day advice and guidance.
Also recognize that despite all attempts to neutrally communicate an evidence-based risk assessment, emotions play a very significant role in every decision-making process. Human beings, regardless of business titles or academic credentials, have a tendency to exaggerate risk during dramatic events (e.g. plane crashes) and downplay it during more mundane incidents (e.g. car accidents), where they are actually more at risk. We all have a bias that skews decision-making toward relying on our own experiences rather than on objective fact, probability or logic.
Therefore, it is necessary to anticipate and address your leaders’ emotions. Be ready to adjust your own analysis frequently as the situation evolves and change your communication strategy as needed. Ask yourself, how can the presentation of risk arouse emotion? Then, use that emotion to spur action or provide situational awareness to assuage unsubstantiated fears. Know that risk can be misinterpreted due to unintended emphasis on historical precedent. A past incident can be seen by a leader as a determinant of a future occurrence. When media sound bites purport growing dangers (e.g. mass shootings), consider how to effectively demonstrate any tenuous or nonexistent linkages to the actual security risk environment of the corporation.
Recognizing that risk is neither assessed nor communicated within a vacuum provides the proper framework to develop and transmit meaningful, relevant and accurate information about risks impacting a corporation.
Camille McKay is the manager, security risk at the City of Mississauga, Ont. (www.mississauga.ca).
This story appeared in the Spring 2019 edition of Canadian Security Magazine.