Driving Blind: The Problem with Skipping the Threat and Risk Assessment

Too many companies go straight from conducting a Business Impact Analysis to devising recovery strategies and building plans, skipping the step of conducting a Threat and Risk Assessment (TRA). In today’s post, we’ll look at what TRAs are and why they are important—and explain why organizations that skip them are driving blind.

Related on BCMMETRICS: The Top 7 Risk Mitigation Controls, in Order

The Annual Worldwide Threat Assessment

Did you see that the U.S. intelligence community just published its Annual Worldwide Threat Assessment forecasting likely threats to U.S. security over the coming years? The report found that global fallout from the COVID-19 pandemic will constitute a serious threat moving forward and that Russia, China, and climate change will also pose significant dangers.

The report makes for sobering reading—however, in this post I’m not concerned so much with what it says as with the fact that the people responsible for keeping us safe are obliged to conduct such an assessment every year.

I firmly believe that every organization should conduct just such an assessment of the risks facing them—doing so at least once a year for mission-critical facilities.

What is a Threat and Risk Assessment?

In business continuity, a Threat and Risk Assessment surveys the risk landscape, identifying threats to the organization, ranking them in terms of probability and impact, and noting any measures that are in place to mitigate each threat.

In tandem with the Business Impact Analysis (BIA), which identifies which business processes are most critical, the TRA provides the organization with a rational foundation for devising its recovery strategies.

The BIA and the TRA go hand in hand.

Conducting a TRA is equivalent to scanning ahead for potential trouble spots when you’re driving down the highway. Skipping the TRA means the organization is driving blind.

Companies That Omit the TRA

Unfortunately, many companies skip the step of conducting a TRA. They do a BIA then immediately begin developing their recovery strategies and building their plans—without bothering to analyze the dangers the company is facing.

Why do people omit the TRA? Sometimes they are afraid of what they will find out. Sometimes they are put off by the perceived complexity of doing a TRA (the task is actually pretty straightforward).

Often, management assumes they know what the threats are—even though their assumptions tend to be rooted in the past while the threat landscape is constantly changing.

The Cost of Skipping the TRA

The reason it’s important to conduct a formal TRA on a regular basis is because things change. The threat matrix and the company’s level of mitigation are both in flux.

If I had brought up some of today’s biggest threats even a few short years ago, I would have been laughed out of the room.

A global pandemic? That’s science fiction. Ransomware? Rolling blackouts? Out-of-control wildfires? Supersized hurricanes? Civil unrest? A barge blocking the Suez Canal and plugging up the global supply chain?

That’s all Hollywood stuff … But here we are in 2021, and those things aren’t Hollywood, they’re the headlines.

Companies that don’t conduct threat assessments run the risk of being impacted by dangers they haven’t anticipated and are not prepared for.

How to Conduct a TRA

Conducting a TRA is actually pretty straightforward. There are many ways to quantify the results, but here are the basic steps:

1. Brainstorm to come up with the list of relevant threats (natural, human and technological) facing your company. Seek input from a small number of savvy, knowledgeable people throughout the organization.
2. You don’t have to evaluate the threats to every single facility; look at the threats to your most mission-critical locations.
3. Rank threats based on the probability of the threat occurring (low, medium, or high)
4. Score threats based on the potential impact to the company (people, operations, technology) if the threat did occur.
5. Score the mitigation controls (emergency plans, business continuity, backup power, etc.) that are in place against each threat, consulting the relevant departments (facilities, security, IT, etc.) as necessary.
6. Crunch the numbers to arrive at a risk score for each threat.
7. Identify your top five threats (based on risk scores).
8. Present your findings to management, explaining the steps the company should take to further mitigate the primary threats.
9. Ask management to choose a risk mitigation strategy for each of the main threats (e.g., accepting, transferring, limiting, or avoiding the risk).
10. Update your TRA annually (at least) for critical facilities and at a minimum of every two years for less critical locations.

In conducting a TRA, it’s important to be realistic and use common sense.
The goal is not to make all risks disappear forever and ensure that your company never receives an unpleasant surprise. That’s impossible. The goal is to understand the probabilities, take rational steps to protect the organization, and make conscious decisions about dealing with likely threats, rather than having the company go through life with its head in the sand.

Driving with Your Eyes Open

Just as the U.S. intelligence community conducts an annual assessment of threats to U.S. national security, every organization should conduct regular assessments of the threats to its people, processes, and technology.

Conducting a Threat and Risk Assessment is fairly straightforward. It involves identifying the threats facing the organization, scoring them based on probability, impact, and existing mitigation controls, and consciously choosing a strategy to deal with the remaining risk.

It’s unfortunate that many companies skip conducting a TRA because by doing so they are driving blind through their organization’s threat landscape. It’s far better to drive with the eyes open.