Security people use the same words, but do they mean the same things?

Being a citizen of our digital corporate world, I am often reminded of the biblical tale of the Tower of Babel! You know the one: everyone speaks a different language and, unable to communicate, they eventually collapse in ruins. You would expect that such a predicament has no place in corporate security, modern management, and the management of crises and disasters; but you would be mistaken in that assumption. In boardrooms across the world, and in Zoom meetings across the digital universe, confusion, bias, preconceptions, and miscommunication are hindering the efficacy and efficiency of even the most robust security thinkers. Part of this issue, if not the whole issue, stems from a lack of common ground and a common language between clients, practitioners, and compliance reviewers; and how could it not, since these people could not come from more diverse backgrounds or have more different life histories? They share the best of intentions, but apparently not the same tools, not even the same words.

To address that, and as a chance to spark some lively conversations and an exchange of ideas on the subjects of security, safety, and risk management, I thought of doing a series of posts on the basic principles and tools of the trade, in order to bridge the gap between the corporate aspect of the industry, the client side, and the community side, which is essential for a holistic and sustainable sector.

In this first post, I would like to look more closely at some of the most prominent terms in the industry and explore how they can be used to convey different aspects of the work, and how they should be treated with attention to detail, in order to ensure they reflect what they were meant to.

The most famous word in the trade is “risk”, and that is what we will examine today. Risk is not a term that can be used interchangeably with “danger”, and it is definitely not the same as “threat” or “hazard”. Risk refers to ANY situation with an unknown outcome, so the defining characteristic of the term is uncertainty rather than a threat. That is why risk can be prevented, foreseen, mitigated, and managed: you are actually dealing with the uncertainty of outcomes, rather than with an event. In this sense, it is essential to assess risk according to the two aspects that affect the “uncertainty”: probability (statistically speaking) and impact. These two aspects can be used to quantify the risk and place it on a Risk Matrix or Risk Index.

Even if we could all agree on the statistical appraisal of risk, we would surely debate the impact! The impact can be assessed along a variety of dimensions, most prominently financial impact and impact upon operations. However, the impact upon human capital and the impact upon the local (or global) community should not be overlooked. No impact assessment is complete and thorough unless it addresses what the “Risk” is going to do to both the tangible and the intangible resources at hand. Will it rupture social bonds? Disrupt whole communities? Compromise personnel or stakeholders? Alienate clients? Damage brand reputation? These and many more are issues that need to be accounted for in a proper impact assessment, which will be a crucial component of assessing the risk at hand.
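As an added illustration (not part of the original post), here is a small Python risk register that scores each entry by probability and impact as the two paragraphs above describe, refuses to score an entry whose impact assessment skips a dimension, and takes the worst single dimension as the composite impact so that a community or reputational hit is not hidden behind a modest financial figure. The 1-5 scales, the rating bands and the sample entries are my own assumptions.

```python
from dataclasses import dataclass, field

# Constructed 1-5 ordinal scales: the post names the impact dimensions but
# defines no scale, so the scale and the rating bands below are assumptions.
IMPACT_DIMENSIONS = ("financial", "operational", "human", "community", "reputation")


@dataclass
class RiskEntry:
    name: str
    probability: int                              # 1 (rare) .. 5 (almost certain)
    impact: dict = field(default_factory=dict)    # dimension -> 1 (negligible) .. 5 (severe)

    def composite_impact(self) -> int:
        """Worst case across every dimension, so an intangible hit (community,
        reputation) is never averaged away by a modest financial figure."""
        missing = set(IMPACT_DIMENSIONS) - set(self.impact)
        if missing:  # an assessment that skips a dimension is not complete; refuse to score it
            raise ValueError(f"{self.name}: impact not assessed for {sorted(missing)}")
        if not all(1 <= v <= 5 for v in self.impact.values()) or not 1 <= self.probability <= 5:
            raise ValueError(f"{self.name}: scores must be on the 1-5 scale")
        return max(self.impact[d] for d in IMPACT_DIMENSIONS)

    def score(self) -> int:
        """Probability x impact, the two aspects that make up the uncertainty."""
        return self.probability * self.composite_impact()

    def rating(self) -> str:
        s = self.score()  # assumed bands on a 5x5 matrix
        return "critical" if s >= 15 else "high" if s >= 8 else "medium" if s >= 4 else "low"


def risk_matrix(entries):
    """5x5 grid indexed [probability-1][impact-1]; each cell lists the risk names placed there."""
    grid = [[[] for _ in range(5)] for _ in range(5)]
    for e in entries:
        grid[e.probability - 1][e.composite_impact() - 1].append(e.name)
    return grid


# Constructed sample register (illustrative values, not real data).
REGISTER = [
    RiskEntry("Server room flooding", 2, {"financial": 4, "operational": 5, "human": 2,
                                          "community": 1, "reputation": 3}),
    RiskEntry("Phishing of payroll staff", 4, {"financial": 2, "operational": 2, "human": 3,
                                                "community": 1, "reputation": 4}),
]

if __name__ == "__main__":
    for e in REGISTER:
        print(f"{e.name}: impact={e.composite_impact()} score={e.score()} rating={e.rating()}")
```

Note that the second entry outranks the first on the matrix even though its worst financial score is lower, because probability is weighed alongside impact rather than impact alone.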

