Risky business: What is risk?

Risk lurks in all facets of daily life. Luckily, many risks are small, like crossing against the light when there are no cars or trying the new Ethiopian restaurant down the block. Other risks are high, like quitting your job and doubling down on a new startup. Through our experience working with global organizations, we’ve seen it all.

In spite of the ubiquity of risks, we rarely analyze them objectively. We are all imperfect, and we rely on past experiences and our emotions to understand the world around us and guide our decision-making. On the one hand, it makes sense that we are wired this way: if we didn’t rely on experience and emotion, we’d have to consciously evaluate every single situation anew, and we’d become paralyzed. On the other hand, there is a downside to the efficiency of this wiring: it makes us awful at objectively estimating risk. For example, bad experiences cloud our ability to accurately measure the impact of risks, as well as their relevance. Other factors described by psychologist Paul Slovic, such as media attention, immediacy, control, and choice, further compound that lack of objectivity.

This five-post series will help you circumvent these pitfalls, reprogram you to look at risk objectively, and provide downloadable resources to implement these methods at your organization. But before we get to the meat of things, we need to ensure that we are speaking the same language. Risk: What is it? Why do we care about it? How do we measure it? And, most importantly, what are some of Lootok’s techniques and tools to facilitate risk assessments?


What is risk?

A risk has three ingredients: an asset, a threat, and a vulnerability.

All three ingredients must be present for there to be a risk. If you are missing just one ingredient, there is no risk. Defining the language around risk and its ingredients is the first step towards an objective risk assessment. Let’s break down each ingredient.

  • What is an asset?

    An asset is anything of value to your organization. It can be tangible or intangible. Examples include your building, employees, supply chain, IT, site access, intellectual property, and reputation.

  • What is a threat?

    A threat is anything that can harm one of your assets. For example, a hurricane or other natural disaster can be a threat. A labor strike can be a threat. A cyber attack or virus can be a threat. Remember, for something to be a threat it must be able to harm one or more of your assets.

  • What is a vulnerability?

    Lastly, a vulnerability allows a threat to harm or disrupt an asset. Without a vulnerability, or weakness, your assets are safeguarded from a threat, and therefore there is no risk to them. Risk mitigation capabilities, such as a BCM program or fire suppression, can reduce or eliminate a vulnerability.

A prime example of a risk is a fire at an office building. The asset is the building itself; the fire is the threat; and the vulnerability is a combination of missing fire suppression equipment and old electrical wiring. Another example is lost revenue due to a pandemic. The asset is your employees; the threat is the pandemic virus or absenteeism caused by the pandemic; and the vulnerability is poor access to vaccines and an inability to work remotely. Another way to look at this is that an asset is something we want to protect; a threat is something we want to protect against; and a vulnerability is something we want to fix.

When doing a risk assessment, requiring that each of these ingredients is clearly defined for each risk will help keep emotions and experience from getting in the way of an objective analysis. Without an objective analysis, you will have as many definitions of risk as there are participants in the room.

With a sound understanding of these ingredients, you are taking your first step towards a more objective risk assessment.

