#357 – ALL RISK IS PERSONAL – JIM TONEY

Isn’t it about time you became your own risk manager?  Whether we are aware or not, all risk affects us personally.  We need to know both what tasks to perform, and then how to perform those tasks to control risk.

How ridiculous and how strange to be surprised at anything which happens in life. Marcus Aurelius Antoninus(1)

We define risk as an uncertain future event that poses harm to individuals or business objectives.  A risk may be driven by a threat, e.g., danger or harm from malicious actors, events of nature, or technology deficiencies.

Risk may be exacerbated by vulnerabilities such as deficiencies in knowledge, people, procedures, and information systems that may be used by malicious actors to carry out nefarious deeds.  Once identified, risk is characterized as the combination of probability of occurrence of some event and the consequences should it occur.

For the purpose of this article, we discuss risk in the context of threats, whether they be to bodily harm to a person or business reputation.  A risk could be one that takes a long time to be realized, or realized in seconds.  The common denominator is a person, the individual, whether the risk is associated with a person, project, program, or enterprise.  Thus, our focus is on the individual.

Regardless of the nature of a specific threat, we have to first perceive it as a threat, then assess the probability of it occurring and consequences if it materializes.

After the risk is assessed, we next need to decide what to do, and finally take action to mitigate it.

Mitigation may include actions taken to directly confront and defeat a risk.  It may also include actions taken to lower the probability of occurrence or reduce the consequences should it materialize, or both.

Of course one might also avoid a risk entirely which may not always be feasible, or insure against it.

A risk might be time bound, e.g., a project or program with defined start and end dates, seasonal such as hurricanes, event driven, or operational with no time limit.

Evaluation of threats and vulnerabilities can include other factors in addition to the common probability of occurrence and consequences.

Risk velocity is an important factor for personal risk and in many business environments.  Risk velocity should be a consideration for any risk, and in particular personal risk.

Velocity may be thought of as having two components; (1) time to impact and (2) reaction time.(2)

First, time to impact – how fast will a risk materialize?

A driver while traveling at 60 miles per hour, reaches down to grab a cup of coffee, which diverts the driver’s eyes from the road.  Suddenly, a truck stops about 90 feet ahead in the road.  Time to impact is one second at 60 miles per hour. The uncertainty (risk) is whether or not the driver will look up in time to avoid an accident.(3) Both the probability of a collision and resulting consequences are high.

Second, reaction time – how fast can one react to a risk rapidly materializing?

While standing on a corner waiting to cross the street, an approaching vehicle suddenly veers in your direction about 90 feet away.  The car is approaching about 40 miles per hour or 60 feet per second.  You have 1.5 seconds to take action. The uncertainty (risk) is can you get out of the way in time?  Both the probability of being struck by the vehicle and resulting consequences are high.

Tying threat, vulnerability and risk together – the threat is a speeding car, the vulnerability is poor situational awareness, and the risk is whether or not you will be run over.

Reacting to threats requires (1) detecting the threat; (2) processing the threat and vulnerability to comprehend the risk; and (3) responding to the risk.

You have 1.5 seconds to take action.  It may take 0.5 second to detect the car approaching.  Another 0.5 second to process what you observe to reach a decision, and finally another 0.5 second to execute the decision, e.g., move out of the way.

You might survive, unless too much time elapsed in the sequence of detect, process, and respond.

What can you do to stay ahead of personal risk?  Is there anything that can be learned from body of knowledge of enterprise, program, project, and operational risk that might be useful for dealing with risk to the person?

Traditional risk management methods rely on tools, frameworks, guidance documents and standards, e.g., ISO 31000 Risk Management Guidelines(4) and COSO Enterprise Risk Management.(5)  Cybersecurity related resources include NIST publications on risk Information Systems security (SP 800-37 and 800-53).(6)  And there are skills training and certifications.

Inherent to most of these is identification of controls for each risk.  Controls might be policies, procedures, checklists, reaction training or similar that serve to reduce or eliminate conditions that enable risk occurrence.

Then there are also other resources such as Excel templates from ALARM, (7) and enterprise software tools such as Risk Radar®(8) and ARM(9).

Another framework that can be used for assessment, either by an enterprise or malicious actors, is the CARVER Risk/Vulnerability Prioritization Matrix, from the military.(10)  The CARVER framework considers Criticality, Accessibility, Recuperability, Vulnerability, Effects, and Recognizability and can be used to both select targets as well as identify vulnerabilities and risk.

All of these references provide some form of structure to identify potential risk.

Personal risk management is largely ignored in the business press.  Identifying potential threats and risk are key to both personal risk and business risk management.  Both personal and business risk management deal with environments.

Personal risk environment might mean the home, travel outside the home, insuring against certain risks like accidents, cyber events including hacking and identity theft, public and commercial areas, and work.  For personal risk, the focus is personal safety and security.

Business risk environment might mean supply chain, competitors, regulation, obsolescence, cyber, reputation, loss of key personnel theft, project failure, and litigation.  For business risk, the focus is on mitigating risks that threaten achievement of business objectives.

For personal risk, the phrase “situational awareness” is used to mean being attentive to the environment in which one is at the moment.  The goal is to identify immediate threats and risks.(11)  In practice this means observing and being aware of what is going on around you, e.g., in the shopping mall, the parking lot, the airport, or on the street.

The personal objective is to stay safe by anticipating bad events in sufficient time to do something about them.  This mimics the business environment where risk officers and managers are charged with evaluating internal and external environments for prospective risks that may adversely affect achievement of business objectives.

In business risk, situational awareness may take the form of real time news feeds tailored to specific business sectors, e.g., supply chains, pending legislation, and labor issues.

Whether personal or business, the task is to be constantly looking into the future – which may be a few seconds, or hours, days, weeks, months or years. The task is identifying threats, assessing their risk potential, and deciding what to do. Of course, realistically it is not possible to accurately predict future events, but one may learn to recognize the conditions that might signal a future risk.

Effective practice of personal risk management is aided by a framework or lens to examine and evaluate environments.  A personal risk framework may be adapted from business risk frameworks and coupled with awareness to create a personal risk management system.

Knowledge of situational awareness levels is critical.  This is often characterized as having four to five levels, depending on the source.  The levels form a hierarchy, from an unaware state (“white” or relaxed state) to the highest, most critical – an imminent threat with a risk in process of materializing.  This highest level is focused on preparing for and taking immediate action (“red” state).(12)

Panic causes tunnel vision.  Calm acceptance of danger allows us to more easily assess the situation and see the options.  Simon Sinek(13)

In addition to situational awareness skills, one expert proposes that threats to personal safety progress through four-stages – potential threat, actual threat, pre-attack behavior, and attack behavior.  This last phase, attack behavior, then has five sub-steps.  A malicious actor looks for victims, chooses a specific victim, and like in the animal kingdom – stalks the victim, closes in, and then attacks.(14)

In one sense there is little difference between the threat-response process between personal risk and business risk.  They both depend on skill and experience to detect and identify threats, assess the associated risk, and respond.  The stakes for personal risk are possible property and financial loss and injury or death, whereas the stakes for business are largely financial.

Acquiring skills to recognize conditions and threat precursors buys time to respond before the situation becomes critical, whether for individuals or businesses.

Regardless of whether the focus is an individual’s personal risk, or business risk, the common denominator remains the individual.

For business risk, a risk management process is employed that includes risk identification, risk analysis, evaluating and selecting risk control techniques (decision making), and implementing a control appropriate to a specific risk.

This process might involve a number of different departments in a business, finance, operations, IT, marketing, Human Resources, as well as numerous people from these departments. Mitigation decisions might require multiple sign-offs and expenditure of funds.

For personal risk, the process is simple and direct – perceive a threat/risk, take action – if one is to be successful.  The focus is clearly on taking action (decision making).

To be skilled at dealing with personal risk, it is best to have thought in advance about what might happen.  This is done using a “what if” process that primes one for action without delay.  Of necessity this is a quickly acting mental process supported by an action-oriented mindset.

Not surprisingly, some propose humans have two systems of thinking.(15)  The faster, “System1,” is said to be automatic, fast, emotional, intuitive, and subconscious. (3) The slower, “System 2,” is calculating, conscious, and useful for problem solving.

When System 1 is presented new information, a sudden threat for example, it relates new information with patterns already established in the mind.  This is why conducting “what if” exercises can be used to respond quickly when exposed to a rapidly unfolding – high velocity – personal risk that has already been imagined.

System 2 is well suited for making complex or difficult decisions, e.g., involving project, program, and enterprise-level risks.  It requires conscious thinking about complex tasks.  System 2 processing is slower than System 1, the risks involved may be more complex and of lower velocity.

You do not have to be engaged as a full-time risk practitioner in a corporate, government or non-profit to adapt some of these professional’s knowledge and skills in your personal life.  On the other hand, professional risk practitioners might be well served by studying personal high velocity risk/threat situations and required rapid decision making.

Everyone is a risk manager now.  Developing a risk mindset for personal use needs to be internalized to the level of a System 1 habit.  For business use this might be some System 1, but will be mostly System 2.

So, how do you put all of this information to use?

For personal risk management, start by brainstorming a list of threats and associated risks.  They can be categorized by your environments, e.g., home, office, travel, shopping, etc.  In a business environment, an equivalent list may be referred to as a risk breakdown structure.(16)

Once you have your lists, practice “what ifs.  What happens if someone tries to car jack me in the parking lot?  What happens if we cannot hire talent needed to sustain and grow our business?  What happens if the project cost and schedule estimates are inaccurate?  What happens if my on-line accounts are hacked? What happens when the power goes out?  What happens if internet connectivity is lost?

Then decide on a response to each “what if”, test your response, practice it, constantly refine it, and have it stored in memory for instant recall.

These two tools, a list of potential threats/risks and “what if” scenarios are a start.  “What ifs” can be performed anywhere and at any time, it just takes research, some imagination and is free.  “What ifs” have broad application from the basic physical risk level to the enterprise level, and all applications between the these two.  They help decrease your decision-making time.  Know what you will do if “x” happens.  It is all about your mindset!

Bio:

His career has been enriched through education, training and experience beginning in the early 1970’s as an investigator, and later as economist, statistician, operations researcher, adjunct professor, business owner, newsletter publisher, consultant, quality award examiner, risk and QA manager, and contractor.

The common thread throughout this time has been gathering, reducing, assessing, summarizing, and presenting findings to enable decision making.  With the arrival of COVID-19, it was recognized that methods and tools used for decision making in a business setting, particularly involving risk, can be adopted to individuals.

Toney is also an aspiring business fiction writer where his future works will be published on vucanites.com.

Bio:

His career has been enriched through education, training and experience beginning in the early 1970’s as an investigator, and later as economist, statistician, operations researcher, adjunct professor, business owner, newsletter publisher, consultant, quality award examiner, risk and QA manager, and contractor.

The common thread throughout this time has been gathering, reducing, assessing, summarizing, and presenting findings to enable decision making.  With the arrival of COVID-19, it was recognized that methods and tools used for decision making in a business setting, particularly involving risk, can be adopted to individuals.

Toney is also an aspiring business fiction writer where his future works will be published on vucanites.com.

References:

  1. Roman Emperor. https://wisdomquotes.com/marcus-aurelius-quotes/.
  2. Risk Velocity. Risk assessment measures cited include impact, likelihood and velocity. Velocity described two factors (1)time to impact and (2) reaction time. https://riskmanagement.georgetown.edu/enterprise/riskassessmentmeasures/#.
  3. Miles per hour conversion to feet per second. Example: At one mile per hour, an object travels 5,280 feet in 3600 seconds (60 seconds per minute x 60 minutes = 3600 seconds) or 5,280/2,600 = 1.47 feet per second (FPS) (rounded to 1.5).  Multiply MPH x 1.5 for FPS.  At 60 mph, FPS = 60×1.5 = 90.
  4. ISO 31000 Risk management – guidelines. https://www.iso.org/iso-31000-risk-management.html.
  5. Committee of Sponsoring Organizations of the Treadway Commission (COSO). Both the COSO 2017 Enterprise Risk Management – Integrated Framework, and the COSO Internal Control Integrated Framework, updated in 2013, pertain to business risk management. https://www.coso.org/Pages/default.aspx.
  6. Draft NIST Special Publication (SP) 800-53A, Revision 5, Assessing Security and Privacy Controls in Information Systems and Organizations and NIST Special Publication 800-37 Risk Management Framework for Information Systems and Organizations A System Life Cycle Approach for Security and Privacy Revision 2.
  7. ALARM organization from the UK publishes guidance documents including a Risk management toolkit, June 2021, and has downloadable risk templates in Excel format. https://www.alarmrisk.com/guidance-documents.
  8. Risk Radar®. An enterprise risk management software application. https://proconceptsllc.com/risk-radar-enterprise-software/
  9. Active Risk Manager (ARM). https://sword-grc.com/active-risk-manager/ An enterprise risk management software solution.
  10. CARVER in FM 3-24.2 (FM 90-8, FM 7-98) Tactics in Counterinsurgency, Headquarters, Department of the Army, Distribution Restriction: Approved for public release, distribution is unlimited, April 2009 https://armypubs.army.mil/epubs/DR_pubs/DR_a/pdf/web/fm3_24x2.pdf
  11. Situational awareness. https://en.wikipedia.org/wiki/Situation_awareness. For example, three components of situational awareness:  perception of the elements in the environment, comprehension of the situation, and projection of future status.
  12. Scott Stewart. A Primer on Situational Awareness. https://worldview.stratfor.com/article/primer-situational-awareness.
  13. Tarani, Steve. PreFense The 90% Advantage. Tarani Press, 2nd Edition, 2014, ISBN 061596236/8. Simon Sinek quote on page 7, and is also found at:  https://www.brainyquote.com/quotes/simon_sinek_568159
  14. ibid
  15. Kahneman, Daniel. Thinking Fast and Slow. Farrar, Straus, and Giroux, (ISBN13: 9780374275631), 2011.

Leave a Reply

Your email address will not be published. Required fields are marked *