5 Tips for Measuring the Effectiveness of Your Risk Management Program and Why It’s Important
I’ve had several conversations lately with corporations and thought leaders about whether it’s possible to measure the efficacy of a risk management program. After all, if your program successfully helps your company avoid the consequences of that next attack at the airport, or that kidnapping that might have happened in Mexico City, who will know about it? Measuring the effectiveness of programs is not only possible (if challenging), it’s essential to attempt wherever you can. In every other aspect of business we measure KPIs against goals and routinely assess the effectiveness of strategies. We must know how well we are executing our strategies and how well our tools are performing, and in risk the stakes could not be higher. The argument that it’s not possible to measure the effectiveness of risk management efforts is a weak one and lacks imagination. I would go as far as to say that those marginalizing metrics have ulterior motives for doing so. Here are 5 ways to look at risk as a series of metrics and performance indicators.
Timeliness of Information and Intelligence
Yes, you can measure time. Intelligence drives decision-making processes. How quickly you get relevant and useful information has a direct impact on how fast you can make decisions, how much time you have to respond and react, and your ability to limit second-order effects and do damage control. Whatever tools, software, and internal processes you use, start recording the date and time you receive your first notification of an alert or event and compare it to when the incident actually happened. This “threat latency” matters, and minutes matter. Does your intelligence ever “beat the media”? How often? Conduct spot checks from time to time with a sample of data that is statistically significant and arrive at an average “threat latency” score. Because a handful of very late alerts can drag an average up, record the median and a high percentile (the 90th, say) alongside it; in a real crisis it is the tail that hurts you. Does this number meet your risk management needs? Is there a further delay in getting this information to your employees or clients? Measure that leg as well: an alert that reaches the risk team in ten minutes but the traveler two hours later has not done its job.
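The following is an added worked example, not code from the original article or from Alpha Recon’s software, showing how the “threat latency” score and the related timeliness questions above can be turned into numbers. It uses a constructed sample of six events (all timestamps are made up) with four instants per event: when the incident occurred, when the first alert reached the risk team, when it was relayed to employees (if ever), and when the first media report appeared (if known). It reports mean, median and 90th-percentile latency, the share of media-covered events where the feed arrived before the press, and how many people were notified end-to-end within a target such as the one-hour or 30-minute goals discussed later under strategy and KPIs; an event that was alerted but never relayed is counted as a miss rather than dropped.

```python
# Added worked example (not from the original article or Alpha Recon's
# software): computing a "threat latency" score and related timeliness
# metrics from a constructed sample of events. All timestamps below are
# made up for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import ceil
from statistics import mean, median
from typing import Optional


@dataclass(frozen=True)
class Event:
    event_id: str
    occurred: datetime            # when the incident actually happened
    alerted: datetime             # first notification reached the risk team
    relayed: Optional[datetime]   # pushed on to employees/travelers, if ever
    media: Optional[datetime]     # first public/media report, if known


def _t(minutes: int) -> datetime:
    """Helper: a timestamp `minutes` after a fixed reference instant."""
    return datetime(2023, 5, 1, 8, 0) + timedelta(minutes=minutes)


# Constructed sample: six events, all occurring at the reference instant.
SAMPLE_EVENTS = [
    Event("E1", _t(0), _t(12), _t(25), _t(40)),    # fast, beat the media
    Event("E2", _t(0), _t(95), _t(110), _t(60)),   # media first, slow relay
    Event("E3", _t(0), _t(30), None, None),        # alerted but never relayed
    Event("E4", _t(0), _t(8), _t(15), _t(20)),     # fast, beat the media
    Event("E5", _t(0), _t(45), _t(70), _t(45)),    # tie with media: not a win
    Event("E6", _t(0), _t(240), _t(260), _t(90)),  # outlier: four-hour latency
]


def minutes(delta: timedelta) -> float:
    return delta.total_seconds() / 60.0


def percentile(values, p: float) -> float:
    """Nearest-rank percentile; values must be non-empty."""
    ordered = sorted(values)
    rank = max(1, ceil(p / 100.0 * len(ordered)))
    return float(ordered[rank - 1])


def latency_report(events, sla_minutes: int) -> dict:
    """Summarise threat latency (occurred -> alerted) and downstream delivery.

    sla_minutes is the target for end-to-end notification (occurred -> relayed).
    An event that was never relayed counts as an SLA miss, not as missing data.
    """
    latencies = [minutes(e.alerted - e.occurred) for e in events]
    with_media = [e for e in events if e.media is not None]
    # Strict comparison: arriving at the same minute as the press is not a win.
    beat_media = [e for e in with_media if e.alerted < e.media]
    relayed = [e for e in events if e.relayed is not None]
    within_sla = [e for e in relayed
                  if minutes(e.relayed - e.occurred) <= sla_minutes]
    return {
        "events": len(events),
        "mean_minutes": round(mean(latencies), 1),
        "median_minutes": float(median(latencies)),
        "p90_minutes": percentile(latencies, 90),
        "with_media_report": len(with_media),
        "beat_media": len(beat_media),
        "notified_within_sla": len(within_sla),
        "unnotified": len(events) - len(relayed),
    }


def beat_media_rate(report: dict) -> float:
    """Share of media-covered events where the feed arrived before the press."""
    if report["with_media_report"] == 0:
        return 0.0
    return report["beat_media"] / report["with_media_report"]


def meets_target(report: dict, max_median: float, max_p90: float) -> bool:
    """Judge the feed on the median and on the tail, never on the mean alone."""
    return (report["median_minutes"] <= max_median
            and report["p90_minutes"] <= max_p90)


if __name__ == "__main__":
    rep = latency_report(SAMPLE_EVENTS, sla_minutes=60)
    for key, value in rep.items():
        print(f"{key:>20}: {value}")
    print(f"   beat-the-media rate: {beat_media_rate(rep):.0%}")
    print(f"meets 30/60-minute target: {meets_target(rep, 30, 60)}")
```

On the constructed sample the mean latency is about 72 minutes while the median is 37.5, which is exactly the distortion a single four-hour outlier produces; the 90th percentile of 240 minutes is the number to put in front of stakeholders. The same structure works on real data once the three timestamps are captured consistently in the alerting tool and the mass-notification system.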
Relevancy, Noise, and Quality of Threat Data
Equally important as the speed is the nature of the intelligence and information you receive. Does it matter to your risk management goals? Is it more of a distraction than a blessing? Is it granular (localized)? Is it actionable? Does it help you make decisions? Is it accessible? Is it vetted? If it’s vetted, how is it vetted? Does it fit into your processes and procedures? Does it provide clues as to impact? These are just a handful of the questions that must be asked, and the answers measured, frequently. If your tools and processes are not keeping risk management relevant to your organizational goals and exposure, it might make sense to re-evaluate execution capabilities.
Changes in Risk Exposure
In order to measure changes in risk, you need to measure risk in the first place. You can do this internally with analysts, outsource it, or both. However, if you’re not measuring the risk at locations important to you and the risk to your assets worldwide, how can you possibly have an effective risk management program? Once you are able to measure the risk baseline, you should then discuss with stakeholders what risk is acceptable and what actions will take place when certain risk thresholds are reached. This takes a joint effort, cross-department coordination, and executive-level buy-in, so it is not easy to accomplish. Once you have done so, what remains is to monitor changes in risk over time and across assets. Measure those changes against the decisions and responses you made, so that you can also see how much your program lowers risk. Record and report this to support assessments of tools and practices, and to act as a feedback loop for future risk management decisions.
Stakeholder Communications and Event Processing Efficiency
The two-way communications and crisis response infrastructure should also be tested regularly. How quickly can you communicate with your personnel, get their current status, and manage a crisis? How long does it take to inform stakeholders of a key event? Are there public relations and other second-order risks that develop from the crisis response process? Do your crisis management steps provide decision-making support, subject matter expertise, and emergency planning capabilities? Is there a way to confirm communications were received? How long does it take to get messages and alerts out to your network? Is the approval process for necessary actions well defined and tested? Are all stakeholders and departments involved?
Strategy and KPI Assessment
Although we could continue discussing the metrics of risk management for quite a long time, we will leave you with this. Once you have established tangible goals and key performance indicators for your program and third-party solutions, actually measure how well you achieve them! Did the enterprise limit disruptions? Did you avoid more than 5 petty crime events in Mexico City? Were all travelers notified of disruptions and disasters within 1 hour? 30 minutes? Did your risk ratings consistently go down all year once threats were identified and managed? Measure the bottom line as well. Get your CFO involved. How much of your capital outlay was due to risk-related activities? What is the total cost of risk (TCOR)? What was most expensive, and what was the return on investment? Which facets of enterprise risk management were the most problematic and suffered the most losses? Operations? Human Resources? Logistics? Travel?
It is our hope that these tips provide a good start for those wondering how to measure the effectiveness of risk management programs. There are many more methods, and as technology continues to evolve with the risk management industry, what was once an impossible task will become data-driven, relevant, and a source of real efficiencies. Feel free to reach us at firstname.lastname@example.org for more information on measuring the efficacy of your program.
CEO & Founder
Toby is a risktech and ESRM futurist who earned two Master’s degrees, in Biology (Neuroscience) and International Relations, in addition to becoming a member of the US Army Special Forces, more commonly known as the Green Berets. After leaving the military with over 10 years of risk management and intelligence experience, Toby founded Alpha Recon to be a risk technology innovator in enterprise security risk management (ESRM). Focused on rapidly changing and diverse risk management challenges across traditional corporate boundaries, Toby is a proponent of strategy- and intelligence-focused risk management, limiting liabilities while advancing opportunities and outcomes for business with the help of machine learning/AI. Toby is an unconventional thinker who believes that solutions have remained siloed and irrelevant, and rarely lower risk or provide opportunity for organizations and their assets in a measurable and proactive way.
Toby served around the world in high threat areas advising senior military, foreign governments, and U.S. government officials and dignitaries. Engaging with local communities he gained first-hand security and risk management experience in complex environments. During this time, Toby became an expert in risk management, intelligence operations, and threat mitigation with an appreciation for proactive and practical methods. His equal appreciation for deep learning and risk models to synthesize multi-variate data and make it valuable is evident in Alpha Recon’s software approach. Toby’s theories and ideas about holistic risk understanding and strategic management challenge the status quo and will no doubt result in better practices and solutions to help the performance of enterprises around the world. Toby enjoys speaking about innovations in risk technology, measurable risk management, and building consensus for enterprise security risk management around the world.
Toby is currently on the technical committee and working group for ESRM on behalf of ASIS, developing the Enterprise Security Risk Management guideline.