Many business leaders are utilizing a diverse array of planning concepts to help them with decision making and to help them manage risks. A concept often forgotten or under-emphasized is that of future or innovation risk. This emerging term is used to describe the risk the future can bring depending on the impact and the certainty of events. Failing to look at threat assessment projections or conducting scenario planning can leave the luckiest security and risk managers in situations they are not prepared for and greatly impact the organization. These approaches are easy and important to use and there are a growing number of tools that can help implement plans once complete. 

   The origin of scenario planning probably goes back several hundred years and has a root in military campaign planning. While preparing for battles or political coups, stakeholders determined what the enemy’s most likely and most dangerous courses of action were and this prepared a series of preconceived responses for these situations. Recently, scenario planning was brought into the limelight again due to the emerging risks and challenges businesses face in our interconnected and quickly evolving world. One such thought leader, Woody Wade, has put together a process for companies to distill their most likely high impact “challenges” into 4 scenario “quadrants” that help them realize what the company must be prepared for in the future if certain conditions develop. This is useful to do in security risk management as it will help a security officer to understand how to develop the security and risk program across the company and to focus on likely scenarios as an anchoring context. Until you think in detail of an environment under different conditions, it is difficult to design the best courses of action for those situations. Scenario planning cannot be used in a vacuum, however, as data and information is needed to fuel the process. Uninformed scenario planning can quickly devolve into fantasy land and arrive at unlikely outcomes. Of course, the determination of the major impacts and the data to support likelihood is needed, which brings us to projections. 

   Projection models and forecasting the future is easily the hottest topic in technology today. When business or organizational security leaders are trying to determine plans, resources, and operations, it is helpful to know quantitatively what the main impacts are, the likelihood of threats, or where threats may emerge. It is equally important to know opportunities that could be missed. Projection models in business intelligence are usually extrapolated by existing data sources and continue trend analysis of historical observations. This can help leaders understand possible outcomes under similar conditions. However, when used in isolation, rigid models and analysis can lead to wild inaccuracies and contribute to failed security programs. There is no question that the advent of predictive analytics will change the security risk management landscape (for the better), but we need to use it as a tool to better understand threats and risks, impacts, probabilities of situations, and measure program performance (among other things). Forecasting is a combination of sensing, data capture, and focused analysis, while scenario planning helps us think of what we know in a more uncertain context. 

    Whether Woody knows it or not, his program to help businesses plan for future scenarios is actually an exercise in risk management. Yes, opportunities can be addressed in scenario planning, but I would argue that failing to find or seize opportunity is yet another risk to monitor and manage. The beauty of using a combination of forecasting, projections, and scenario planning, is that it forces security stakeholders to evaluate all known data as it comes, to extrapolate likely events and trends, and to envision their organization under different constraints and environments. Planning is an important part of a security professional’s work. Waiting for the future to come with no thoughts on emerging environments or contexts can quickly lead to a sedentary and under performing program. Monitor the threats and risk of today with current assumptions and data science, but plan for tomorrow with the added understanding that the operating environment might be much different. Technologies are emerging to support security and risk professionals. Alpha Recon is helping organizations with its ESRM platform. Find out more at www.alpharecon.com