You’ve just moved from Arizona – where you were in the habit of walking the short mile to work and back in a wide-brimmed hat, sunglasses, SPF-15, and loafers – to Seattle, where you plan to continue the practice.
Being cautious, however, you decide to use the traditional risk model to calculate how much damage the Pacific Coast rain might cause. So, you first identify the likelihood of rain and find that it rains about 42% of the time, averaging 152 days a year.
Seems like a reasonable risk, so you set off confidently.
Naturally, you’re soon in the lobby, your soaked and bedraggled new suit in need of reshaping. The loafers are brimful after that bus hit the puddle just right. Your I.D. papers and the company handbook were in a pocket and will need to be replaced, and you’re juggling the apple, sandwich, and cookies which broke through their soggy paper sack. Security is eyeing you suspiciously.
Aside from self-respect, and the bad first impression you’ll make at the office – what we call ‘submerged’ risk, which we’ll discuss later – the actual damage is about a hundred bucks.
Using the classic model, we now have the equation:
The Vulnerability Model
But the model above is incomplete. It identifies bad things that could happen, certainly, and it tells you how expensive the outcome will be if they do. But it doesn’t account for vulnerability.
Unlike Likelihood – an external phenomenon not in your control – vulnerability is internal, something you can manage. (Magnitude is a combination of factors. Some costs of damage may not be in your control while, as we’ll see below, there are ways to control and minimize magnitude.)
Let’s reset the above scenario. As you’re walking out the door in Seattle, you grab an umbrella and set off down the street to go meet the team.
This won’t impact the likelihood of rain at all, so the level of threat is still the same 42%.
External Threat Level: 42%
However, your umbrella has dramatically reduced your vulnerability to a rain shower. Only a major downpour, heavy winds, or an umbrella failure, can seriously damage you now. Collectively, you calculate, the chances of one of those happening is around 7%.
You can also reduce the magnitude by protecting certain specifically vulnerable areas. Rubber boots or overshoes for your loafers; a raincoat for the suit, and a waterproof valise for documents, will limit potential damage greatly. Your protection isn’t perfect, and if the umbrella fails you’ll get wet here and there, but you will still arrive at the office in good condition. You might have lost the lunch, and your trousers will need pressing, a total of about twelve bucks.
Now we’re talking! The risk has been reduced dramatically.
This is how things generally work. Most people understand there are basic vulnerabilities and that they can protect against most of them. But they don’t always do the work to assess their level of vulnerability. This model forces an examination of vulnerability and it can illuminate risk in ways that the old ‘likelihood’ model can’t.
In Arizona, where the likelihood of rain is minimal, you might get away with using that model even though it’s incomplete. Yet even there, downpours do happen and vulnerability in the context of specific risks should be accounted for. The threat/vulnerability/magnitude/risk model takes this into account.
A mismatch between the above elements is where the risk meets the road. As we’ve seen, a low level of threat paired with high vulnerability is probably fairly safe. High threat with very low vulnerability is also a reasonable risk. But high threat paired with high vulnerability is a recipe for disaster. That is a mismatch and action must be taken to protect assets.
Submerged Risk / Submerged Value
When you arrive for the meeting, dry and looking good, your reputation – so at risk in the first instance – will not suffer, thus wiping out the submerged risk. In fact, as others see how well prepared you were for Seattle’s inclement weather, your reputation will be enhanced. This, of course, is submerged value, secondary and tertiary value from the actions you take that, like submerged risks, are buried under the surface, invisible until raised.
Rain, even in Seattle, is not a constant. It is often possible to walk to work unscathed, safe and dry. But what about when the threat never goes away?
Let’s place you in your brand-new Pacific Coast office. Your new laptop isn’t ready, so you pull out your own and hotspot your way to the internet. You are now at a 100% level of threat from malware, ransomware, security breaches, data loss and equipment damage.
How do the two models compare now? When the risk is constant it’s not even close.
Okay, but is that a realistic assessment? How many people in 2020 don’t have some sort of protection on their systems? This model, once again, does not specifically account for that. Under the new model, the risk looks like this:
Of course, the costs of reducing vulnerability and magnitude must be factored in as well, whether an umbrella and galoshes, or antivirus protection and cloud backup. The total now becomes:
This is not just a huge difference in total risk from the likelihood model, it’s also a far more accurate description of the way the world works. All organizations know the chance of an unprotected computer being compromised is 100%, and none just resign themselves to suffering the full magnitude of the damage.
Since every organization takes precautions, and since they do so to varying degrees – and have varying degrees of sensitive or damaging equipment and data – they don’t share the same levels of risk. The likelihood model simply doesn’t match reality.
The vulnerability approach does reflect the real world, and it also works better when it comes to sustainability-related risks. The chance that global temperatures go up by, say, 1˚C, is 100%. That could have all sorts of ramifications, and vulnerability must be reduced accordingly. Facilities, supply chain, water availability, working conditions, and more: all must be adjusted for climate resilience. Using the likelihood model means not accounting for this (or mistaking it for part of magnitude), making it a bad fit for today’s world.
Once threat, vulnerability, and magnitude have been separated, you’re immediately better off. And you can take this a step further through actions that reduce not only vulnerability, but also magnitude.
In the computer example that means lowering the losses if you do get infected and reducing the time and expense of recovery. Backing up regularly, keeping sensitive information encrypted, etc., would reduce the damage if malware did get through your defenses.
In the climate risk example, it might mean better building designs for cooler spaces, or faster-cooling infrastructure to keep heat-related disruptions short. It could also mean extra inventory to keep downstream operations running in case of a shutdown, or a new process to shift production between facilities in case of climate-related slowdowns in one area. All these reduce the magnitude of risk and they complement your efforts to reduce vulnerability.
Another problem with current models of risk is that, within vulnerability (and for the Likelihood x Magnitude model, within magnitude), they often miss key elements.
First, as we’ve seen far too much recently, there’s an enormous difference between knowing what to do, having the capacity to do it, and actually doing it. When you don’t separate these, you miss areas of vulnerability. Second, as discussed above – and as will be the topic of an upcoming article – submerged risk, by its very nature, is almost always overlooked.
In order to build a true model of risk for any project or initiative, the meaningful potential threats and vulnerabilities must be identified. The magnitude must be calculated along with costs of mitigation. Done manually, this process can be complex and taxing.
When something is both necessary and difficult, making it less difficult is powerful. This is why we developed our Risk Tool, which encompasses the model described above: identifying threats, searching for vulnerabilities, calculating loss magnitudes, and diving beneath the surface to find and account for submerged risks.
Once connected to your internal systems, the tool can do in a few hours what used to take days, and gives us a thorough, comprehensive, and concise view of risk. And, as you can see, it makes risks visible, sortable (by geography, threat type, time horizon, and business unit) and, most importantly, more actionable. (If you’d like to know more, drop us a line).
We will deal with submerged risk in… well, in depth, in an upcoming article. For now we’ll simply say, using an incomplete model for assessing risk carries big risks of its own.