3 Steps to Enhance Your Risk Assessment Process

Most security leaders we speak with are trying to bring more governance to their corporate security programs.  Part of that process is defining SOP’s for commonly performed tasks to build more consistency and reliability in their execution.  One of the most commonly performed tasks across industries is the risk assessment.  

In working with companies across industries we’ve collected three best practices that enhance the value of any assessment, scale support for different use cases, and bring more consistency and credibility to the security program.

Take time to define your security requirements

1. What is the nature of the assessment? City severity rankings, a traveling executive, site assessments, or safe routing all have very different goals
2. What risks or consequences am I most concerned with? The intent being to protect a physical asset vs keep people safe vs. make them feel safer will impact the deliverable.
3. What decisions will this threat assessment inform? Go/no-go, investment in fortification or deterrent measures, informational briefing.  Each one of these requires analyzing data through a unique lens.

Tailor the scope of your risk assessment

1. What are the norms within your company? Are there any relevant policies in place (legal duty of care)? What’s the risk tolerance of leadership for this type of use case?  Are there any reputation risks to consider?
2. Who are the consumers of the report? Internal to security vs ELT vs. broader employee base should look and feel very different.  This will help establish relevance and gain buy-in for decisions or recommendations
3. What resources do I have at my disposal? Whether it's google, an in-house platform, or a SaaS product, defining which tools should be used for what type of assessment helps streamline information gathering and maintains accountability.

Make data-driven security recommendations

1. Use visualizations where possible. Charts, graphs, maps, all help paint a picture and make intel easier to consume
2. Let the data highlight the decision. Security is often tasked with finding ways to say “yes” in the safest manner possible.  Let your data-backed intel tell the story so stakeholders understand the why.
3. Add context to create actionable recommendations. Blanket recommendations have a tendency to get overlooked.  Context helps with relevance and credibility and gives stakeholders a tactical next step on behalf of the business, to keep themselves, or keep others safe.

Consider these best practices in the next review of your corporate security governance.