Foundations & Fundamentals: Asset Identification and Characterization - Part I

“Wise men say, and not without reason, that whoever wished to foresee the future might consult the past.”
- Machiavelli

“Learn from yesterday, live for today, hope for tomorrow. The important thing is not to stop questioning.”
- Albert Einstein

So where do we start? To this point we have discussed Initiation, The Value of Risk Assessment and Critical Thinking. Prior to beginning any type of assessment, it is essential that each entity within an organization aligns itself with the organization’s strategic mission, vision, and objectives. Common Language is the key element. There are a number of practical implications that support improved and consistent risk language and communication, such as delivering the accurate level of treatment and guaranteeing that the right treatment and countermeasure is delivered to meet an organization’s specific needs. Consistent scales and classifications in risk assessments will assist with establishing agreement on questions such as which treatment(s) and/or countermeasure(s) to use, how much of each treatment and/or countermeasure an organization needs, and the duration of each treatment and/or countermeasure.

The primary purpose of a common risk language is to give management the ability to gauge the thoroughness of its efforts in identifying events and scenarios that merit consideration in a risk assessment. Management has the option of either beginning a risk assessment with a blank sheet of paper, with all of the start-up effort that choice entails, or using a common language that enables people with diverse backgrounds and experience to communicate more effectively with each other and identify relevant issues more quickly.

RISK = KNOWLEDGE

LACK OF KNOWLEDGE = UNCERTAINTY

RELIABILITY OF INFORMATION PRESENTED IS ESSENTIAL

This needs to be the first step in the risk analysis and assessment process. A level playing field must be established. This points directly to nomenclature, teamwork, and the setting of expectations. One has only to point to the US Department of Homeland Security when it was establishing its program for reviewing critical infrastructures – educational institutions being one area. Its initial step in identifying risks was to create a framework and guideline in order to have a clear and relevant comprehension of terms: “to support integrated risk management for the Department, the DHS Risk Lexicon:

  • Promulgates a common language to ease and improve communications for the Department and its partners;

  • Facilitates the clear exchange of structured and unstructured data, essential to interoperability amongst risk practitioners; and

  • Garners credibility and grows relationships by providing consistency and clear understanding with regard to the usage of terms by the risk community across the Department.”[1]

Terms are important as they can literally define how one is to proceed with the task at hand. This is why it is necessary to ensure, especially within an educational environment, that the definition of risk is well established early in the process. Bear in mind that elementary schools, secondary and high schools, and institutions of higher learning each define risk to completely varying degrees and attach different meanings to it in their particular environments. That must be taken into account before any type of process begins.

Risk and Risk Assessment should be defined and based on the “process of managing uncertainty of exposures that affect an organization’s assets and financial statements using the five steps of: identification, analysis, control, financing and administration,” as stated by Stacey Corluccio, an Academic Director of Risk Management Programs at The National Alliance for Insurance Education & Research. Security practitioners should further their scope by including best practices as well as established standards and guidelines such as those put forth by ISO 31000:2018 Risk Management – Principles and Guidelines and the ANSI/ASIS International/RIMS Risk Assessment Standard.[2] Both documents serve as excellent guides to defining risk, establishing a risk assessment process, and forming a risk analysis and assessment program that meets the set objectives of the organization.


[1] US Department of Homeland Security website, http://www.dhs.gov/dhs-risk-lexicon.

[2] ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies. The American National Standards Institute (ANSI) is a private non-profit organization that oversees the development of voluntary consensus standards for products, services, processes, systems, and personnel in the United States. The Risk and Insurance Management Society, Inc. (RIMS) is a professional association dedicated to advancing the practice of risk management.

J. Kelly Stewart