Your Quick Guide To Managing Ethics & Compliance

Threatening Behaviour

When I was a terrorism analyst, risk assessments were simple (methodologically, at least). We’d start by considering “threat actors” in a given location (or sector) and then examine their intentions. Different groups had different agendas and targets for their rage. Some were intent on the horrors we’re all now well accustomed to, while others were more like organised criminal groups (money-focused).

I’m simplifying for brevity’s sake. But with this analysis of who they might want to hurt, the sea of would-be ‘baddies’ became manageably smaller. It’s like establishing what in the ocean might be harmful without considering the location and context (are you a seal in South Africa or a rig diver in contested waters near the Philippines?).

With the ocean of evildoers segmented, we could move to examine that other component of threat: capability. A terrorist group might want to overthrow the government but settle for shopping centre massacres. In other words, we didn’t take them at their word. We’d examine the rhetoric but focus on the modus operandi and track record, and gather intelligence (e.g., uncovering that freelance former IRA members worked with FARC, dramatically increasing the latter’s potency in the 2000s).

Next, we’d map the vulnerability of potential targets, a function of security, predictability, and resilience. For instance, after 9/11, airports and aircraft went very heavy on security measures. These steps – threat then vulnerability analysis – gave us a more accurate view of risk. With a higher degree of accuracy than I’ve seen in much risk assessment work since, one could guide a hotel resort in Egypt through an incident or secure a hydropower project in Peru.

I migrated these methodologies into the financial/economic crime (and human rights) domains. But there was resistance (from some). Viewing stakeholders (public officials, third parties, employees, regulators, etc.) as potential threats can be uncomfortable. But it’s indispensable. How else can you calibrate appropriate controls if you don’t understand the threat?

In Indonesia, acquiring certain visas and work permits can be perilous. For one commonly needed visa, there are ~13 steps involving 11 interactions with government officials. If you try to process this visa in some more decentralised areas (where much of the resources, energy, and manufacturing are found), the threat level is high. The intention is to extort (generally), and the capacity is high (weak regulatory oversight and police complicity). Processing that visa through Jakarta is a low-medium threat (much closer to scrutiny and transparency-minded allies, like the KPK, the anti-corruption commission).

Once we correctly map the threat, it becomes easier to rightsize the controls (reduce vulnerability). Trying to manage the S and G elements of ESG without calibrating threats leaves us vulnerable, like the seal vs rig diver.

Get in touch if you’d like a simple template to create such a risk assessment tool.
