Part 1: Defining and Categorizing Threats for your Organization
When I learned that the Crisis Ready™ Community Monthly Mastermind session for July will discuss threat and risk assessment from a law enforcement perspective, I registered for the event immediately. Primarily because I am always interested in learning how other people approach threat assessment, but the fact that Deputy Chief of Police, Chris Hsiung, is an engaging and expert speaker who is a master of his craft may have played into that decision as well.
Threat and risk assessment is a crucial piece of becoming Crisis Ready™, but it is essential to remember that the assessment is only one step in a more extensive process of threat and risk management. To maximize the value of investments in threat and risk assessments, organizations should consider a proactive and prevention-focused Threat Management Program. This approach can help to define specific threats, detect and identify those threats within a particular environment or context, assess the risk that they pose, and manage that risk before the threat creates a hazard or manifests in an incident.
What you can expect from an effective Threat Management Program
Comprehensive and effective Threat Management Programs:
- Tailor their approach and risk appetite to the unique mission, culture, assets, and threat environment of an organization.
- Build a culture of shared accountability and prevention that reinforces a positive organizational focus on the health, safety, and well being of its people, as well as its overall operational effectiveness and resilience.
- Employ multi-disciplinary capabilities based on the characteristics of the organization and the operational ecosystem.
This is all accomplished through a structured process that clearly defines possible threats, establishes a methodology to detect and identify a threat within the organization’s ecosystem, assesses each threat and its associated risk, and then actively manages the threat.
Today I am going to talk about Defining a Threat. This is the first of five planned articles discussing threat management as a component of a Crisis Ready™ Program. In the coming weeks, I will also discuss Detecting and Identifying a Threat, Assessing a Threat, Managing a Threat, and then Developing and Maintaining a Threat Management Program. For today, let’s begin with diving into what a threat is and means for your organization.
What is a Threat?
The basic definition of the word threat, as presented in the DHS Lexicon is an “indication of potential harm to life, information, operations, the environment, and/or property.” The critical element of this definition is the word “potential.” A threat exists in the future. It is something disruptive that may happen.
Some common pitfalls to avoid when defining threats
Expecting future threats to look like past threats
Focusing solely on what has happened in the past when defining the threats that will be included in a Crisis Ready™ Program is a frequently occurring mistake that can result in significant blind spots in the related planning and preparedness activities. When you are defining your threat environment, it is imperative to think broadly about the realm of the possible – what could happen vs. what is likely to happen. Limiting the scope of your environment based on probability comes later in the process when you begin assessing the identified possible threats.
Solely associating threats with negative events
Another point to recognize in the definition of threat is the word “harm.” In large part, people consider a threat to be associated with adverse incidents or events (e.g., natural disasters, the collapse of infrastructure, or targeted violence) and the related destructive consequences. From a holistic point of view, there can be threats associated with positive occurrences as well. Think about things that people look forward to – landing the most significant contract that your business has ever targeted, the birth of a child, or a local Super Bowl or World Series victory, to name a few. All of those experiences can be disruptive as well – an immediate demand for services or products exceeds existing capacity, a senior executive takes a maternity or paternity leave without delegating their authorities, or celebrations for a sports team that turn into riots and do tens of thousands of dollars in damage to buildings and infrastructure. That potential for disruption can harm “life, information, operations, the environment, and/or property.” This is your threat associated with what would otherwise be thought of as a positive incident or event.
Interchanging the terms ‘threat’ and ‘hazard’
When a threat is actualized and interacts with your operations, it becomes a hazard. Sometimes the terms threat and hazard are used interchangeably, but they are not the same. A hazard is always associated with a threat, but a threat does not necessarily always become a hazard. Consider the example of a flock of birds at an airport. If the birds are close to an aircraft attempting to take off or land, then they are both a threat and a hazard. If there are no aircraft in the area, then the birds are a threat – representing the potential to cause harm, but they are not a hazard because their potential has not been realized.
Types of Threats
Threats can be natural, technological, or human-caused.
Natural threats are naturally occurring incidents or events caused either by rapid or slow-onset processes. Those processes can be geological (earthquake, landslide, tsunami, and volcanic activity), hydrological (avalanche and flood), climatological (extreme temperature, drought, and wildfire), meteorological (lightning, wind/tornado, hail, hurricane/cyclone, and storm/wave surge) or biological (disease epidemic/pandemic and insect/animal plague).
The continued expansion of the human/nature interface as the human population grows and technology allows people to live places that were too inhospitable or difficult to build means that our collective exposure to natural threats is increasing.
There is a growing school of thought that there are no natural threats. Nature is following its established pattern. The potential for harm is centered on humanity and our interactions with our environment. This approach holds that all threats are human-caused because of a collective failure to exist in harmony with nature.
Technological threats are related to technical problems or failures with infrastructure and its ability to provide planned and desired technical functionality (mechanical failure/structural collapse, software or application failure, and hazardous materials release). With modern society’s increasing dependence on technology to support daily life, these threats are becoming more prevalent. The dynamic and emergent nature of technology means that depending on history to predict future threats is particularly problematic.
Human-caused threats are incidents or events that are caused by humans and occur in or close to human populations. This can include environmental changes (pollution), business incidents or occurrences (loss or gain of business, changes to reputation, change in employment status), behavioral concerns (criminality, targeted or intimate partner violence, insider activities, and physical/emotional/mental health concerns), and accidents (complex emergencies/civil unrest, violence/warfare, famine, displaced populations, theft, industrial accidents, and transportation accidents). Yes, civil unrest, violence, and warfare are considered to be accidents. Scholars have suggested that behaviors leading towards any of those types of actions are, for the most part, not intentional. Therefore, they classify them as unintentional, or accidental occurrences.
While there are a variety of types of threats that we must be aware of and take into consideration when developing and utilizing a threat management strategy, the commonalities are essential to note:
- A threat is an indicator of the potential for harm – it is not based on past events or what is currently happening (that is a hazard).
- Consider threat in terms of what is possible. Probability comes later in the process.
- How a threat evolves into a hazard will depend on the nature of the threat (natural, technological, or human-caused) and the point of intersection between the threat and an organization’s mission and operational practices, and how prepared the organization is to deal with that actualization.
Your first step in structuring an effective Threat Management Program
Clearly characterizing and categorizing the range of threats faced by your organization is the first step in structuring an effective threat management program. A threat is an indication of the potential to do harm to life, function, information, the environment, or property. We live in a world where the potential for harm, resulting in crisis, is complex and dynamic. It is my hope that this article has helped explain what a threat actually is, and what it is not, and that you step away with a better understanding of the fundamental role that defining threats plays in creating your Crisis Ready™ Program.
Read the other parts of this 5-part series on developing your Threat Management Program:
Part 2: Designing the Ability to Properly Detect a Threat
Part 3: Properly Assessing a Threat and Analyzing its Risk
Part 4: Best Practices for Threat Management
Part 5: Building Your Threat Management Program