Part 4: Best Practices for Threat Management
When it comes to threat management:
- Recognizing that a threat exists—that there is the potential for harm—is a sound beginning.
- Assessing the potential threat(s), to identify likely consequences and their impacts on your organization, is an essential next step.
- Proactively managing the threat(s) in order to mitigate associated consequences can change or arrest the trajectory or course of events from a harmful outcome to effective mitigation—which is precisely what we will discuss in this article.
Best Practice is to Manage a Threat Before it Becomes a Hazard
Threat management is accomplished through interventions intended to reduce the risk posed by identified threats and hazards. It’s important to always keep in mind that preventing an incident from occurring in the first place is far more preferable to needing to respond to and recover from an incident or event.
For example, to address the threat associated with a hurricane predicted to make landfall at your location in the next 72-96 hours, you could take active steps to minimize risk by evacuating personnel, boarding up windows at your facilities, and relocating potentially vulnerable equipment. Another option would be to choose to wait and reassess the threat over the next 24 hours before making the decision to act.
Both approaches are valid, and both may effectively mitigate risk associated with the coming hurricane. There is risk associated with each action, and you should consider that risk when you are creating your plans or applying them. The key point to recognize is that the decision on how to respond to the elevated threat represented by the hurricane should be made before the threat becomes an active hazard.
By the time your organization is responding to an incident, most of the opportunities to make good decisions are already past, and you’re left doing the best you can with whatever information and resources are available. Effective threat management focuses on maximizing the ability to make those good decisions before adrenalin and circumstances make that more difficult.
Characteristics of Threat Management Strategies
Threat management is the implementation of carefully planned passive and/or active interventions focused on a specific threat or hazard.
With the goals of prevention and protection, a threat management program should develop and recommend intervention strategies to prevent incidents or events, and mitigate their effects if the prevention effort is not successful. These strategies should incorporate actions directly involving the threat itself, any elements of an organization that may be vulnerable to the threat, and the overall organizational environment or setting in which the threat could manifest.
It is vital to remember that while it’s important to standardize your processes for threat identification straight through to the assessment and risk analysis phases of your program, your management strategy for each threat should be tailored and unique in each instance.
Be aware that, while offering a solid starting point, best practice or previously used threat management strategies may not provide the best answer for your organization. Threat management strategies are only limited by your imagination, the laws of physics, and the statutes, rules, and regulations that your organization operates under. Innovative thinking allows your organization to stay adaptable and provides opportunities to mitigate risk in ways not previously attempted.
Effective Threat Management Strategies:
- Are holistic in considering the threat, the vulnerabilities, and the organizational environment
- Sometimes involve multiple, concurrent intervention strategies
- Require accurate and effective communication (both internally and externally as appropriate)
- Can be short-term or long-term
- Are either active (i.e.: directly engaging with the threat), or passive (i.e.: monitoring the threat and gathering additional data)
- Require continual reassessment, adjustment and follow-through
- Take advantage of multi-disciplinary teams
- May not always work as planned
- Must be flexible
Threat Management Intervention Strategies
Take no action – only advisable if the threat assessment and risk analysis reveal that there is no imminent threat, and the associated risk is acceptable to the organization.
Watch and wait – used when there is a possibility for harm, not enough information to confirm the threat, and the associated risk is acceptable to the organization.
More detailed threat and risk assessment – used when additional expertise is needed to understand threat and risk. This may involve engaging subject matter experts outside of your organization.
Administrative actions – addressing the human element of vulnerability by establishing or updating policy and practice to deal with specific aspects of the threat or related consequence. For example, when specifically dealing with an insider threat, this might include HR actions such as restrictions, suspension, discipline, expulsion, or termination.
Physical actions – addressing identified vulnerabilities and hardening potential targets through architectural changes or the introduction of additional protective measures.
Consequence planning – recognizing that prevention and protection may not be 100% effective, and creating plans for your organization to respond to and recover from the incident or event. Planning should absolutely cover emergency interventions for those threats that are determined to be immediate or imminent.
Preparedness activities – training and exercising the people within and around your organization to maximize threat awareness, educate them regarding response and recovery plans, and validating that the plans are appropriate and that the people understand expectations, roles, and responsibilities within those plans.
Avoid These Common Pitfalls
Underestimating threat management duration: Threat management can be short-term or long-term, with some strategies requiring engagement ranging in duration from days to years. Threats that initially seem suited for short-term management may ultimately turn out to be long-lasting. They may appear to be resolved or mitigated, only to require reassessment as new facts and circumstances emerge.
Fatigue: After a while, individuals supporting a threat management program could end up feeling exhausted, or worse, desensitized. Consider rotating threat management responsibilities among personnel to promote fair workloads, and monitor schedules to allow for downtime or vacations. Also, new threats may emerge while existing threats are being addressed, so be sure to weigh the priorities and demands for each threat management activity.
Misguided expectations or assumptions: Threat management is much more nuanced and prevalent than the instances that become highly publicized and involve significant physical or economic consequences. Only a very few number of organizations will ever experience incidents of that kind, while a far greater number will face other forms of threat. Your organization’s leadership is ultimately responsible for the protection of the organization and its members to the fullest practical extent by taking measures to mitigate identified threats.
Harmful response and management strategies: An important consideration is avoiding a circumstance where threat management activities may actually enhance the threat instead of mitigating it. When implementing threat management strategies, your organization should consider how threat management interventions could affect other elements of the organization or brand.
Your Organization’s Resilience Depends Largely on its Threat Management Program
Organizations with effective threat management programs plan well, share information, and understand when urgency is needed. They act with care and provide clear guidance and oversight for those implementing solutions. They continually re-evaluate the threat environment, re-assess when necessary, and understand that patience and persistence may be needed throughout the process.
There’s a lot involved here, which is why taking the time to establish a robust, scalable and practical threat management program is so essential. Implementing the tactics and strategies outlined in this 5-part series will give you a solid start—and the Crisis Ready Institute team is always here to help guide and support your efforts when you hit some roadblocks or have further questions.