Using The Indications and Warning (I&W) Analysis to Manage Organizational Risk

Copy of RESOURCE DETAIL MAIN - [asset-type]_[name] (1)

The Center for Protective Intelligence partnered with Scott McHugh who works for the Institute for Homeland Security at Sam Houston State University to develop this piece. 

One of the key reasons we created the Ontic Center for Protective Intelligence (CPI) was to share industry tools, best practices and lessons learned to help those who protect be more successful. 

Since we created the CPI, we’ve talked to numerous organizations working to expand their focus beyond just tactical and operational security risks, creating a more mature risk analysis program that includes strategic risks. One of the most interesting and useful strategic analysis tools we’ve seen is the use of the Indications and Warning (I&W) Analysis methodology applied to managing organizational risks. 

The I&W technique is not new – it has been used by the U.S. intelligence and defense community for years as a means to quantify risks and understand threats posed by emerging geopolitical situations around the world. An I&W framework is not meant to predict whether a specific event is going to occur – instead, it’s meant to warn decision-makers that the probability of a risk event is increasing or decreasing, creating a quantifiable and proactive way to determine when an organization should change its risk posture to avoid surprises and prevent loss.

In the private sector, Scott McHugh is a corporate security leader who has pioneered the use of indications and warnings analysis for organizational risk analysis. While leading corporate security teams for large multinational companies in the retail and petrochemical industries, Scott implemented I&W frameworks to help decision-makers understand and contextualize geopolitical and supply chain risks that could disrupt business continuity. His I&W deliverable  gave corporate decision-makers a quantifiable early warning about potential risks that could interfere with achieving corporate goals. He’s now at the Institute for Homeland Security at Sam Houston State University training security professionals responsible for protecting critical infrastructure about how to implement the I&W methodology as part of their security management program.

The methodology itself is an advanced analytical technique. Even though I&W frameworks are created to be easy to understand and to transparently depict the reasons underlying their conclusions, the methodology can be complex to implement.

Analysts first identify their most pressing intelligence questions (requirements) and identifies the component parts (indicators) within the intelligence questions. The analyst then determines the best way to collect and evaluate information related to the indicator and determines whether the indicator is an “active” or “dormant” component of the intelligence question.  

After the analyst has created a robust indicator framework the inputs can be displayed to decision-makers via a risk dashboard in a transparent and quantifiable way, which helps decision-makers understand when indicators are activating (or deactivating) and thereby provides a warning to consider implementing measures to mitigate the risk. 

Key Benefits to the Indications and Warnings Methodology

Contextualize Analytical Information 

Many decision-makers struggle to integrate and accept analytical findings if they don’t have a concrete understanding of the underlying data and the rationale that underlies the conclusions. An I&W analysis methodology helps analysts and decision-makers clarify the specific factors impacting a situation, the scope and scale of the risk triggers that are causing changes and the ultimate impact of how those triggers might impact the risk environment. An I&W framework creates a clear account of the context of the risk factors and the steps analysts take to reach their findings, giving decision-makers more confidence in the process and its conclusions. 

Quantify the Probability of Risk Events 

The subjective nature of many strategic and geopolitical risks makes it very difficult for many organizations to quantify the impact of these problems, especially when dealing with the incomplete and ambiguous information that is typically encountered. An I&W methodology allows the analyst to break a problem into its component parts and create the means to measure how potential changes may impact the situation over time, potentially also identifying the financial impacts of the change on the organization. The act of specifically identifying and measuring the potential impact of various trigger points helps a decision-maker see the potential significance of each shift before an escalation becomes a critical problem, avoiding surprises and enabling changes to be made as early as possible. 

Decrease Analytical Bias

Overcoming human bias within analytical products is a traditional problem within intelligence analysis, due to the biases of both the creator and the reader. I&W frameworks can help to mitigate this problem by breaking down a requirement into its component parts and explaining 

the specific reasoning behind each element. Analytical biases can be checked by carefully evaluating each of the criteria, then determining and using the most objective data and measurements available to monitor the risks. Similarly, understanding the component parts of each problem helps an analyst to understand their analytical gaps, working to fill them or to incorporate an appropriate level of uncertainty into the analysis. 

Establishing an I&W framework in your organization requires substantial effort, but the payoff can be transformational in terms of understanding and responding to the evolving risk landscape and doing so in a manner that decision-makers understand.  

For organizations seeking to create a more mature analytical framework to proactively support decision makers, the I&W methodology can be a critical part of the risk management toolbox to promote analytical transparency and confidence while generating quantifiable conclusions that reliably identifies emerging risk which in turn drives security risk management decision-making.  

Looking for more ways to manage organizational risk? Check out our solution for anticipating and reducing corporate liability.