What’s a Threat? That Depends on What Your Job Is
Extreme weather can stop trucks on the road and prevent key personnel from getting into the office, disruptions that can cost millions. Failure to comply with regulations can damage a company’s reputation and drive up operational costs.
These situations present real risks to the business.
Too often, executives in charge of managing one type of threat don’t grasp the wide range of threats faced by their colleagues in other lines of the business. I’m not just referring to specific instances of these threats, but to how different departments define threats themselves. Since threats have the potential to impact an organization’s personnel, operations, assets, image and reputation, the spectrum is wide and can change without warning.
When executives don’t have a common understanding of how to define threats to their organization, there’s a good chance that they aren’t sharing information that could help to avoid or mitigate these situations.
How Executives Define Threats
Twice a year, the Ontic Center for Protective Intelligence surveys executives whose job it is to keep companies and their employees safe about the risks their companies face, how often they face these threats, what they perceive as the biggest threats to their organization, and a host of related questions.
These surveys reveal enterprises frequently miss threats that could have significant consequences – often because of a failure to organize and share threat information.
For the Mid-Year Outlook 2022 State of Protective Intelligence Report, one of our focus areas is how executives in different lines of business describe and define threats. We found some interesting differences.
We asked, for example, whether respondents defined “hostile written, verbal or physical actions with the potential to compromise individuals’ mental or physical well-being at the workplace or while on duty” as threats to the company.
More than two-thirds of physical security and human resources executives considered these threats. But those figures dropped off in other departments: 55% of legal and compliance and 45% of cybersecurity and IT executives defined these actions as threats.
When it came to “negative actions or events that compromise the security of your company’s IT and network systems,” not surprisingly, cybersecurity executives were most likely to define these as threats to the company, at 70%, while close to half that level of physical security executives (36%) saw them as such.
Human resources teams, overall, were most likely to see regulatory compliance and extreme weather as threats to the company, while legal and compliance teams were a close second.
The point here is not the percentages themselves, but what it means when the teams that are responsible for reducing risk aren’t on the same page. If the team cannot agree on what constitutes a threat, imagine how many opportunities may be missed to counter emerging situations before they pose a serious threat to the company.
During my time as a counterterrorism investigator, after nearly every major incident, I realized that there was a series of missed clues that – if they had been noticed – could have been used to prevent violence. Failure to properly notice these threats represented a failure of intelligence gathering, tactical analysis, and threat assessment.
This brings us to another data point in the survey regarding which departments respondents believed had responsibility for threat assessment, and which department they thought should have responsibility for threat assessment. Each of the four departments surveyed – physical security, cybersecurity and IT, human resources, and legal and compliance – was more likely to identify its own department as one that had responsibility for threat assessment. But in most cases, fewer respondents said their department should have responsibility. (Human resources executives were more likely than the other three to say that their department should have oversight.)
The survey results show a real opportunity for enterprise-level collaboration and information sharing among various stakeholders that could help to avoid threats and mitigate risks before they impact the bottom line.
For example, more than a third of survey respondents – 38% – said an employee was threatened or harmed while working at company facilities and that they also believe the incident could have been prevented if departments worked together.
No organization should have to wait for someone to get hurt to learn this lesson and act. Executives need to foster collaboration and communication across the organization – so that everyone is on the same page about what counts as a threat to the organization, and who is responsible for addressing and mitigating the associated risks.