Only Measuring Deficiencies? Then You Aren’t Truly Measuring Risk

By Daniel Young | November 16, 2023 | 2 min read
Compliance and deficiency

When you bring a consultant in to conduct a risk assessment at your site you expect that they’re going to present you with a list of problems that will need to be corrected in order to improve your security posture. What you don’t expect is that they will also document the things you’re doing well — well-lit parking areas, for example, or well-marked doors.

A good consultant, though, will include your security strengths in their risk analysis. This isn’t to make you feel better about your security or your site. It’s because your strengths are as much a part of your risk profile as your weaknesses are. If you are only documenting your deficiencies, you are not actually measuring risk.

To get the whole picture of your site’s inherent risk, you must also be aware of your strengths.

What is inherent risk?

Inherent risk is all risk that’s intrinsic to the site itself. For example, if your site is right next to a busy street, or if it’s located in a tornado-prone area, the risks of a car ramming the building or a tornado are built right into the site’s overall risk.

Inherent risk includes several factors, such as location, your mission, time of year or day, historic considerations, and other issues that can’t be separated from your facilities or organization.

Inherent risk goes beyond vulnerabilities, however. It also includes the strengths of a site. If your location is on a hill and can’t be flooded, that also contributes to your inherent risk, for example. You can’t get an accurate risk score unless you document both compliance and deficiencies.

The benefits of documenting compliance

When you measure risk across your organization — especially when you use a tool like Circadian Risk’s platform, which allows you to document risk in a consistent way — you’re able to compare your sites.

However, if you’re only comparing the deficiencies at every site, you’re doing your organization a disservice. For one thing, it’s helpful to see the positives at each site because if one site is doing something right, others may be able to learn from it.

For another, being able to see the compliances at each site helps give you a better idea of which site actually needs the most remediation.

I often tell the story of a multinational company that I worked for. While the Europe site was security-conscious and consistently in touch with the security division, the South America office had several security issues, but did not ask for help from the corporate office. As a result the Europe office got the attention and resources that the South America office needed. If the company had been able to see at a glance which office was doing things well, the South America office would have been given more resources.

How can you start measuring inherent risk correctly?

When you rely on consultants for subjective risk analyses, you often lose out on valuable data. Many consultants either rely on subjective criteria (like their own experience) or measure the wrong things, giving more weight to deficiencies than to compliances.

To truly measure inherent risk, you need a tool that can help evaluate risk in a uniform way. Circadian Risk’s digital platform enables your team to document both what you’re doing right and what you are doing wrong across your entire organization. This lets you see your enterprise’s risk at a glance, track remediations, and better understand how to use your resources.

Do you need to better understand your inherent risk? Schedule your personalized demo today.

Are you ready to improve your organization’s risk management?

See Circadian Risk In Action Now
Schedule FREE Demo