6 Components of Risk Intelligence & How to Boost Your Company’s “RQ”
Learn how to increase your company’s risk intelligence so you can anticipate, plan for, and respond to a wide array of business threats.
You need to be ready for countless threats to your business processes and people. Potential risks include security risks, financial risks, environmental, cyber, and more. But there are ways you can prepare, mitigate, and patch up vulnerabilities so you are less likely to suffer major damages when risks become realities. It’s all about your intelligence.
We aren’t talking about test-taking or word puzzles. What’s in play is a different kind of intelligence: risk intelligence. Having high risk intelligence is key to navigating the modern risk landscape and protecting your business from harm. It is also a major competitive advantage that will enable your business to keep going when your competitors need to stop and re-assess.
In this article, you’ll learn about the six components of risk intelligence and how they work together to boost your overall risk management. We’ll break down how to measure and improve so you can keep your people safe and your business running smoothly through any disruption.
What Is Risk Intelligence?
Risk intelligence is your organization’s comprehensive ability to anticipate, plan for, and respond to a wide array of risks. It’s not a measure of your preparedness for any single threat but rather your organization’s overall ability.
Specifically, there are six components that constitute risk intelligence:
- Risk awareness — Recognizing the wide array of risk types
- Risk understanding — Displaying a detailed knowledge of a given threat
- Risk evaluation — Identifying the severity of a given threat
- Risk projection — Forecasting how a given threat will likely develop
- Risk assessment — Calculating the people and assets impacted by a given threat
- Risk response — Knowing how to effectively respond to a given threat
Risk intelligence can be measured by calculating your RQ (risk quotient), which gives a simplified and trackable number value to your business’ level of preparedness. If you have good risk intelligence (i.e., your business has a high RQ), you have a firm grasp on relevant risk data and are prepared for all possible threats to your business—be it a hurricane, winter storm, cybersecurity attack, or active shooter event. Whereas if you have a low RQ, you’re likely missing some key factors that would impact your decision-making, putting both your bottom line and employees’ health and safety at risk.
Calculating your RQ is as simple as ranking your business from 1–10. Here’s what you need to do:
- Go through all six components of risk intelligence (explained below)
- Rank your business on a scale of 1–10 for each (we’ve suggested ways to determine your rank)
- Add up the scores, and divide your total by 60 to calculate your RQ
Use the final RQ as a general measure of your risk intelligence—and your individual scores to determine where you have room for improvement.
Next, we will walk through each of the six components of risk intelligence in more detail to support your assessment. We’ll also give suggestions for improving in each area as you work to increase your RQ.
The 6 Components of Risk Intelligence
Risk awareness is the ability to recognize the wide range of threats that could impact your business. This is a measure of the breadth of your preparation, not the depth. In practice, has your organization considered all the different types of risks that are out there?
Signs of LOW risk awareness
Organizations with low risk awareness are often too focused on one or two specific types of risks. This is typically a function of location. For example, companies in California are very prepared for wildfires but may not have considered other potential threats, like active shooters or tornadoes. Companies in the northeast, like New York, are often very aware of the threat of winter storms—but perhaps not fires, which happen to spike during the winter. Small companies are especially likely to have low-risk awareness.
Signs of HIGH risk awareness
Organizations with high risk awareness consider all the types of risks that can impact employee safety and business continuity. Many of these companies have implemented an all-hazards approach to form the basis of their risk preparedness. Obviously, it’s impossible to create detailed contingency plans for every potential threat, but by identifying every major threat type and creating flexible plans backed by actionable intelligence, you boost your risk intelligence and position your company to make better decisions when responding to unexpected events.
Start by performing a business threat assessment rather than relying on guesswork. This will immediately improve your risk awareness and indicate which threats you need to focus on.
You should also implement a threat monitoring system that can track different threat types. Even once you have identified all the different threat types that can impact your organization, you need a way to monitor those threats for when they emerge. Doing so manually—by watching the news and tracking weather reports—is not an option when you have more than one or two employees. Manual monitoring is especially unreasonable when you have remote workers and frequent business travel. A threat monitoring system will track threats for you worldwide—automatically and reliably—and notify you of potential emergencies.
Risk understanding is the ability to display a detailed comprehension of a given threat. This is the component of risk intelligence that is the most grounded in experience. Stakeholders and managers with years of experience working in business continuity often display very high levels of risk understanding. They have a working knowledge of risk data and mitigation strategies.
Signs of LOW risk understanding
Organizations with low risk understanding are often simply underprepared. For the most common risks (like inclement weather, workplace fires, and hurricanes), it takes time and preparation to understand the unique nature of each threat. Companies that do only the bare minimum to prepare for these threats (e.g., install fire alarms or watch the news for hurricane warnings) will have low scores for risk understanding.
Signs of HIGH risk understanding
Organizations with high risk understanding have specific plans and infrastructure in place for every major risk type. This doesn’t just go for those who work in the business continuity and disaster recovery (BC/DR) department—it goes for the whole company. These organizations know the value of practicing their response through tabletop exercises and regular fire drills to keep every employee prepared and informed.
Put in the time to understand the nuances of the major threat types. These downloadable resources from AlertMedia are a good place to get started:
Understanding the nature of your most common risks will go a long way toward improving your risk understanding (and consequently, your risk intelligence). But for more obscure threats, it’s good to have a system and resources in place for learning threat details quickly once the threat emerges.
Compile a list of places to go for details about large-scale threats, like the CDC website for pandemic updates or CISA for cyber risks. But you should also invest in a threat monitoring system that provides comprehensive threat details and even gives you access to reliable risk professionals who can talk to you directly about active threats.
AlertMedia’s threat monitoring system, for example, pulls in threat details from trusted sources and analysts to provide you with a several-paragraph summary of the key details you need to know for every threat that emerges. Oftentimes, risk intelligence means relying on experts and their analysis rather than your own.
Risk evaluation is the ability to analyze the severity of a given threat once it emerges. At a certain level, this can be intuitive. An active shooter situation is obviously a high-severity threat. A thunderstorm is usually low severity. But sharp risk evaluation plays the biggest role when assessing situations where threat severity isn’t so simple.
Signs of LOW risk evaluation
Organizations with low risk evaluation capabilities struggle to consider how seemingly far-off threats may impact their operations. For example, imagine a hurricane started brewing off the east coast. Companies directly in the path of the storm would rightly start evaluating the severity of the threat. But companies located in, say, Kansas might assume the threat has no relevance to them.
Often, this could not be further from the truth. Is the company going to have any business travelers to the east coast in the next month? Or, for that matter, leisure travelers? Any trips that are scheduled need to be reconsidered. What about the company’s larger supply chain? If any suppliers are located in the path of the storm, or if their logistics pass through a port on the coast, they need to prepare for disruptions. The storm could also impact demand for the company’s products or services. Even though the storm might be 1,000+ miles away from headquarters in Kansas, it could end up being a high-severity threat.
Signs of HIGH risk evaluation
Organizations with high risk evaluation capabilities are always thinking “two steps ahead” as to how various risks might affect their people and operations. Taking the hurricane example, a company with exemplary risk evaluation would immediately recognize the severity of the risk. The company would reevaluate any business trips to the east coast and warn all employees of the dangers of leisure travel to at-risk areas as well. They would immediately open a dialogue with suppliers that could be impacted so they’ll know what to expect and prepare for. Identifying these connections early would allow the company to mitigate the impacts of the risk before anything materialized.
Improving risk evaluation is easier said than done. Navigate this process one step at a time to improve your organization’s risk evaluation if it’s an area where you struggle.
Start by asking these questions:
- Could this threat jeopardize the physical safety of our employees?
- > At headquarters
- > At other office locations
- > Traveling for business
- > Traveling for leisure
- Will this threat impact our suppliers?
- Will this threat impact the demand for our product/service?
- What is the worst-case scenario for this threat?
Having a good threat assessment and access to threat monitoring systems is the best way to quickly improve risk evaluation—because these resources do the hard work for you. By relying on expert sources and trusted analysts, the system assigns a “risk severity” to every identified threat. This means you don’t have to do the difficult work of researching each threat and manually determining severity; instead, you can take the severity as determined by the analysts and simply assess how that translates to your organization.
Risk projection is the ability to forecast how a given threat is going to develop. This can look very different depending on the situation. If the threat is weather-related (e.g., hurricanes, winter storms, tornadoes), there are clear sources to turn to: weather forecasters. Risk projection of weather events is their entire job! But for other types of risks, it can be much more difficult to find accessible risk professionals.
Signs of LOW risk projection
Organizations with low risk projection capabilities often display either an unrealistically optimistic outlook for how a threat is going to develop or a misunderstanding of the underlying causes. If an office is forced to close due to winter weather, these companies may be tempted to set unrealistic expectations for when the office will be able to reopen. If a forecast changes, they may be inflexible or in denial of what the experts conclude.
Signs of HIGH risk projection
Organizations with high risk projection capabilities know when to rely on outside expertise. When it comes to weather-related threats, the best course of action is always to stay up-to-date on the latest forecasts and plan accordingly. Effective risk projection also means not being overly optimistic. If the forecast gives a 30% chance of landfall for an approaching hurricane, that means you have a 100% obligation to prepare for the worst-case scenario. Organizations scoring high in risk projection apply similar best practices, including expert insights, to other types of threats.
For common threats, rely on trusted sources. Here are a few sources you should have bookmarked for frequent threat types:
- Severe Weather: National Weather Service
- Health Concerns: Center for Disease Control (CDC)
- Workplace Hazards: Occupational Safety and Health Administration (OSHA)
It’s also important to make sure you know how to correctly interpret the analysis from these sources. For example, do you know what it means that there is a 40% chance of rain in your city? It turns out, most Americans don’t.
For more obscure threats, it will not always be clear how a threat will develop—or what outside expertise to turn to. Consider integrating real experts into your risk management as often as possible. An external intelligence team that analyzes and reports on all manner of threats may be your best option.
Risk assessment is the ability to determine the company-specific impact of a given threat. In risk intelligence, this is the practice of going from the general to the specific. A threat has emerged—now, how exactly does it impact us?
This may sound similar to risk evaluation, but it is distinct. Risk evaluation asks, broadly, about the severity of a threat. Risk assessment requires you to quantify the specific impact of that threat to your company—no matter the severity. Typically, this amounts to determining which people and assets are at risk.
Signs of LOW risk assessment
Companies with low risk assessment capabilities typically err in one of two ways.
Some companies assume too narrow of an impact. For example, if a winter storm is coming through the city of their headquarters, they may tell all the employees who work in that office to stay off the roads and not come into the office. But they may forget about how the blizzard could impact their business travelers who are coming in or flying out that day. Or they might fail to consider the impact on assets—like equipment—that need to be protected from the cold.
Other companies assume too broad of an impact. This is certainly better than the former, but it is still problematic. When a threat emerges, these companies will default to always contacting everyone—no matter which office or department they’re based in. This may seem like “playing it safe,” but the reality is that this poor internal communication practice will cause notification fatigue over time. If your employees are constantly getting alerts for risks that don’t impact them, they will become desensitized to the warnings.
Signs of HIGH risk assessment
Companies with high risk assessment capabilities have processes in place to determine the precise impact of every threat. This allows them to zero in on the specific people and assets they need to focus on. These companies avoid notification fatigue but also don’t let at-risk employees slip through the cracks.
Improving risk assessment is best accomplished by automating the process—especially if you have business travelers. By loading all your people and assets into a threat monitoring system, it’s a solution that automatically quantifies the impact of every threat.
When a threat emerges, the system will cross-reference the radius of the threat with the real-time locations of your employees—to determine who is at risk. The system will then automatically alert you that a threat has emerged and that X, Y, and Z people are potentially impacted. This automatic system for quantifying impact will boost your risk intelligence immediately.
Risk response is the ability to effectively react to a given threat. This obviously starts before a threat emerges—with planning, drills, and other preparation. But it also involves equipping your organization with the tools to respond effectively.
Signs of LOW risk response
Companies with low risk response scores typically rely on outdated communication methods in an emergency—like a phone tree. Their emergency response plan may be more of a formality than a thoughtful tactical approach. These companies might not expect to ever put response plans into action.
Unfortunately, if a threat does emerge, these companies are inevitably caught flat-footed. Phone trees are clunky and inefficient—close to worthless in a time-sensitive emergency. Employees aren’t accustomed to running drills so the “response” becomes largely improvisational and inefficient. Communication comes slowly and is confusing when it does come.
Signs of HIGH risk response
Companies that have high risk response scores are the exact opposite. They rely on the latest technology—emergency communication systems with threat monitoring capabilities. They have pre-built message templates that allow them to quickly send effective messaging, and they communicate over multiple channels to ensure that at-risk employees get the alert as quickly as possible.
Ultimately, these companies understand that the first five components of risk intelligence aren’t worth much of anything if you can’t respond effectively.
Improving risk response requires time to prepare and adopt the modern technology necessary to communicate effectively. Building emergency notification templates is a good start. You should also make sure that you run periodic fire drills and tabletop exercises to hone the finer points of your response plan.
You also need a mass communication system with multi-channel communication capabilities. Dated solutions like phone trees simply aren’t appropriate for emergencies—especially given the advances that have been made in emergency technology. Risk intelligence necessitates robust technology to support your robust preparation.
Putting It All Together
The six components of risk intelligence are each crucial. Even if you are strong in four or five of the areas—your overall risk intelligence will suffer if the weak areas are left unaddressed. As the saying goes, a chain is only as strong as its weakest link.
Identify where your organization is weak, and focus there. We have given actionable steps you can take to improve in each area. These are the most efficient ways to boost your organization’s RQ for each component of risk intelligence.
Boosting your company’s RQ won’t happen overnight, but it can be changed. With time, preparation, and the proper technology, you can level up your organization’s risk intelligence to better protect your team and operations.