Risk Intelligence: How to Boost Your Company’s “RQ”
Read this article to learn how to boost your company’s risk intelligence so you can anticipate, plan for, and respond to a wide array of different risks.
Whether you know yours or not, everyone knows what IQ is. A high IQ score can be a source of bragging rights, or a qualification for membership in societies like Mensa. The lesser-known sibling of IQ is EQ, or “Emotional Quotient,” which is a measure of emotional intelligence.
What you might not have heard of before, though, is RQ—a measure of risk intelligence. Unlike IQ or EQ, RQ measures the “Risk Quotient” of organizations, not individuals. In this article, we will discuss what risk intelligence is and how you can boost your company’s RQ.
What Is Risk Intelligence?
Risk intelligence—although different than IQ and EQ in important ways—also shares substantial similarities. RQ is not a measure of any one aspect of risk preparedness. Just like how IQ doesn’t measure your competence at law or medicine, RQ doesn’t measure your, say, workplace fire preparedness.
Rather, risk intelligence refers to your organization’s comprehensive ability to anticipate, plan for, and respond to a wide array of different risks. An organization with a very high RQ will no doubt be well-prepared for a fire if it were to arise—but they would also be prepared for a hurricane, winter storm, or active shooter. Risk intelligence cannot be reduced to any one type of threat or aspect of business continuity.
Specifically, there are six components that go into risk intelligence:
- Risk awareness: Recognizing the wide array of risk types
- Risk understanding: Displaying a detailed knowledge of a given threat
- Risk evaluation: Identifying the severity of a given threat
- Risk projection: Forecasting how a given threat will likely develop
- Risk assessment: Calculating the people and assets impacted by a given threat
- Risk response: Knowing how to effectively respond to a given threat
These six components come together to calculate a given organization’s RQ, or risk intelligence. While some companies are better at certain aspects than others, you should try to identify where your organization is weakest. Focusing on those areas is the fastest way to boost your organization’s RQ.
Next, we will walk through each of the six components of risk intelligence in more detail.
The 6 Components of Risk Intelligence
#1) Risk awareness
Risk awareness is the ability to recognize the wide array of different threats that could impact your business. This is a measure of the breadth of your preparation, not the depth. Essentially: has your organization considered all the different types of risks that are out there?
Signs of LOW risk awareness
Organizations with low risk awareness are often too focused on one or two specific types of risks. This is typically a function of location. For example, companies in California are very prepared for wildfires but have not considered other potential threats (like active shooters or tornadoes). Companies in the northeast are often very aware of the threat of winter storms—but not fires (which actually spike during the winter). Small companies are especially likely to have low-risk awareness.
Signs of HIGH risk awareness
Organizations with high risk awareness consider all the types of risks that can impact employee safety and business continuity. Many of these companies have implemented an all-hazards approach to form the basis of their risk preparedness. Obviously, it’s impossible to create detailed contingency plans for every potential threat. But by identifying every major threat type and creating general plans that are flexible enough to respond to all the different threat types, you boost your risk intelligence and better position your company to respond to unexpected events.
Start by performing a business threat assessment. This will immediately improve your risk awareness and indicate which threats you need to focus on.
You should also implement a threat monitoring system that can track many different threat types. Even once you have identified all the different threat types that can impact your organization, you need a way to monitor those threats for when they emerge. Doing so manually—by watching the news and tracking weather reports—is not an option except for very small companies with one office and no business travelers. Otherwise, you should implement a threat monitoring system that will track threats for you worldwide, automatically.
#2) Risk understanding
Risk understanding is the ability to display a detailed knowledge of a given threat. This is the component of risk intelligence that comes the most from experience. Managers with years of experience working in business continuity often display very high levels of risk understanding.
Signs of LOW risk understanding
Organizations with low risk understanding are often simply underprepared. For the most common risks (like winter weather, workplace fires, and hurricanes), there is a critical amount of time and preparation that is necessary to understand the unique nature of each threat. Companies that only do the bare minimum to prepare for these threats (e.g. install fire alarms, watch the news for hurricane warnings, etc.) will have low scores for risk understanding.
Signs of HIGH risk understanding
Organizations with high risk understanding have specific plans and infrastructure in place for every major risk type. This doesn’t just go for those who work in the BC/DR department—it goes for the whole company. These organizations know the value of tabletop exercises and regular fire drills, to keep every employee prepared and informed.
Put in the time to understand the nuances of the major threat types. These resources from AlertMedia are a good place to get started:
- Winter Weather Preparation Kit: DOWNLOAD
- Workplace Fire Safety Kit: DOWNLOAD
- Hurricane Preparation Kit: DOWNLOAD
Understanding the nature of the most common risks will go a long way to improving your risk understanding (and consequently, your risk intelligence). But for more obscure threats, it’s good to have a system in place for learning threat details quickly once the threat emerges. Sometimes, there are clear places to go to get these details (the CDC website, for example, for disease outbreaks like Coronavirus).
But sometimes it is less clear where to get the details you need. In these cases, it’s good to have a threat monitoring system that provides comprehensive threat details. AlertMedia’s threat monitoring system, for example, pulls in threat details from trusted sources and analysts to provide you with a several-paragraph summary of the key details you need to know for every threat that emerges. Oftentimes, risk intelligence means relying on experts and their analysis rather than your own.
#3) Risk evaluation
Risk evaluation is the ability to evaluate the severity of a given threat once it emerges. At a certain level, this can be intuitive. An active shooter situation is obviously a high severity threat. A thunderstorm is relatively low severity. Companies differentiate themselves, though, in situations where threat severity isn’t so simple.
Signs of LOW risk evaluation
Organizations with low risk evaluation capabilities struggle to consider how seemingly far-off threats may impact their operations. For example, imagine a hurricane started brewing off the east coast. Companies directly in the path of the storm would rightly start evaluating the severity of the threat. But companies located in, say, Kansas might assume the threat has no relevance to them.
In reality, this could not be farther from the truth. Is the company going to have any business travelers to the east coast in the next month? Or, for that matter, leisure travelers? Any trips that are scheduled need to be reconsidered. Or what about the company’s larger supply chain? If any suppliers are located in the path of the storm, or if their logistics pass through a port on the coast, they need to prepare for their operations to be disrupted. The storm could also impact demand for the company’s product or services. Even though the storm might be 1,000+ miles away from headquarters in Kansas, it could end up being a high-severity threat.
Signs of HIGH risk evaluation
Organizations with high risk evaluation capabilities are able to always think “two steps ahead” as to how various risks could affect their people and operations. Taking the hurricane example, a company with exemplary risk evaluation would immediately see the severity of the risk. Any business trips passing to the east coast would be reevaluated, and all employees would be warned of the dangers of leisure travel to the at-risk area as well. They would immediately open a dialogue with suppliers that could be impacted, asking what to expect. Identifying this connection early would allow the company to mitigate the impact of the risk before anything materialized.
Improving risk evaluation is easier said than done. All the same, it’s a critical aspect of risk intelligence—so you need to take steps to improve your organization’s risk evaluation if it’s an area where you struggle.
Start by asking these questions:
- Could this threat jeopardize the physical safety of our employees?
- At headquarters
- At other office locations
- Traveling for business
- Traveling for leisure
- Will this threat impact our suppliers?
- Will this threat impact the demand for our product/service?
- What is the worst-case scenario for this threat?
Threat monitoring systems are the best way to quickly improve risk evaluation—because they do the hard work for you. By utilizing expert sources and trusted analysts, the system assigns a “risk severity” to every threat the system identifies. This means you don’t have to do the difficult work of researching each threat and manually determining severity; instead you can take the severity as determined by the analysts and simply assess how that translates to your organization.
#4) Risk projection
Risk projection is the ability to forecast how a given threat is going to develop. This can look very different depending on the situation. If the threat is weather-related (e.g. hurricanes, winter storms, tornadoes), there are clear sources to turn to: weather forecasters. Risk projection regarding weather is their entire job! But for different types of risks, it can be much more difficult.
Signs of LOW risk projection
Organizations with low risk projection capabilities often display either an unrealistically optimistic outlook for how a threat is going to develop or a misunderstanding of the underlying causes. If an office is forced to close due to winter weather, these companies will be tempted to set unrealistic expectations for when the office will be able to reopen. If a forecast changes, they may be inflexible, or in denial of what the experts conclude.
Signs of HIGH risk projection
Organizations with high risk projection capabilities know when to rely on outside expertise. When it comes to weather-related threats, the best course of action is always to stay up-to-date on the latest forecasts and plan accordingly. Effective risk projection also means not being overly optimistic. If the forecast gives a 30% chance of landfall for an approaching hurricane, that means you have a 100% obligation to prepare for the worst-case scenario. As the old saying goes, hope for the best, plan for the worst.
For common threats, rely on trusted sources. Here are a few sources you should have bookmarked for frequent threat types:
- Severe Weather: National Weather Service
- Health Concerns: Center for Disease Control (CDC)
- Workplace Hazards: Occupational Safety and Health Administration (OSHA)
It’s also important to make sure you know how to correctly interpret the analysis from these sources. For example, do you know what it means that there is a 40% chance of rain in your city? It turns out, most Americans don’t.
For more obscure threats, it will not always be clear how a threat will develop—or what outside expertise to turn to. By adopting a threat monitoring system, you can once again outsource this difficult aspect of risk intelligence to experts in the field. For each threat—even more obscure ones like political riots or travel disruptions—the analysts will provide projections for how the threat is likely to develop and over what time frame.
#5) Risk assessment
Risk assessment is the ability to determine the company-specific impact of a given threat. In risk intelligence, this is the practice of going from the general to the specific. A threat has emerged—now how exactly does it impact us?
This may sound similar to risk evaluation, but it is distinct. Risk evaluation asks, broadly, the severity of a threat. Risk assessment requires you to quantify the specific impact of that threat to your company—no matter the severity. Typically, this amounts to determining which people and assets are at risk.
Signs of LOW risk assessment
Companies with low risk assessment capabilities always err in one of two ways.
Some companies assume too narrow of an impact. For example, if a winter storm is coming through the city of their headquarters, they will tell all the employees that work in that office to stay off the roads and not come into the office. But they will forget about how the blizzard could impact the travel plans of their business travelers coming in or flying out that day. Or they will fail to consider the impact it could have on assets—like equipment—that needs to be protected from the cold.
Other companies assume too broad of an impact. This is certainly better than the former, but it is still problematic. When a threat emerges, these companies will default to always contact everyone—no matter what office they work at or which department they work in. This may seem like “playing it safe,” but the reality is that this practice will cause notification fatigue over time. If your employees are constantly getting alerts for risks that don’t impact them, they will become desensitized to the warnings. The story of the “boy who cried wolf” illustrates this problem perfectly.
Signs of HIGH risk assessment
Companies with high risk assessment capabilities have processes in place to determine the precise impact of every threat. This allows them to zero in on the specific people and assets that they should focus on. These companies avoid notification fatigue but also don’t let at-risk employees slip through the cracks.
Improving risk assessment is best accomplished by automating the process—especially if you have business travelers. By loading all your people and assets into a threat monitoring system, you give the system the ability to automatically quantify the impact of every threat.
When a threat emerges, the system will cross-reference the radius of the threat with the real-time locations of your employees—to determine who is at risk. The system will then automatically alert you that a threat has emerged and that X, Y, and Z people are potentially impacted. This automatic system for quantifying impact will boost your risk intelligence immediately.
#6) Risk response
Risk response is the ability to effectively react to a given threat. This obviously starts before a threat emerges—with planning, drills, and other preparation. But it also involves equipping your organization with the tools you need to respond effectively.
Signs of LOW risk response
Companies with low risk response scores typically rely on outdated communication methods in an emergency—like a phone tree. Their emergency response plan is often more of a formality than anything else. These companies don’t expect to ever have to actually put it into action.
Unfortunately, if a threat does emerge, these companies are inevitably caught flat-footed. Phone trees are clunky and inefficient—close to worthless in a time-sensitive emergency. Employees aren’t accustomed to running drills so the “response” becomes largely improvisational and inefficient. Communication comes slowly and is confusing when it does come.
Signs of HIGH risk response
Companies that have high risk response scores are the exact opposite. They rely on the latest technology—emergency communication systems with threat monitoring capabilities. They have pre-built message templates that allow them to quickly send effective messaging, and they communicate over multiple channels, to ensure that at-risk employees get the alert as quickly as possible.
Ultimately, these companies understand that the first five components of risk intelligence aren’t worth much of anything if you can’t respond effectively.
Improving risk response requires putting time in to prepare ahead of time and adopting the modern technology necessary to communicate effectively. Building emergency notification templates is a good start. You should also make sure that you run periodic fire drills and tabletop exercises to hone the finer points of your response plan.
You also need a mass communication system with multi-channel communication capabilities. Dated solutions like phone trees simply aren’t appropriate for emergencies—especially given the advances that have been made in emergency technology. Risk intelligence necessitates the robust technology to support your robust preparation.
Putting It All Together
The six components of risk intelligence are each crucial. Even if you are strong in four, or five of the areas—your overall risk intelligence will suffer if the weak areas are left unaddressed. As the saying goes, a chain is only as strong as its weakest link.
Identify where your organization is weak and focus there. We have given actionable steps you can take to improve in each area. These are the most efficient ways to boost your organization’s RQ, for each component of risk intelligence.
Finally, consider how up-to-date your organization’s risk management technology is. If you implement an emergency communication system with threat monitoring capabilities built in, like AlertMedia, you can bridge the gap between the first five elements of risk intelligence and the last. The threat monitoring capabilities will automate the trickiest aspects of risk intelligence—monitoring for threats worldwide, pulling in threat details and severity from trusted analysts, and assessing the impact on your people and assets. Then you can use the same system to communicate with those at-risk employees, all without having to switch between systems or manually enter anything besides your message.
Boosting your company’s RQ won’t happen overnight. But—unlike IQ and EQ—it can be changed. With time, preparation, and the proper technology, you can level up your organization’s risk intelligence.