When assessing threat, know your sharks from your mosquitoes

The success of a threat assessment depends on the criteria you use.

Imagine a life-threatening animal. What came to mind? A shark, lion, bear, or snake? Are any of those animals nearby!? If we add up all the human deaths each year from those animals, the total pales into statistical insignificance against mosquito deaths (2-3 million per annum) or pandemics following animal-to-human transmission.

In integrity risk terms, a shark attack is a monitorship after a massive scandal. Mosquitoes and pandemics are the weak growth, or 5% (minimum) you’re losing from your bottom line each year because of fraud, poor treatment of suppliers, petty extortion, staff attrition (harassment, discrimination), lost customers (scared or disengaged employees), and so on.

It is important to identify the genuine threats inhibiting your opportunities.

Threat assessments

When thinking of threat assessments, security might come to mind. The system also works for integrity risks to sustainability. Conducting a threat assessment will help reduce risks, get leadership attention, and increase frontline buy-in.

Various surveys (including those by the Association of Certified Fraud Examiners) and my anecdotal experience suggest that the primary driver of risk is behavior, not the absence or override of controls. Why are we spending most of our time building more controls? Threat assessments push us out of this audit-style thinking. To calibrate threat, we must:

  1. Consider sources of threat – mostly people (and their actions), but environmental and health issues increasingly emerge too.
  2. Estimate intentions – what those sources of threat might wish to do.
  3. Assess capability – understand where that intention meets reality.

Using a recent example, tax officials in a North African country use audits as a pretext for extortion (in around 20% of cases I’ve worked). They use opacity and legal interpretation to cover these demands, making them seem plausible. Their requests might imply avoiding harm (fines, more audits, escalation) or gaining a benefit (reducing tax exposure).

The officials’ intentions are relatively straightforward – get money or equivalent value. Their capability, at first glance, would appear quite strong. But when you investigate a little, you’ll see that some sectors have (admittedly clunky and not well-publicised) e-filing options, where you can link certain transactions directly with the tax department—for instance, property transfers. In other cases, the government is keen to clamp down on petty bribery – a cynic might argue to detract from grand corruption – and polite qualification or escalation can lead to a hasty retreat.

If you’re also keen on reducing your vulnerability to threats, it becomes much easier when you’ve assessed the modus operandi. In this example, that means flawless filings (online, wherever possible).

Leaders care about threats

If you ask most leadership teams about risk assessments, the responses will range from blank faces and boredom to a swift reaction about “this year’s top five risks”. The latter often follows enterprise risk assessment – aggregating many issues into a digestible summary, like “cyber attack”.

If you ask the leaders about strategy and opportunities, their eyes might light up. The flipside to opportunity is threat (of SWOT fame). Positioning yourself as the person who helps manage threats to increase opportunities is potentially a more compelling proposition than being the “steamroller sent to crush the business” (one sales manager’s description of the compliance function).

If you’re thinking, “What’s the difference between threat and risk?” – no one, except us, cares. Think of it as a linguistic sleight of hand that psychologically reframes an issue. Threats haven’t happened yet, and glass-half-full leader types prefer them to codified risks sat on a register. The risk gets assigned some misguided impact variant and a hopefully more accurate version of probability. We add a rating for the effectiveness of controls (another potential headache for leaders) and memorialize “net/residual risk”. No one likes that sort of residue.

Bringing threats to leaders sparks more creative responses than risk. I’ve seen leadership teams conjure innovative solutions around strategy, routes to market, alternate partners, collective action, leveraging influential stakeholders, and more. When faced with a risk register, our thinking gets hemmed in by the “existing mitigation measures” on the rows above. Facing threats is somehow more visceral and sparks another mode of thinking.

Your people care more

To assess threats, you need frontline perspectives. Your people live where you operate; they see threats multi-dimensionally. Specifically:

  1. societal, social, and political context;
  2. intentions;
  3. capability; and
  4. mitigation.

I’ve seen how insurgents and terrorists extort those operating on their turf. I’ve asked locals why proximate communities aid, abet, or tolerate actions frequently driving away much-needed investment, support, or infrastructure. Reasons vary, but a theme tends to emerge – you’ll be gone before they are. Now we know.

We could ensure our activity creates lasting benefits – building capacity and stable livelihoods beyond the expiry of our activity in that region. The insurgent groups need the local community’s support, compliance, or silence. You become a much harder target when focusing on the threat context.

Local knowledge

You don’t get those insights without local knowledge. Similarly, your frontline allies will understand how systems work. For example, in much of Indonesia, police extortion is a pyramid scheme – cops channel a significant portion of their haul up the chain of command. If you break that chain, finding other ways to incentivise or work together, life gets easier.

Your first line of defence colleagues also know what controls, tactics, and training will and won’t work. A fancy new expense-scanning app falls flat in countries where receipts are handwritten in a non-Roman alphabet script.

All these benefits of calibrating threats with first-hand perspectives are great. But the true value is connection. When listening to the people facing the issues that authors of regulation seem never to have met, you develop empathy, and they feel heard. Speak-up increases, and we get buy-in.

Threats or fences?

We can continue to build more fences, but I’m convinced that’ll fail. We must build more capacity – better risk ownership and a more robust first line of defence. We cannot do that without an accurate calibration of the threat. Try it. You’ll also find that threat analysis shrinks and sharpens your risk focus as you filter out the less credible (doomsday) scenarios we fixate on.

Rupert Evill is the founder of Ethics Insight, providing risk assessment, program implementation, and investigative support. He has operated in over 50 countries in his 22-year career, spanning investigations, ethics & compliance, intelligence gathering, due diligence, and crisis response. He is a Certified Fraud Examiner and author of Bootstrapping Ethics: Integrity Risk Management for Real-World Application.