I am nearing the end of the autumn quarter, teaching enterprise risk management to University of Washington Informatics majors. One question that recurs is the subtle difference between a risk and a threat. The Oxford English Dictionary defines a threat as “a person or thing likely to cause damage or danger” and a risk as “a situation involving exposure to danger.” We spend a fair amount of time in discussion of how an organization’s control structure can offset or mitigate both threats and risks. By the time we are at the end of the quarter, we will have looked at these risks by type: information and cyber risk, risk from the Internet of things (IoT), innovation risk, privacy risk, reputation risk, law enforcement risk, and business resilience risk. This has certainly proved to be a useful way for me to organize frameworks and methodologies around each type of risk. Threats, on the other hand, are discussed with current event examples.
Later this month, I’ll be an invited participant to discuss both when New York University convenes its 12th global forum, this one focused on urgent threats. I’ve been attending these events since 2007 and find the rich mix of roughly 50 international experts, senior government and NGO leadership and corporate business continuity and security leaders quite stimulating. The forum is closed to media and operates on Chatham House rules, so the mix of perspectives is generally without pontification. In advance, we know that we’ll be discussing topics as challenging as real world cyber impacts, extreme weather and climate change, civil discords and threats to democracy, infectious disease, domestic terrorists, multiple threat vectors, and corporate social responsibility.
The first order of the day at the forum is a lightning round, for each participant to identify urgent situations (risks) via a radar sheet that is updated each time we meet. We are usually asked for the top three risks that we see.
I have put some thought into what my list will look like this year, and wanted to share it with you here.
#1 Unprecedented Violence
Under this single mega-risk, I would lump active shooters, violent nationalism, domestic terrorism and explicit hate speech. We have always had mentally unstable persons who perform terrible acts, but we have never had such a magnifier of hate speech as social media, which offers white nationalists and others the opportunity to aggregate like-minded fanatics who cheer one another on. Murdering congregants in their Pittsburgh synagogue or Charleston church is a type of violence that takes us back to the Birmingham bombing in 1963. We see other parallels to civil rights struggles in the 1960s in the defacement of places of worship, the heckling and stalking of victims, and the willingness of some groups of law enforcement to turn a blind eye. We have never had a president who explicitly incites and cheers on such groups, either indirectly or by failing to say anything at all. Then, too, federal law enforcement has relaxed its monitoring of such individuals and groups. For a detailed analysis of changes in law enforcement’s approach to such group’s, see Janet Reitman’s powerful analysis in “How Law Enforcement Failed to See the Threat of White Nationalism” (New York Times, November 11 2018). Grouped into this mega-risk also is the failure of this country to have enacted meaningful gun reform, the lack of which shows us time after time that guns are easy to purchase and use.
#2 Unchecked Power of the Executive Branch
Until the mid-term elections it seemed clear that we are operating with a one party system. From nationalist rhetoric and pugilistic name-calling to the design of executive orders that reduce civil liberties and reduce our historic commitments to our allies, to immigration and migration, the president and his team offer a vision of simultaneous greed and anger. The restoration of the U.S. House of Representatives to a Democratic majority should provide some checks and balances. We need to move forward on important civic concerns, including health care reform, veterans' administration reform, and disaster response.
#3 Nation-State Cyber Threats to Infrastructure
Incursions by Russian or Chinese players into our social media platforms have taken most of the headlines. Cyber threats to our military intelligence and industrial research, along with breaches of security across the private sector by nation-state actors have never been higher. Trade secrets and intellectual property are being stolen regularly. Right now, the Director of National Intelligence, the FBI and Homeland Security all work on aspects of the situations, but our emerging threats are not being handled in a streamlined, coordinated manner.
So that’s my list for the forum. I’m interested to know if you would group the top three threats differently. Please drop me a line if you wish, at email@example.com.
“Reprinted with permission from ASA News & Notes, November 12 2018 issue.”