Dealing with Extreme Security Threats

How you deal with extreme security threats will vary, depending upon your organization’s situation:

  • Well-Prepared
  • Partly-Prepared
  • Unprepared

Use the following checklist chart to rate your organization’s extreme security threat preparedness.

Organizational Status Description
  •  Business resilience is actively being established as part of an enterprise security risk management program
  •  Recent risk assessment has been performed that includes analysis of extreme threats and potential impacts on critical business personnel, critical facilities, and key material assets
  •  Appropriate extreme threat response preparations are in place (roles & responsibilities [including alternates], plans, awareness, communications capabilities, response training)
  •  Response exercises are performed and rated at appropriate intervals
  •  Periodic re-evaluation upon organizational changes and as warranted by indications of changes to the threat picture
  •  A named individual on the Board of Directors has an assigned corporate risk oversight role and reports on the status of business resilience as well as extreme security threats (or an Owner is actively tracking resilience progress and threat data)
  • The Partly-Prepared status items have already been achieved
  •  Facility protective measures are established based upon facility risk assessments
  •  Business Continuity/Disaster Recovery measures are current, are appropriate for risks based upon business sector and geographical location, and have been tested
  •  Traditional facility security measures are in place based upon business sector and company-specific factors
  •  Emergency communication capabilities are established and regularly tested
  •  A sound executive protection program is in place and is followed
  • No significant consideration has been given to extreme security risks
  • Only basic facility security measures are in place (access control, video, intrusion detection, alarm monitoring)
  • No Business Continuity/Disaster Recovery measures are in place, or the BC/DR plans and are outdated


Organizational resilience measures a company’s ability to, and the speed at which it can, return to its normal performance levels following a high-impact/low-probability disruption.

Many U.S organizations began looking at their vulnerability to large disruptions after the events of 9/11. However, many random phenomena such as earthquakes, floods, accidents, social or political unrest, and partner business failures have just as much impact on a company as a terrorist action. The ability to respond effectively to a high-impact event does not derive from a collection of ad-hoc actions, no matter how well-intended or highly motivated. It comes from identifying potential extreme threat impacts and building sufficient operational strength that effective recovery is feasible based upon organization-specific plans.

Although the impact may be caused by a security threat—recovery is achieved not by a security department response but by a broader organizational response using strengths that already exist.

This is why establishing the organizational ability to deal with extreme security threats—including natural hazards—is a high-level company concern and requires the strong support, if not the active involvement, of senior executives.

What to Do

For very large national or international organizations, it is likely that preparedness status varies across facilities and geographical regions, in which case what to do will vary across different parts of the organization.

What to do depends of course upon which preparedness category your organization (or your part of it) is in.

If your organization’s status is Well-Prepared, then forwarding this article or sending an email note to your senior risk manager should be enough to ensure that appropriate consideration has been or will be given to extreme security risks.

If your organization’s status is Partly-Prepared then determine if developing an organizational resilience program can be easily taken on as part of a current risk management role or function—or if someone will have to be specifically assigned responsibility. If it’s the latter case, share this article with your CEO, COO, CFO and Chief Security Officer or Corporate Security Director if you have one.

If your organization is Unprepared, find an appropriate way to bring the matter to the attention of both your CEO and CFO. It’s not possible to go from Unprepared to Well-Prepared overnight. Fortunately there are industry-specific sources of advice (such as trade associations) as well as guidance from management associations and security associations that can get you moving up to the Partly-Prepared status, putting some organizational strengths and response capabilities in place with immediate and short-term actions, while senior management develops the plans for those improvements that involve longer-term implementation.

Making the Business Case in Plain Language

If you want to prepare yourself to make the business case that your organization should strongly consider the development of a resilience program, the following three references will help. If you are already an experienced risk management or security professional then read on and discover how these references will help you easily explain the key concepts to your business colleagues in plain, business-relevant language.

  1. View the Online Video from MIT: The Resilient Enterprise: Overcoming Vulnerability for Competitive Advantage, by the author of the book of the same title: http://bit.ly/resilient-enterprise-video.
  2. Get book #1: The Resilience Enterprise in print or eBook format and read the first chapter: “Big Lessons from Small Disruptions”.
  3. Get book #2: The Failure of Risk Management: Why It’s Broken and How To Fix It in print or eBook format. Read the first page of Chapter 2, and the section that follows titled, “The Entire History of Risk Management (in 800 words or less)”.

This is a less-than-$60 investment with a very high return. For a taste of some of the material, see the definitions below.

What Counts as Risk Management?

These definitions and comments are extracted from Chapter 1 of The Failure of Risk Management: Why It’s Broken and How To Fix It. They are not too different in spirit from the myriad definitions found in other sources.

Definition of Risk

Long definition: The probability and magnitude of a loss, disaster, or other undesirable event

Shorter (equivalent) definition: Something bad could happen

Definition of Management

Long Definition: The planning, organization, coordination, control and direction of resources toward defined objectives

Shorter, folksier definition: Using what you have to get what you need

There are a couple of qualifications that, while they should be extremely obvious, are worth mentioning when we put Risk and Management together. Of course, when an executive wants to manage risks, he or she actually wishes to reduce it or at least not unduly increase it in pursuit of better opportunities. And since the current amount oif risk and its sources are not immediately apparent, an important part of reducing or minimizing risks is figuring out where the risks are.

Also, risk management must accept that risk is inherent in business and risk reduction is practical only up to a point. Like any other management program, risk management has to make effective use of limited resources. Putting all of that together, here is a definition (again, not too different in spirit from the myriad definitions found in other sources):

Definition of Risk Management

Long Definition: The identification, assessment and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor and control the probability and/or impact of unfortunate events

Shorter definition: Being smart about taking chances


If your organization is not well-prepared to deal with extreme security threats, don’t just sit there—take an effective action now!

Leave a Reply

Your email address will not be published. Required fields are marked *