Risk vs. Threats
Part VI: Risk Vs. Threats
Talking about duty of care immediately brings attention to the dangers that employees face when travelling the world. When talking about these dangers, it has come to my attention that ‘risk’ and ‘threat’ are often used synonymously. While some would brush it off as semantics, I see the interchangeable use of these words as a large problem. Not only for organisations with travelling employees, but also for the security risk management industry as a whole. This article makes the argument that this distinction is important to our understanding of the organisational role of mitigating threats that travellers are facing, and clarifies how an organisation can seek to attain a risk level that fits both the organisation’s and traveller’s risk appetite. As dessert, I will argue why risk should not always be used in negative terms, but should actually be reframed and used positively.
At the start of the century, a number of events occurred that changed the risk landscape, and the way that we perceive of and talk about risks. This is highly evident in the media’s portrayal of terrorism, crime, and crises, which has contributed to a greater awareness, and often sensationalisation, of different threats. One of the most significant of these events was the 9/11 terror attack in 2001, which changed not only the perception of terrorism, but also its relation to Danish foreign policy. After the attack on the Twin Towers, international forces were deployed and Danish troops became a part of the US-led coalition that invaded Iraq. In 2005, the Danish newspaper, Jyllands-Posten, printed a series of cartoon drawings of the Prophet Muhammad, which led to an international crisis with Denmark placed at the centre. In 2008, the drawings were reprinted and Denmark was once again made the centre of attention in the international sphere. This suddenly placed Danish organisations in an unfamiliar position, where they had to constantly relate to newly occurring threats that arose in the slipstream of these events.
So do these new threats bring new risks? That depends. The literature offers many definitions of risk; but in my world, risk is a combination of threat and vulnerability. ‘Threat’ is the external element, while ‘vulnerability’ is the internal, which combined make up the risk. When measured, we call this the risk level. As an organisation, you can’t change the threats. They are there, they are extremely dependent on geography, and they can be highly dynamic due to some of the factors mentioned above, as well as other outer circumstances. And while they can’t be changed, threats can be avoided, e.g., by choosing not to travel to a certain location or engaging in a certain activity. Vulnerability is also dynamic, but this is an element that you can exert some control over. There are many variable factors that define vulnerability, but, ultimately, it is the traveller’s behaviour and choices that determines the outcome. However, the traveller is only in a position where she or he can make the right choices if they are appropriately equipped by their organisation. Because one’s vulnerability can be altered, and because risk is a combination of threat and vulnerability, risk exposure can therefore also be increased or decreased.
An example that illustrates this distinction could be that a terrorist group has announced a specific threat towards Danish citizens in country x. The threat is only applicable, and thus a risk, if the terrorist knows that the travelling employee is Danish. When working with your vulnerability, e.g. by not stating openly that you are Danish, the risk is effectively reduced. The threat to Danish people remains present, but risk of the individual becoming a target is minimised.
It is possible to mitigate risk by reducing vulnerability. I argue that it is this risk mitigation that forms the core of duty of care. Because threats are external, organisations are only able to fulfil their duty of care responsibility when they lower the vulnerability of their travelling employees. Hence, in order to reduce vulnerability, and therefore risk, it is imperative that you know the threats that you are faced with. Naturally, if you are unaware of the threats that you face, it will not be possible to mitigate them, and as a result you effectively increase your risk profile.
As Søren discussed in the article Legal perpectives on duty of care, there is no law that dictates that content of duty of care. However, there is a distinct public expectation that organisations are responsible for the wellbeing and security of their employees and other stakeholders, as demonstrated by trends in corporate social responsibility. If an incident occurs, and an organisation hasn’t taken measures to mitigate obvious threats, then the court of public opinion could be quick to judge the organisation, which could result in irreversible repetitional damage. While duty of care should primarily be seen as a responsibility, not complying with the expectations related to an organisation’s duty of care, presents a risk in itself.
Decreasing vulnerability can be attained through the implementation of various measures, but at a basic level it starts with the company travel security policy. This should include plans and procedures for travelling employees that are dynamic and differentiate between low- and high-risk destinations. Mitigating measures should be realistic and 3
appropriate, and function as a tool to reduce the overall risk level to one that is appropriate and that fits the risk appetite of both the traveller and organisation.
Leveraging the phenomenon of globalisation is fundamentally about hunting risk. It goes without saying, that with higher risk comes higher reward, which means that risk is also (potentially) a good thing. Like investing in risky shares or bidding on the underdog in a football match, the return on investment will be equally higher if things go your way. It’s not for everyone to hunt risk and the organisation needs to be equipped to respond to both the ups and downs. Otherwise, it can be potentially devastating. When investing in risk, it necessitates that, one, everyone involved knows the terms and conditions, and two, that the involved parties are ready and equipped to undertake this additional risk.
Referring this back to duty of care, it is also possible to divide it. When talking about organisation responsibility, informed consent is a vital element. This means that the organisations need to provide appropriate risk assessments to travellers, which includes an overview of the threats, as well as measures to lower the travellers vulnerability. However, this is not sufficient. Organisations should also go the extra mile and demand that travelling employees receive security training so that they are empowered to make the right choices and can play an active role in reducing their own vulnerability. Organisations should also ensure that management has the right procedures in place and are properly trained in case of a potential crisis. When ready and prepared, risk can offer opportunity of a great magnitude. When managed, risk can be a good thing. Semantics.
If you have questions or comments, please contact Søren Bisgaard Vase (sbv@guardian-srm.com), Head of Analysis at Guardian-srm or Isha Pinto (ish@guardian-srm.com), Consultant.