Getting threat categorization right


To run a risk management system, you need a way to categorize your threats. This is a key part of structuring your risk assessments: you need to identify a set of imaginary buckets or folders into which you can group similar threats.

Categorization also helps with information gathering, since data on a specific threat category can be grouped together. It assists when it’s time to address the risks, as one action could help mitigate a whole category of threats. Finally, these categories will help you identify trends and patterns and start to develop an overall picture of your risk environment.

It’s worth spending some time getting this right, as it will influence your whole risk management system, and once you have set up a set of categories, changing them is going to be messy.

But deciding upon these categories can be deceptively difficult. There are three reasons for this.

Firstly, categorization can be interpreted as reflecting ownership. So if you have a category called ‘financial’, it’s not going to be a surprise if the CFO assumes that this is her responsibility. Sometimes, as with the CFO example, ownership is straightforward, but sometimes it leads to turf wars over who owns a set of risks. Getting people to agree can therefore become complicated.

The second reason is possibly the more problematic. Depending upon how you describe the threat category, you can end up talking about the impact and not the threat itself. For example, if you have ‘flooding’ as a category, you’re talking about the effect (the impact), not the cause (the threat from hurricanes). This will influence all of your thinking throughout the process; it can make discussions very complicated and sometimes result in you talking around in circles.

This happened to me once when a co-worker and I sat in a room for two days with a whiteboard and lots of sticky notes, trying to design a series of threat categories. By the end of day one, we were confusing ourselves, going around in circles and had stopped talking to each other, so we had to quit for the day.

When we came back in on day two, we realized that at one point we had stopped talking about threats and had started to add effects and impacts. We had flummoxed ourselves by mixing threat categories in with impact descriptions. Once we identified this problem, we were quickly able to fix things and built a system that’s still valid today, more than 15 years later.

Thirdly, it can be hard to get the right balance between categories that are too broad and categories that are too specific. There’s a ‘Goldilocks’ point at which the categories are specific enough to keep similar items together but not so specific that you end up with a list of individual threats. Imagine you needed a way to categorize sports teams. ‘US sports teams’ would be a very broad category, while ‘The New York Giants’ or ‘The Mets’ are specific teams. Instead, ‘NFL teams’ and ‘MLB teams’ might be useful categories.

A simple way to help keep things under control is to just count the number of categories. If you only have two (e.g. internal and external threats), it’s probably too few. On the other hand, if you have 25 categories, that’s probably too many.

I think that somewhere between six and ten is usually enough. When I designed DCDR, I felt that the six below covered most eventualities:

  • Market / Financial
  • Statutory (regulatory) / political
  • Safety / security / health
  • Environment
  • Licence to operate / reputation
  • Infrastructure

There’s also an ‘other’ option for users to add their own.

This isn’t a hard and fast set of categories, but I don’t think I have had to use the ‘other’ category so far: most of what I’ve been considering can be slotted into one of these categories.

So spend some time thinking about what the right categories are for your organization. Getting this right will help shape your discussions and make it easier to analyze the results without becoming too specific: that’s what the individual threat description is for.

And whatever you do, don’t mix up your threats with your impacts. Keep those sticky notes separate!

What do you think?