Risk Assessment
Risk assessment goes by various names, including risk management, threat modelling, or risk analysis, but they all refer to the same general process. We often informally conduct ‘risk assessments’ in our daily lives, such as evaluating whether a dark alley is safe to walk through at night or if our homes are securely locked. In this unit, however, risk assessment is approached in a more formal and structured way.
Step 1: Identify the risks
The first step is to identify a list of potential risks. To pinpoint threats, it's helpful to use actor and context analysis, as they often reveal common recurring risks, particularly in human rights and LGBTQ advocacy work. This step may require significant research and analysis, and we recommend consulting human rights reports that monitor current situations.
💡 For instance: a risk assessment for a queer event during Ramadan might look very different from one held at another time. News reports in recent years have shown that LGBTQ events are often politicized more during the holy month.
Step 2: Prioritize the threat / risk to address
We commonly operate in a context where we have limited time and resources. We may be able to come up with a hundred different risks, but realistically we can only address a limited number of threats. Hence we usually prioritize the risks we are addressing. To prioritize risks, think about:
- What is the probability of this risk happening?
- What will be the impact on me, the organization, or the community if this risk happens?
For instance:
† See section: “Conclusion: Balancing risk attitudes in a collective setting”
Step 3: Develop a security plan to reduce risk and vulnerability
Once you have identified and prioritized the risks, you may start developing security strategies. There are generally two types of mitigation strategies:
- Preventive: reduce the probability of an incident happening
- Reactive: reduce the impact should an incident happen
For instance, using the same example, I chose to expand the mitigation strategy on “leakage of event participants’ personal information” because it has high impact, even though its probability is medium.
Conclusion: Balancing risk attitudes in a collective setting
In the section above, the statement marked † states “I am an openly LGBTQ activist, my personal data are publicly available”. This individual likely has a higher risk tolerance and believes they have little to hide. However, when working as a collective, it's also important to recognize that others in the collective may have different risk attitudes. Some may be more risk-averse and prefer to operate in a lower-risk environment. Regardless of whether we are risk-averse or risk-tolerant, understanding our colleagues' risk attitudes helps balance the collective approach to risk management.
Therefore, before beginning any planning for risk assessment and mitigation, it is worth sitting down with the colleagues involved to discuss what our collective risk affordance level is, and to consider whether we are taking too much risk or too little. This article by the Global Interagency Security Forum introduces the practice of developing an organizational risk attitude statement, as a way to be transparent about the amount of risk the organization is willing to accept to achieve its objectives.