Why You Need to Do a Business Vulnerability Assessment

“Risk is a function of how poorly a strategy will perform if the ‘wrong’ scenario occurs.”

— Michael Porter

“Everything that can be counted does not necessarily count; everything that counts cannot necessarily be counted.”

— Albert Einstein

“Managers are not confronted with problems that are independent of each other, but with dynamic situations that consist of complex systems of changing problems that interact with each other. I call such situations messes. Problems are extracted from messes by analysis. Managers do not solve problems, they manage messes.”

— Russell L. Ackoff

“The superior man, when resting in safety, does not forget that danger may come. When in a state of security he does not forget the possibility of ruin. When all is orderly, he does not forget that disorder may come. Thus his person is not endangered, and his States and all their clans are preserved.”

— Confucius

This post addresses what seems to be an almost complete gap in management practices – those aimed at reducing or eliminating the consequences on a business of a major adverse event or situation. This is different from standard risk assessments and from typical vulnerability assessments in that it deals with:

  • low-probability-high-impact cause(s) unknown and/or unforeseeable
  • full business impacts rather than on one of its constituent systems

A basic full-business vulnerability assessment can be done simply on a few sheets of paper (if anybody still uses that stuff) or spreadsheets. What follows are the main steps for doing a critical assessment of this nature.

First, some essential terminology: risk and vulnerability

A risk is an adverse event that has an identifiable cause, a probability of occurring that can be at least roughly estimated, and a specific business system or unit as its likely target. Risk assessment is part of the well-established business practice of risk management. The simple table below illustrates the output of a typical risk assessment exercise. These can of course get much more detailed and complex.

Note that the primary components here are identifiable cause, probability that can be estimated, and point of impact known.

Vulnerability today deals mainly with specific business systems and threats to the integrity or security of these. Examples of systems for which vulnerability assessments are performed include: information technology systems, energy supply systems, water supply systems, transportation systems, and communication systems. IT systems are presently the primary focus, however.

These assessments, besides being system-specific, tend to address threat sources and impact mechanics. Output aims at threat elimination and impact prevention or mitigation.

Vulnerability & Cyber Security Assessments – InfoSight, Inc.  

Business vulnerability
Unlike a system-specific vulnerability, a business vulnerability is a point of weakness in the business itself. Something adverse happening that doesn’t hit a point of weakness or where the impact hit is minimal is not of concern here. Source of the adverse happening is not relevant in this assessment but the points of impact – weaknesses – are of central concern.

The focus here is resilience – how much of an impact can the business as a whole withstand without experiencing serious or fatal damage. Cause or source of the impact is not fundamentally important, nor is the probability of any such impact occurring:

  • Probability of impact from any single event or situation: ~ 0%.
  • Probability of impact from the many possible events: ~ 100%.

Even though we have no idea of exactly what is out there that might hit us, we can be pretty sure, over some period of time, that something nasty will hit us.

This is the essence of a business vulnerability assessment. We need to know both points of weakness and the severity of an impact that the business can withstand and survive.

Revenue Loss Impact Scenarios

Let’s get specific with an example – perhaps the most important class of impacts possible: those that seriously reduce sales. Lots of possible causes:

  1. Economic recession/depression
  2. Big supply chain disruption
  3. Major facility loss
  4. Major customer loss
  5. Major product recall
  6. Truckers strike
  7. Major competitive threat
  8. Major supplier goes bankrupt
  9. Major regulatory change
  10. Major new product market failure
  11. Recession/depression

You will of course be able to come up with a much longer list of possible causes of a serious revenue drop. Likelihood of each of these? Who knows? Likelihood of the full set of these over even a near-term timeframe? Pretty high for most businesses. Timing? Another big “who knows”?

How should you respond to this set of possible adverse events and situations? Simply by identifying both the points of major weakness if a big sales drop hits and the magnitude of the impact that is sufficient to damage your business seriously or fatally.

The time to identify significant points of business weakness and their degrees of likely impact damage is today. Measuring the hole in the hull after the shell hits is not a good management practice but one widely observed.

What does a business vulnerability assessment look like?

Our simple revenue loss example above might be a decent place to start. Revenue, so it is rumored, seems to be the most important aspect of a business. No revenue, no business – yes?

The fundamental assessment question is:

How much damage (revenue loss) and for how long can your business sustain itself and ultimately survive?

Seems like a pretty important question but I’ll bet that 99.9% of businesses have no real idea of where their revenue loss survival demarcation lies.

Business vulnerability assessment in practice

While it is very easy to make this assessment very complex, the underlying principles are quite simple and can be implemented in a spreadsheet or two.

What you need to track here is the cash flow impact of each revenue loss scenario that you want to include.

For many businesses, you just need a set of financials that cover a timeframe of interest – say, monthly for a year. The financials are of course income statement, balance sheet, and cash flow statement.

Oh yes, and you need a way to link figures in each time period to your revenue loss pattern and duration. This linkage in turn depends on how your business might respond to a major revenue loss over this year-long period.

Those of you who do such analyses routinely will see a business simulation model lurking the background. You don’t actually need such a critter but it makes the assessment process so much easier. There are approximately a zillion consultants out there who would be more than delighted to help you out if you don’t have the appropriate internal expertise.

A while back, I sketched out three example revenue-loss scenarios (Figure 1 below) that can be set up so as to reflect some quite realistic happenings. In particular, each of these businesses goes bankrupt under certain scenario assumptions (Figure 2 below).

Note here that you can also set up the parameters so that none of the businesses goes bankrupt under its revenue-loss assumptions. This is very important: a business can survive some very major revenue hits if it is prepared financially and actionably. Bankruptcy is not inevitable by any means but is instead a function of how the business is managed. Bankruptcy is optional in other words.

Figure 1. Three example revenue loss patterns over a year

Figure 2. Three example scenarios that include management responses

Every business is different

You will no doubt be surprised to read this but it seems to be especially true at the nitty-gritty level and in a vulnerability context. Identically-structured-and-financed businesses can perform very differently because of management differences. And of course, situational differences. What works well for some businesses at some times may not come close to working for yours – ever.

This means that you have to develop your own vulnerability assessment and an appropriate set of response options. There is no one-size-fits-all here.

Vulnerability response options should be highly flexible

Just as there is no one-size-fits-all response set, situational and opportunity differences across any time period will restrict the effectiveness duration of any set of responses. What works well today may not work at all tomorrow.

Response details must therefore be tailorable to the situation as it exists when the revenue hit occurs. Buying a competitor may be just right for today as another round of lockdowns appears imminent but it may be exactly wrong six months from now.

You may want to develop a list of potential new revenue sources as part of your vulnerability mitigation plans. You may for example want to develop relationships with potential partner businesses. Building your business much more around ecommerce channels is another popular approach.

A simple example: Imagine a business that has 80% of its revenues generated within a single metropolitan area. Should something nasty hit that area and these revenues disappear, can the business as a whole survive? If not, then might it be possible to focus on developing a distant customer base (or buying a business with these) so as to cut the 80% concentration to around 50% where survival seems reasonably assured?

Bottom line:

The biggest threats to businesses today are not those that are likely or identifiable but instead those that are unknown and/or highly unlikely. Think 2020. However, the available points of impact on your business from unknown threats are both evident and certain. Big question: which of the points of impact in your business are most vulnerable to such events or situations, whatever and whenever they may turn out to be?

Risk assessment and vulnerability as practiced today are quite different from what has been outlined above. You might want to check out the Invenisis article on “Risk Assessment vs Vulnerability Assessment: How Companies Should Perform Both”:

“Companies use risk assessment to identify all hazards and risk factors that can cause harm to the company. This is also known as hazard identification. The risk assessment includes the analysis and evaluation of the risk that comes with the hazard and then coming up with strategies to eliminate or control the risk when it cannot be eliminated. “

“A recent survey conducted by Gartner with 388 strategic initiative leaders stated that it cost a total of $5 billion in loss of opportunity because of untimely risk responses for their projects. This is why assessing risks in a timely manner so that companies can prevent or manage them is important. It helps prevent the loss of revenue.”

Wikipedia offers additional definitions:

“A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. Examples of systems for which vulnerability assessments are performed include, but are not limited to, information technology systems, energy supply systems, water supply systems, transportation systems, and communication systems. Such assessments may be conducted on behalf of a range of different organizations, from small businesses up to large regional infrastructures. Vulnerability from the perspective of disaster management means assessing the threats from potential hazards to the population and to infrastructure. It may be conducted in the political, social, economic or environmental fields.”

“Vulnerability assessment has many things in common with risk assessment. Assessments are typically performed according to the following steps:

> Cataloging assets and capabilities (resources) in a system
> Assigning quantifiable value (or at least rank order) and importance to those resources
> Identifying the vulnerabilities or potential threats to each resource
> Mitigating or eliminating the most serious vulnerabilities for the most valuable resources”

“Classical risk analysis is principally concerned with investigating the risks surrounding a plant (or some other object), its design and operations. Such analysis tends to focus on causes and the direct consequences for the studied object. Vulnerability analysis, on the other hand, focuses both on consequences for the object itself and on primary and secondary consequences for the surrounding environment. It also concerns itself with the possibilities of reducing such consequences and of improving the capacity to manage future incidents.” (Lövkvist-Andersen, et al., 2004) In general, a vulnerability analysis serves to “categorize key assets and drive the risk management process.” (United States Department of Energy, 2002)”

EC-Council in its blog “4 Steps to a  Successful Vulnerability Analysis” lays out some useful ideas about approaches:

“Vulnerability assessment or vulnerability analysis is a testing process that involves identifying, measuring, prioritizing, and ranking the system for vulnerabilities. The process either consists of manual or automated approaches with differing degrees of precision and complete coverage. The end goal is to protect systems from unauthorized access and data breaches.”

“Vulnerability assessment is not industry-specific. It is vital for various systems, including:Information technology systems:

> Communication systems
> Transportation systems
> Water supply systems
> Energy supply systems”

“A vulnerability assessment identifies, quantifies, and prioritizes the risks and vulnerabilities in a system. A risk assessment identifies recognized threats and threat actors and the probability that these factors will result in an exposure or loss.”

“Vulnerabilities are the gaps or weaknesses that undermine an organization’s IT security efforts, e.g. a firewall flaw that lets hackers into a network. Risk refers to the calculated assessment of potential threats to an organization’s security and vulnerabilities within its network and information systems.”