Use criticality to find important barriers
Which risk barriers are the most important? This question can be answered by assessing barrier criticality[1]. It allows organisations to prioritise their effort on the barriers they really can't afford to have fail. In this article, we'll discuss why and how to approach barrier criticality, as well as some challenges.
Why use barrier criticality
So what problem does barrier criticality solve? First, all organisations have a limit on resources to invest in risk reduction. Those resources need to be distributed among all the possible measures to reduce risk. Barriers that are critical will get more resources. For example, critical barriers could be checked more often than others.
Another reason for criticality is focus. People can only deal with a limited amount of information, whereas risk analysis gives you a complete overview of all the relevant risks and barriers. Giving people a smaller set of critical barriers makes it more likely they will get managed. The counter argument is that it's extra easy to ignore everything that isn't critical. This is a good reason to make sure you think about how you will deal with all levels of criticality, including the lower ones (see the challenges below).
How to assess barrier criticality
Criticality is assessed using a combination of 3 components.
- Scenario size
- Barrier effectiveness
- Barrier redundancy
Scenario size
Barriers are built to prevent one or more scenarios. These scenarios (also called threats or consequences) are not all the same. They have different frequencies and power to cause negative consequences. The more a scenario contributes to the overall risk, the more critical barriers against that scenario become.
Barrier effectiveness
Not all barriers are equally effective in stopping a scenario. Some are more effective than others. A barrier that is more effective is usually also more critical, because losing it would mean a greater reduction in protection against the scenario.
Barrier redundancy
If multiple independent barriers protect against a scenario, losing one of them is less of a problem, which makes each of them less critical. Of course it's still important to maintain the group of barriers, but each one is less critical than a single barrier that is solely responsible for controlling a scenario, or than barriers that share dependencies, which makes them less redundant.
Combining them
You combine these three components to select barriers that are highly critical. In the picture above, the first scenario has a critical barrier. It is critical because a) it's on a high threat scenario and b) it's very effective (shown by the green colour). The other barrier on that line is a little less effective (orange), so we decide not to make that one critical because we already have such a good barrier on that line.
The second line also has a critical barrier, even though the threat scenario is medium and the effectiveness is poor. However, it's the only barrier on that scenario line, so we still regard it as critical.
This shows that these three criticality components can combine in different ways to mark a barrier as critical. But in all cases, they are either on a high risk scenario, have few back-up barriers or are highly effective. In an assessment, you can combine this with the expertise in the room, because there might be other exceptional circumstances which make a barrier critical or not.
Challenges
Let's also look at two challenges when using criticality.
Too many critical barriers
The core use of criticality is to take a longer list of barriers, and make a short list to focus on. But what do you do if you still end up with a long list of barriers? The simplest solution is to increase the threshold of when you find something critical. For instance, you could decide to never regard a barrier critical on a medium sized threat, or to have at most 1 critical barrier per line. If you describe this in a method policy, it can make discussions with barrier owners easier, as they sometimes assess their own barriers as the most critical.
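The combination rules and the threshold policy described above can be written down as a small, repeatable check. The following is an added example, not part of the original article: the barrier names, the poor/fair/good scale, the `depends_on` field and the `Policy` defaults are assumptions chosen to reproduce the two scenario lines discussed under "Combining them", and expert judgement still overrides the result.

```python
from dataclasses import dataclass

# Assumed ordinal scales; the article only names high/medium threats
# and green/orange/poor effectiveness.
SIZE = {"low": 1, "medium": 2, "high": 3}
EFFECT = {"poor": 1, "fair": 2, "good": 3}

@dataclass(frozen=True)
class Barrier:
    name: str
    effectiveness: str
    depends_on: str = ""  # shared dependency (hypothetical field)

@dataclass(frozen=True)
class Policy:
    sole_barrier_min_size: str = "medium"  # threshold for lines with no back-up
    effective_min_size: str = "high"       # threshold for lines with back-up
    max_critical_per_line: int = 1

def independent_count(barriers):
    """Barriers that share a dependency count as one for redundancy."""
    return len({b.depends_on or b.name for b in barriers})

def critical_barriers(scenario_size, barriers, policy=Policy()):
    """Return the names of the barriers marked critical on one scenario line."""
    size = SIZE[scenario_size]
    # Most effective first; sorted() is stable, so ties keep input order.
    ranked = sorted(barriers, key=lambda b: EFFECT[b.effectiveness], reverse=True)
    if independent_count(barriers) <= 1:
        # No real back-up: critical even when effectiveness is poor.
        picked = ranked if size >= SIZE[policy.sole_barrier_min_size] else []
    elif size >= SIZE[policy.effective_min_size]:
        # Back-up exists: only highly effective barriers qualify.
        picked = [b for b in ranked if b.effectiveness == "good"]
    else:
        picked = []
    return [b.name for b in picked[:policy.max_critical_per_line]]

# Constructed sample lines mirroring the picture walkthrough.
LINE_1 = ("high", [Barrier("A", "good"), Barrier("B", "fair")])
LINE_2 = ("medium", [Barrier("C", "poor")])
# Constructed: two good barriers that fail together are not redundant.
LINE_3 = ("high", [Barrier("D", "good", "power"), Barrier("E", "good", "power")])
STRICT = Policy(sole_barrier_min_size="high")  # never critical on a medium threat

if __name__ == "__main__":
    for size, barriers in (LINE_1, LINE_2, LINE_3):
        print(size, critical_barriers(size, barriers))
    print("strict policy, line 2:", critical_barriers(*LINE_2, STRICT))
```

Writing the thresholds into a `Policy` object is one way to make the method policy explicit, so a change in threshold is a visible decision and not a per-barrier negotiation.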
Only looking at critical barriers
One of the big problems with criticality is what happens to barriers that aren't highly critical. It can be easy to forget about them. Make sure that your method policy considers how to treat each level of barrier criticality. Low criticality barriers should still be managed, after all. An example could be to report on the performance of critical barriers monthly, whereas the full set is reported on quarterly or yearly.
Conclusion
Criticality can be a powerful tool to create a short list of important barriers to devote more resources and attention to. It is a combination of scenario size, effectiveness, redundancy and expert judgement. Make sure to have as few critical barriers as practicable, while at the same time having a plan to not forget about the barriers that have a lower criticality.
[1] Just to be sure, when we talk about criticality here, we mean it in a positive way (as in, this is critically important). We don't mean the criticality of a negative event (as in, this is critically bad) like in FMECA.