Risk
Tangible Vs. Intangible Items in Risk Analysis: What Is the Difference?
What is the intangible worth of your security organization? You can probably assign some rough figures to the physical countermeasures you use to protect your company, like cameras, lighting, and access control, but do you know the value of your policies? What about your staff’s institutional knowledge?
Intangible assets are often the most valuable property of any organization, and that’s true of your security organization as well. However, intangible assets often aren’t included in a risk assessment. If that’s the case for you, there’s a hole in your risk management program.
Ask the Expert: How Do I Identify If an Incident Is Probable?
Tangible and intangible assets in security: what are they?
Every silo in an organization has a combination of tangible and intangible assets that help the business function. For example, your IT department works with tangible assets (like computers) to manage your company’s data, which is intangible. Your security organization is no different.
Your tangible assets are the countermeasures you can see and touch: fences, cameras, badges, lighting, bollards — any physical countermeasures that keep your building safe are tangible assets.
Your security organization’s intangible assets are identifiable, non-monetary assets without physical substance. In many cases, they’re information-based: your security policies, processes, emergency plans, institutional knowledge, and any data pertaining to the security of your site are intangible assets. Intangible assets can be grouped into three categories: rights (such as contracts and other legal agreements), relationships (subject matter experts and trained personnel), and intellectual property (processes and policies).
How can you prepare for an active shooter? 5 best practices
How to assess intangible security countermeasures
It’s easy to inspect a camera, a door lock, or a fire extinguisher — a security expert makes sure it’s where it’s supposed to be, that it’s working, and that it is still able to achieve its objective. But how do you assess something that you can’t see, like a policy or a plan?
Find the intangible’s owners
The best way to assess an intangible asset during a risk analysis is by speaking to the people who know it best. Say you’re assessing a policy. We recommend that the security expert conducting the risk analysis send a questionnaire to whoever owns the policy or procedure. This could be the head of security, a site manager, or whoever is responsible for updating or educating the employees of the organization about the policy.
Know what you’re assessing
It’s not enough to simply have a policy. You want to be sure that an organization’s people are competent in that policy, that policies are updated regularly, and that processes actually work. If a company has done tabletop exercises or other simulations, looking at the results of those tabletops is helpful. You can also look at incident responses, and industry best practices to determine if the intangible assets are working.
The importance of intangibles
Intangibles often make up the bulk of an organization's value. Today they represent 90% of all assets for the S&P 500, a stark change from the past — in 1975, intangibles made up just 17% of the S&P’s wealth.
Within your security organization, intangibles often serve a specific purpose: while tangible assets are the countermeasures that reduce the probability of an incident, intangibles often help your business respond and recover when there has been an incident. Both need to be included in your risk analysis for your business’s continuity to be assured.
Need help with a risk analysis? Schedule your personalized demo today.
About the Author
