Meet CARVER : 6-Part Tool for Ranking and Assessing Risks
Sometimes war tactics really can help in business
Developed during World War II, CARVER was originally used by analysts to determine where bomber pilots could most effectively drop their munitions on enemy targets.
One of the most overused expressions thrown around by wannabe “Wall Street Rambos” is business is war. But sometimes war tactics really can help in business.
Among these tactics is CARVER, a system for assessing and ranking threats and opportunities.
Developed during World War II, CARVER (then one letter shorter and known as CARVE) was originally used by analysts to determine where bomber pilots could most effectively drop their munitions on enemy targets.
It can be both offensive and defensive, meaning it can be used for identifying your competitors’ weaknesses and for internal auditing. In addition, many security experts consider it the definitive assessment tool for protecting critical assets. In fact, the U.S.
Department of Homeland Security has recommended it as a preferred assessment methodology. (One of us, Luke, is so enthusiastic about CARVER that he cowrote a book on it.)
More recently, CARVER has converted a new community of believers in the business world, including CEOs, financial analysts, and risk management planners, not to mention any number of Fortune 500 security directors.
Since it draws on both qualitative and quantitative data, CARVER can be applied in almost any scenario that is analyzed and discussed in an organized, logical way. It can be highly useful if you need to, for example, defend a budget request or a strategic plan to company leadership. Because it helps you articulate an efficient story using numeric values, CARVER can be used to clarify mission objectives — whether on the battlefield or in the boardroom. You might say CARVER is a SWOT analysis on steroids.
CARVER is an acronym that stands for:
- Criticality: how essential an asset or critical system is to your company
- Accessibility: how hard it would be for an adversary to access or attack the asset
- Recoverability: how quickly you could recover if something happened to the asset
- Vulnerability: how well (or not) the asset could withstand an adversary’s attack
- Effect: how much of an impact there would be across your business if something happened to the asset
- Recognizability: how likely it is that an adversary would recognize the asset as a valuable target
To use CARVER — whether you’re assessing a system, a business goal, or something else — you assign scores from 1 to 5 (with 5 being “most essential,” “most likely,” and so on) for each of the six criteria above. The sum of the six scores is the total score for whatever you’re assessing.
Once you’ve calculated the total scores for a few things, you can compare them. For example, you could use CARVER to compare two business opportunities; whichever has the higher score is probably the better option to pursue.
Here’s an example. Let’s say the chief security officer for an oil and gas company is deciding how to allocate their budget across multiple locations and assets. At a strategic level, the CSO could use CARVER to think through the factors involved for each location and then allocate resources for each facility.
To start, the CSO would ask a series of questions related to the CARVER criteria. Beginning with Criticality, they might ask, “How critical is the oil pipeline in Abuja, Nigeria, to the company’s overall operations?” Because Criticality is based on the importance of the asset (in this case the pipeline), the CSO would need to determine if the destruction or compromise of this asset would have a significant impact on the output, mission, or operation of the company. The CSO would rank Criticality like this:
5 – Loss of the pipeline would stop operations
4 – Loss would reduce operations considerably
3 – Loss would reduce operations
2 – Loss may reduce operations
1 – Loss would not affect operations
Obviously, the higher the number, the more detrimental the loss of the asset would be to the organization. The lower the number, the less detrimental the loss would be, or there might be redundancies in place — other pipelines, for example. (Those redundancies would also affect the asset’s Recoverability score.)
To assess the Recoverability of that same pipeline (perhaps after a natural disaster, sabotage, or a terrorist attack), the CSO would rank it like this:
5 – Extremely difficult to replace; long downtime
4 – Difficult to replace; long downtime
3 – Can be replaced in a relatively short time
2 – Easily replaced in a short time
1 – Can be replaced immediately; short or no downtime
The CSO would then continue ranking the Abuja pipeline on the other four criteria. If the pipeline received a 5 for Criticality and Recoverability, for example, it seems likely that it would be a good candidate to receive more of the CSO’s budget.
To consider another example, say a hedge fund is looking to acquire a tech company that claims to have a leading-edge technology. In addition to simply auditing the company’s books, analysts could perform a CARVER assessment to determine how close the competition might be to catching up to this technology, thus balancing the risk of the investment. The tech company may score low (meaning good) on Criticality and Recoverability but score high (meaning bad) on Accessibility and Effect. That Accessibility score might mean a competitor could beat the product to market, and the Effect could be the fallout from a controversial marketing campaign.
One question the analysts might ask for Effect is: “What is the effect on us if the tech company’s competitors beat us to market?”
5 – Very high economic, political, or social impact on the organization
4 – High economic, political, or social impact
3 – Moderate impact
2 – Little impact
1 – No unfavorable impact
The important thing to remember is that this exercise is conducted to identify, categorize, and prioritize high-risk assets; to assess vulnerabilities; and to make recommendations around risk. Once a CARVER assessment has been completed, and material risks and threats have been identified, security and risk management professionals can determine the best approach to take. Even the smallest difference in CARVER scores could influence whether you open a store in one location versus another, or help you decide between upgrading an existing product line and opting to create something new.
Strategic decisions are being made in boardrooms everywhere, by executives who are looking for any advantage over the competition. Business leaders are looking for hard numbers to provide them with an edge in their decision-making process. CARVER can provide a quantified justification for standing by — or abandoning — a decision or initiative.