In a bid to shave bottom line costs, many companies are increasing the remit of security professionals to administer complementary areas such as Health and Safety, IT and general facilities management. Is there a danger that such trends might blur the management and accountability of security? While examining the area of risk, we explain why security management as a discipline must always remain fully focused on crime prevention.
These days it's becoming increasingly difficult to avoid the term 'risk management'. This might well be due to a backlash within society concerning a spate of high profile train crashes, air transport and shipping disasters. It may also have something to do with the many changes to our legal system that have opened the way for individuals to take action against those companies found to be negligent in carrying out their business.

Either way, it's now a prudent commercial exercise for companies to take a much closer look at their operations in a bid to minimise risk. Legislation proposing to hold company directors responsible for their organisation's failures – 'Businesses face penalties under new corporate killing proposals', News, SMT, July 2003, p7 – is now beginning to concentrate minds among the highest corporate echelons.

The criticality of systems in post-modern societies has also played its part in the reassessment of the implications of their failure and any associated risks, a susceptibility highlighted by the recent instances of terrorist attack.

By demonstrating the vulnerabilities of a developed, post-modern society to such 'terror tactics', a far closer examination of risk and its management has been carried out by Governments and commercial enterprises alike. In turn, this has generated a demand for higher levels of security to safeguard vulnerable economic and strategic targets.

In order to correctly assess the nature of a potentially harmful situation, and then find a way to manage it, the security professional must first understand what is meant by the term 'risk'.

Technically, risk is usually taken to consist of two components. First, a numerical probability that a particular hazard will eventuate and, second, a numerical estimate of the consequences that might result. Of course, risk isn't always measured purely in mathematical terms, but also in perceptional or cognitive terms (thereby linking risk to commercial and economic concerns).

When dealing with security, the context in which there's exposure to risk may be problematic. The basic difficulty stems from the fact that, as an area of study, security management is a relatively new field. It's in a developmental state, and thus it's very difficult indeed to find a common standard or model which can be adopted by practitioners in the field. For this reason, security management is often linked to other activities (risk management among them) as an 'add-on'.

Risk and security management
The term 'risk management' is used in the commercial world to describe various activities ranging from crime prevention and financial management through to Health and Safety and corporate mergers and acquisitions. Although a collaborative medium, security management must be seen to be a distinctly separate discipline in its own right.

Security is viewed by the wider society as the fight against crime and criminality (including fraud and corruption). Consequently, security management must focus on crime prevention and policing. It's closely linked to criminology and the study of that area. To this end, the idea of security management as a stand-alone, systematic approach to crime control and prevention does indeed have its proponents, Professor Martin Gill of PRCI (and formerly The Scarman Centre) among them.

A somewhat broader perspective is offered by viewing security management within a wider range of activities that may or may not be associated with criminal activity, but which are nonetheless related to losses being suffered. This approach is marked by an assumption that these losses are measurable, and that security actions might be implemented to quantifiably manage risk. Losses arising from accidents, fires, crime and all disasters would fall under this category. The concept is gaining ground, with security management often being 'attached' to other disciplines such as facilities and Health and Safety management.

A further approach still is to view security management as a branch of the discipline of risk management, looking at the overall situation from an applied or operational risk management perspective. This model has also gained widespread acceptance, particularly in the corporate environment.

With some of these approaches, there's always a possibility that security managers will be asked to take on responsibilities and functions presently performed by other members of staff, or that non-security staff are tasked with security-related duties. As security professional Simon Smith stated in a recent edition of the International Institute of Security's newsletter: "That, increasingly, both the private and public sectors are diluting security and (even worse) security management with the minutiae of care-taking and even building management is an appalling trend."

There's a real danger here, in that such developments may cause a blurring of the management and accountability of security. That could lead to security becoming less prioritised in comparison with other management functions, or simply being run by members of staff with a lack of knowledge in security as a discipline.

It's a dangerous route for corporate concerns to take, since it's primarily aimed at reducing costs by loading several functions onto non-specialist operatives. A vicious circle will be created in that risks could be significantly increased, which in turn might result in rising costs in order to further reduce those risks! A case could be made that security managers are being forced to assume the role of corporate risk management, or that security management is being forced into becoming an integral part of the corporate risk management function. Therefore, the primary (and increasingly more significant) function of security management might disappear altogether, fully exposing corporate concerns to acts of terrorism and criminal activity, all due to the loss of preventative security measures and a major dilution of operational security.

Although support may be gained for more diversification of the security manager's role, at the same time there has to be a consideration of the remuneration associated with increased accountability and responsibility. At present, security managers aren't paid on a scale that's in any way comparable to that found in risk management sectors. The average salary for a corporate risk manager is around the £60,000 per annum mark, while that of a security manager is £25,000-£30,000. If companies want to be taken seriously with respect to their commitment to security then this imbalance simply has to be addressed.

The background to change
Diversification of the role or parameters of security management has been taking place against a backdrop of commercial stimuli, as well as socio-economic and socio-political drivers. Globalisation has intensified competition, engendering smaller margins for profit, and so there has been a clamour to cut costs wherever possible.

That being the case, for profit-hungry organisations the hiring of risk managers to first identify and subsequently minimise risks to the business will pay major dividends relative to their cost. That's wholly in line with the corporate objective of value maximisation and increased profits. However, risk managers in financial markets may not be suitably qualified to assess risks associated with criminality or terrorist threats. Caution must be exercised in how best to assess the security risk. What's really needed is a more collaborative approach between those involved in risk and security management rather than a continued erosion and dilution of both roles.

An excellent example of successful collaboration can be seen within the NHS. Although working together with the NHS, the Department of Health has set up a separate Security Management Directorate as part of the Counter Fraud and Security Management Service – a special Health Authority within the NHS ('Healthier options', SMT, September 2003, pp23-24).

Here, the Security Management Directorate assumes overall responsibility for all policy and operational matters related to the management of security within the delivery of NHS services. It also works closely with all those involved in risk management throughout the NHS.

Such an approach should be recommended in all corporations, ensuring that risks (whatever they may be) are duly managed by appropriately trained and qualified personnel at all times.

Narrower margins for error
The growth in technology has been accompanied by an upsurge in pure risks (ie those risks where the outcomes are losses or no change). This has occurred due to a paradox whereby improvements in technology have increased the problems of vulnerability. Technological advance has realised major reductions in the frequency of accidents, but these same advances have also increased the magnitude or potential of damage. The more society embraces new technologies, the narrower the margins for error.

Threats to information security
Further threats to business in the form of 'cybotage' and 'cybo-terror' have also become reality, as evidenced by global computer virus attacks and Internet banking frauds. In spite of this, the e-commerce community has been slow to take on board the need for improved security measures. Worryingly, a recent survey conducted by Integralis among 150 corporate concerns suggests that only 25% of those organisations have any active Board level involvement when it comes to security issues. That's far from being good news.

In today's commercial environment, computer and data systems are vitally important to the smooth running of almost every business. It must be a priority to identify any risks posed to the security of electronically-held information, and take steps to minimise those threats. The rise in overall costs in risks and damages to modern businesses further supports the case that security management should be maintained as a separate discipline.

However, corporations exist in order to make a profit. The entire risk to which they're exposed becomes a choice, and is therefore speculative. Managers at many levels of businesses are embroiled in the assessment of speculative risk, while security managers – on the whole – are not part of this decision-making process, or are involved only on the periphery.

That status quo is beginning to change, though. As the role of security manager becomes more recognised, there now appears to be a paradigm shift in the corporate world. Widening the scope of security management to cover e-commerce, IT security and continuity planning, etc is all well and good. Costs will be cut and the bottom line improved, but will it reduce or minimise the risks?

Having recognised that risk management is increasingly more critical to the existence of any corporation, consideration must be given as to how managers actively deal with risk. Practitioners involved in security and risk management will normally use a variety of techniques within their role that will incorporate risk identification, risk measurement, the selection of appropriate management tools and the implementation of well-reasoned decisions.

In essence, risk identification involves the process by which internal or external sources of threat might ultimately be identified. Various types of analytical tool may well be deployed to identify shifts or uncertainties in the Physical, Environmental, Social, Technological (PEST), political, economic and/or cognitive environment as appropriate.

It's not as simple as all that, though. Normally, there are two elements to risk: a threat, plus a consequential harm. This may be expressed as a potential/likelihood and consequence/vulnerability. A change in either element will impact upon the overall risk exposure of the company. Measuring these risks can prove to be difficult. Primary costs (ie those of lost assets) are easily identifiable, but secondary or indirect costs, which may be more than primary costs, are harder to calculate since many such costs may be hidden (eg lost time through injury and reduced staff morale).

In dealing with crime risk, situational prevention measures (and in particular target hardening) have gained in popularity because of the results they produce. This is the most widely used technique among security managers, but social crime prevention methods (such as the building of community centres) are also being implemented.

'Situationalism' should also be considered as a loss prevention tool (by way of introducing CCTV, etc). Similarly, redistribution of the risk or 'loss reduction' – a post-loss solution involving linkages and interactions in the risk chain – may be another helpful risk management tool (eg the backing-up of software and data, the separation of potentially related losses and cross-training of staff as a contingency, and distributing exposure of the risk over several sites).

Risk avoidance: the concept
An alternative risk control method is that of risk avoidance which, from a security management perspective, is certainly a viable option if the situation deems it necessary. An example would be to pay employees via bank transfer rather than cash to reduce the risk of possible robberies. There's a potential loss of benefits that may have been derived from this strategy toward that risk. There is also the possibility that avoidance or abandonment of a risky project may create a new risk elsewhere.

At the present time, one of the most commonly practised forms of managing risk is to bear the costs of that risk internally (by way of loss retention or risk acceptance, generally referred to as 'self-insurance'). It's often the case that there's no choice but to accept a risk. Cash-rich companies favour that policy, but it doesn't guarantee continuity of operations. Only good planning and execution of contingency procedures will do that.

Another widely-used procedure is that of risk transference (the most commonly known form being via the use of insurance). However, it's important to remember that, by buying insurance, the organisation in question is only transferring some of the financial consequences of the risk to the insurer rather than the actual risk of loss itself. In other words, the risk will still need to be managed within the organisation.

The changing face of global markets has led to the recognition that traditional insurance methods need to be adapted to meet new demands. As business needs have become more complex, the insurance market has reacted with more innovative products – often referred to under the umbrella term of Alternative Risk Transfer (ART), a term used for products that are non-traditional.

At present only a small percentage of insurance business is conducted using ART techniques, but the figures are likely to rise in the future as new products flood the market.

Generally speaking, organisations don't rely on a single risk management strategy. They'll use a mixture of different approaches, but cost-effectiveness will always remain a major driver.

A false and dangerous economy
Ultimately, there's a danger that instead of using risk management as an aid to security management, short-term economic considerations will entice companies to bolt-on security management to existing functions – building management, IT or insurance risk departments. Consequently, security becomes focused on other areas besides crime prevention, leading to a dilution of function and a weakening of overall security.