Risk assessments provide the security professional with a quantifiable decision-making support tool that may be used to reduce the likelihood of a threat manifesting itself and subsequently disrupting business operations – a scenario the Board of Directors could well do without. Here, Richard Culver, David Cameron, Roy Manchip and Alistair Huston explain why security planning must focus on a clear, accurate picture of threat evolution.
At the macro level, hardly a day passes by without the national media carrying stories of crisis, whether engendered by disasters (such as Hurricane Katrina), acts of terrorism or civil unrest, robbery or cyber crime.
For the practising security professional all of these scenarios are almost inevitable. That being the case, sifting possibility from probability necessarily underpins the focus of strategic corporate security planning.
At the site or project level, how many of us have heard, for example, a security professional advise the client as follows: “You need to have X number of close protection teams, and an airlock front gate for your compound.” The question that needs to be asked is: “How was that conclusion reached, and exactly what methodology was employed to determine the resource commitment?”
In the case of the airlock, is there not a greater possibility that we are exposed to the threat of attack while contained in the airlock as opposed to moving straight through a barrier system? And as far as close protection’s concerned, what is the client’s risk profile? Does it warrant close protection, or will this in fact just make the client more appealing as a perceived high value target?
These are generic but also somewhat frequent examples, particularly in certain places within the Middle East.
What, then, is the bottom line? All risk elements are in some way measurable. They need to be defined in order to shape the necessary resource commitment and response. Equally, no two enterprises are the same, and thus neither are their security requirements. When undertaking a security survey, it follows that each situation will require a different set of parameters. There can be no ‘One Size Fits All’ template. Each scheme simply must be tailored to the client, the industry in which that client’s business sits, the environment and the nature of the project.
Every site is vastly different. For instance, you are unlikely to be robbed in Saudi Arabia. However, the incidence of robbery is high in Nigeria. That said, the likelihood of being involved in an attack by insurgents or being injured in a car accident is much higher in Saudi. Thorough risk analysis is intended to remove the intuitive approach to security planning, while also enabling better design of the security risk management programme.
Prior to the Olympic Games in Athens, we pre-deployed a reconnaissance team to prepare an evacuation plan which required a thorough assessment of the security environment. The analysis of potential threats and subsequent prioritising shaped the plan.
The assessment itself was formed through a combination of on-the-ground observation and raw information collection, as well as contacts with official sources of security information such as the police and diplomatic channels. Understanding where potential flashpoints of civil unrest were most likely to occur – or the potential impact of major security incidents – had an important influence on all means of evacuation from the city and country.
How do you define risk?
Risk is defined as the probability that a threat (composed of capability and intent) will act on a vulnerability to cause an impact or some form of harm. A high threat environment does not automatically equate to high risk, as measures can be taken to decrease vulnerabilities and mitigate against these threat sources.
The security professional needs to look at the environment and identify the range of threats, then make a risk assessment of the harm likely to be caused if a threat is manifested. Following this, one is then able to identify the measures needed to mitigate those threats. These can normally be categorised as personal security, physical site security, IT security and so on.
In producing a plan, it is vital to distinguish which threats may conceivably happen. Otherwise, a given client organisation will spend a vast – and quite unnecessary – amount of time and resources insuring against every possible risk by adopting a ‘ring of steel’-type mentality.
These past few years have demonstrated that risks to organisations can arise from a broad variety of sources, including deliberate (human) sources, natural and accidental causes. Environmental risks to organisations would include the outbreak of disease/pandemics, fire, flood, storms/high winds, drought, earthquakes, mudslides, tsunamis, hurricanes and tornado events. Risks arising from human sources would encompass bombings, shootings, chemical and/or biological attack, hacking and cracking, kidnap, extortion, arson, vandalism, theft, fraud, labour unrest, strikes and product contamination (to name but a few).
There are also risks in the equipment, utilities and transport arenas emanating from occurrences including IT failures, power outages, burst water mains, telecommunications failures, gas leakages and transport strikes.
Let’s not forget about possible accidental risks, either! Security professionals need to consider the possibility of road vehicle and aircraft accidents, ships capsizing, missing persons, mass casualty accidents, oil spillages and even building collapse due to structural failures, etc.
The human threat
Much has been written in the national media – and indeed within the pages of Security Management Today – about the risks posed by terrorism. To a lesser extent with the Madrid bombings, but certainly with London on 7/7, there has never been a shared belief among security professionals that major cities are ‘safe’ from the threat of terrorist acts perpetrated by various extremist factions.
Indeed, both the Mayor of London and the former Commissioner of the Metropolitan Police, Lord Stevens, repeatedly warned that in spite of anti-terrorist branch successes, there was a credible threat to London and that an attack was ‘inevitable’. The dynamism in the situation primarily comes from understanding the threat posed by the terrorists as a ‘franchise’ rather than as a centrally-controlled and directed threat (which has been the case until now).
Nevertheless, it is extremely unlikely that the security industry would receive quality intelligence during an event akin to the London suicide bombings. In such circumstances, what security professionals do receive is a vast amount of information (some of it contradictory). In respect of the London bombings, the analytical team was able to process information rapidly and issue an advisory notice to its clients – together with a reasoned assessment of the mid-term effect on London’s public transport system – within a mere two hours.
The team was also capable of assessing the situation within a wider and unbiased viewpoint. In this way, rumours and spurious reports are quickly filtered out. It’s true to say that corporations are far more capable of responding to crises if they have reliable information in front of them – regardless of its nature – than if they have to work in an information vacuum or deal with the dreaded ‘information overload’.
In the continuum of threats that may cause business interruption, terrorist attacks are widely regarded as falling into the majority (80%+) of threats that are considered a low (or very low) likelihood event. Terrorism is most certainly not the only ‘human-sponsored’ threat. That said, it does receive the most media and corporate attention.
Incidents are often incorrectly attributed to terrorism as a result of this approach. By way of example, at least one attack in Saudi Arabia during the past 18 months was widely thought to be the work of a terrorist cell but, in truth, the perpetrators were disgruntled former employees of the company.
Human sources of threat include such former members of staff, in addition to issue-motivated groups, the thief, competitors, vandals and, in some cases, host Governments. Their actions can arise from a vast array of different motivations, whether it be opposition to the manufacture of the latest product or perceived injustice at the hands of management. Again, this highlights the overriding need for accurate risk assessment.
The likelihood of some form of disruption to the business from a disgruntled employee is far greater than that from terrorist attacks (and should be treated as such when policies and procedures are being decided upon).
How do we express ‘threat’?
The process of assessing threats from human sources is one that judges the capabilities of the group or individual, and their intent to inflict harm. Thus, threat is expressed through the following equation:
Capability x Intent = Threat
The measure of capability involves consideration of the resources and knowledge that the threat possesses. Resources can include people, finances, logistical support, weapons and ammunition. Knowledge includes not only the availability of information or intelligence, but also its ability to apply tactics, techniques and procedures.
Intent is a measure of the degree to which the threat source or entity has demonstrated its hostility to the company’s interests. It cannot exist without both the desire to inflict harm and the expectation that such efforts will yield a successful outcome. That desire can be demonstrated through a stated position, or alternatively past (or current) actions. Desire may also be indicated where it can be clearly shown that a given entity has close relationships with organisations or individuals that have posed a threat in the past, and it is reasonable to assume that the subject group is aware of this.
Expectation of success is largely dependent on the source’s perception of its ability to overcome the preventive security measures in place to protect the target entity.
The measurement of threat is expressed as an assessment statement. In essence, this is a combination of intent and capability, and is rated as high, medium, low or insignificant. The threat assessment matrix (table 1, below) provides a simple tool to achieve a qualitative assessment of threat.
As a first step towards measuring the threat from natural disasters, the location and probability of any occurrence of historical natural disasters is analysed and compared with the possible range of event severity. In this case the threat calculation would be:
Severity x Probability = Threat
Assessment of the threat from natural disasters is typically simpler than assessing the threat from human sources. Improvements in weather forecasting have also meant that there is generally a greater lead time and greater accuracy upon which company managers might make informed decisions.
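The two threat calculations above, worked through as an added example that is not part of the original article. The 0-3 ordinal scale, the rating cut-offs, the use of the weaker of desire and expectation as the intent score, and the sample register entries are all assumptions made for illustration, since table 1 is not reproduced here.

```python
from dataclasses import dataclass

# Assumed ordinal scale for every factor: 0 = none, 1 = low, 2 = medium, 3 = high.

def band(score: int) -> str:
    """Map a 0-9 product to a rating. Cut-offs are assumed, not the article's table 1."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    if score >= 1:
        return "low"
    return "insignificant"

def intent(desire: int, expectation: int) -> int:
    """Intent needs both desire and expectation of success, so the weaker one
    caps it (a modelling assumption); if either is 0, intent is 0."""
    return min(desire, expectation)

def human_threat(capability: int, desire: int, expectation: int) -> int:
    return capability * intent(desire, expectation)   # Capability x Intent

def natural_threat(severity: int, probability: int) -> int:
    return severity * probability                     # Severity x Probability

@dataclass
class Entry:
    name: str
    kind: str        # "human" or "natural"
    factors: tuple   # human: (capability, desire, expectation); natural: (severity, probability)

def assess(register):
    """Score every entry and return (name, score, rating) rows, highest threat first."""
    rows = []
    for e in register:
        if any(not 0 <= f <= 3 for f in e.factors):
            raise ValueError(f"factor outside 0-3 scale: {e.name}")
        score = human_threat(*e.factors) if e.kind == "human" else natural_threat(*e.factors)
        rows.append((e.name, score, band(score)))
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample register, for illustration only.
SAMPLE = [
    Entry("Issue-motivated group, hostile, but site well protected", "human", (2, 3, 1)),
    Entry("Disgruntled former employee with site knowledge", "human", (2, 3, 3)),
    Entry("Well-resourced competitor, no demonstrated hostility", "human", (3, 0, 2)),
    Entry("Seasonal flooding at the site", "natural", (2, 2)),
]

if __name__ == "__main__":
    for name, score, rating in assess(SAMPLE):
        print(f"{rating:<13} {score}  {name}")
```

A capable source with no demonstrated desire scores as insignificant, and strong preventive measures that lower the expectation of success pull an otherwise hostile source down to low.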
The myriad of threats listed above indicates that the process of risk assessment, when carried out in a thorough and proper manner, may be a complex endeavour of some magnitude. The breadth and depth of possible risks also highlights the necessity of narrowing the range as early in the process as possible. A given site or facility may be less critical to an operation or organisation, and thus the overall risk to business continuity is not as extreme. That being the case, the key lies in identifying the critical assets, the threats most likely to occur and those most harmful to the organisation if they were to occur. This would enable a rational and cost-effective approach to risk management by prioritising the overall 'spend' on security. When completed in concert with project development, this will also reduce the (costly) likelihood of ‘retrofitting’ security procedures and resources.
The Intelligence Cycle
By virtue of its composition, a threat could change over time. Accordingly, risk assessments should be conducted periodically such that vulnerability might be measured against the threat environment.
Any analysis of capability and intent is carried out as part of The Intelligence Cycle, a fundamental processing tool which should be used by all intelligence analysts. Without having been through The Intelligence Cycle, collected data remains raw information and is not considered to be intelligence.
The first part of The Intelligence Cycle is direction. Without direction, the collection effort is not focused and is likely to fail in its bid to plug the gaps in information needs. As part of the cycle, direction is also provided when all other parts of the intelligence cycle are complete – new intelligence almost always provides new information requirements.
The second part of the cycle involves collection. In other words, the tasking of collection assets through a collection plan, ensuring that the most appropriate assets are being used to answer information requirements. The collection plan is largely influenced by the direction. Once information has been collected, it is then processed. This is the third part of the cycle, wherein all of the information collected is integrated, evaluated and graded for reliability and relevance.
This fusion of the collected data – and the subsequent assessment of it – provides an intelligence product which then enters the fourth part of the cycle, namely dissemination. The intelligence product reaches the right people in a timely manner.
Evolution of the threat
The emergency response and security plans that are developed will rely upon a clear and accurate picture of the evolution of threat if they are to be relevant. Modelling these processes against fully-developed threat scenarios will validate the procedure prioritisation established through the business impact assessment.
Typical would be the case of a company requiring a security risk assessment on a new aid project in Afghanistan aimed at constructing water supply systems and providing distribution facilities. That same company had never worked in the country before, and its Board members were concerned about Afghanistan’s high risk rating (second only to Iraq). The company contracted one of our crisis management consultants to conduct a risk assessment on the project. On the basis of our recommendations, the Board decided to proceed with the project.
Our consultant then developed the Project Security Plan, the Request for Tender for in-country security services, specified the required protective vehicles and body armour and assisted the client in selecting a quality security solutions provider.
In a subsequent phase, the consultant in question was deployed with the project team to Afghanistan in order to oversee the implementation of the security programme, and currently provides ongoing third party security advice and oversight.
The project has now been operating safely in Afghanistan for ten months, despite one near miss – an abortive attack on a convoy – and is delivering clean water to the Afghan people. It has also helped construction operations to continue through the use of intelligence and effective physical security.
The corporation’s Duty of Care has been fulfilled, while the company’s expatriate project team feels safe and secure in what is a high risk security environment.
Source: SMT
Postscript
Richard Culver is senior director of security services for the EMEA and CIS regions at International SOS.
David Cameron is vice-president of security services for the Americas.
Roy Manchip is security risk manager for the Middle East region and Alistair Huston is senior intelligence analyst for the EMEA and CIS regions.