The corporate function which cannot justify its return on investment is, at best, doomed to obscurity. At the very worst, it could be disbanded. If that fate isn’t to befall UK security departments, argues David Cresswell, practising managers must adopt a risk-led security programme on site that applies the basic tenets of risk management at all times.
One shortcoming of the security management profession lies in its very title. The term ‘security manager’ implies that the role of the incumbent is to manage security systems and responses. Indeed, many companies require that and nothing more. This is particularly evident in the contracted management of security services.
However, for many large multinational outfits such solutions-led security programmes are totally unacceptable. Security is a fixed cost, and it’s those fixed costs above all else which must be kept under constant review in order for the business to remain competitive. All fixed cost functions should be measured in terms of the quantifiable benefits they bring to the enterprise, and security can be no exception to that rule.
The corporate function which cannot justify its return on investment is doomed to obscurity (at best) and, at worst, disbandment.
Applying risk management
The ideal scenario is a risk-led security programme. The application of risk management provides the appropriate starting point for any security management programme. Security risk management offers a logical and accountable basis around which to plan security strategies for most situations. Importantly, when incidents and losses occur – as they invariably do – the security manager who can demonstrate graphically that his or her judgement was informed by a thorough risk analysis will be most likely to survive!
It’s simply unprofessional to implement security activities or measures just because they appear to be the norm or simply because everyone else does so. And yet, mainly through a lack of any appropriate training, so many managers are guilty of precisely that ‘offence’.
Risk management lies at the very heart of all Health and Safety and environmental protection programmes, and thus it’s hardly surprising that in industries such as the oil and gas sectors – where those elements underpin almost all activities – it has witnessed its widest acceptance as a mandatory security management tool.
Security risk management methodologies can vary greatly. Most, however, revolve around one common core concept – the measurement of risk is achieved by combining (in some way) the likelihood of a threat (probability) with its potential consequences (or impact), then measuring the result against a third criterion such as controls, manageability or vulnerability. The final stage of the process sees the implementation of mitigating strategies, such as risk transfer, risk retention and risk reduction, etc.
In practice, a basic matrix can be used by the security manager (figure 1). That said, there’s an obvious weakness to such a methodology (ie the terminology used in the scales). Terms such as ‘Unlikely’ may mean different things to different people, so any risk analysis should always be undertaken as a collective exercise.
In some cases it may be possible to use quantitative values for both scales (for example, frequency ‘2’ could equal “every five-to-ten years” and impact ‘3’ might equal “between £50 and £500,000”). This may well be appropriate in both manufacturing and retail environments where persistent and predictable theft problems prevail, but only where there has been accurate recording of all incidents. In many businesses 100% recording and collation of security incidents is rare (in direct contrast to safety incident reporting) – and disappointing.
At this point, it’s worth reminding ourselves that as far as security incidents are concerned, the fact that something hasn’t occurred previously must never be taken as a true reflection of its future likelihood. For instance, although Al-Qaeda hasn’t yet succeeded in attacking a US or UK airliner with a shoulder-launched missile, should this be taken as an indication that such an occurrence will not happen in the future? After all, who would have predicted that ‘Batman’ would one day adorn the façade of Buckingham Palace?
Figure 2 sees the product of the probability/impact chart measured against a further criterion (ie controls). This allows us to prioritise the urgency of the mitigation measures. By using simple computer programs like MS Excel, all information may be kept up-to-date and cross-referenced to specific line management action plans.
The risk management process must be an ongoing activity, not something that’s completed and then filed away. For it to succeed, it must attract the involvement of company management at all levels.
Risk mitigation treatments
The final stage of the risk management process is the selection of the most appropriate risk mitigation treatment. Here, it’s important to be reminded that the security manager is there to increase the company’s profits, so any expenditure on security must be fully and continuously justifiable.
What, then, are the risk mitigation options? You can remove the risk (by removing the target) or accept it (for example, petty theft of stationery). You could retain the risk (by self-insuring) or reduce it by implementing appropriate security measures.
Transferring the risk is a further option open to the security manager, this time via insurance, outsourcing and subcontracting, as is substitution (replacing attractive items in the business with less attractive options which fulfil the same purpose).
Security managers could also choose to concentrate the risk (and afford special protection), or spread the risk (which is akin to not having all of one’s eggs in the same basket). Available contingency (or redundancy, so as to lessen the impact of any incident) is a possibility, as is mutual aid (ie the ability to call on the services of a neighbour or sister site in the event of a crisis).
Source
SMT
Postscript
David Cresswell CPP is managing director of ARC Training International (www.arc-tc.com)