When Risk Management Fails!


Periodically, security professionals are expected, by standards of good governance, to conduct a physical security risk review at a facility or a whole portfolio of facilities. These might be offices, an airport, power station, water supply dam, a hospital, railway network, sports stadium or a shopping centre. No matter what type of facility, the process of conducting a risk assessment should be quite well understood by security professionals and is documented in standards or guidelines such as ISO 31000:2009, Australian Handbook HB 167:2006, and the new risk assessment standard designated as ANSI/ASIS/RIMS RA.1-2015.

On the face of it, risk analysis and assessment should not be difficult. The equation for calculating risk is simple enough:

Risk = Likelihood (of a security event) × Consequences (of the event)

The analyst needs to consider the security events or incidents of concern, estimate the likelihood of them happening and then calculate or describe the consequences that would arise from each event. These might be consequences for the facility owner or operator, for a tenant, for people in the facility, for the community that relies on the facility for its services, or for a whole supply chain of businesses.

Reducing the likelihood or consequences of a risk event will reduce the magnitude of the risk. Fundamentally, controlling risk so that it is within acceptable limits is the primary aim of risk management. Acceptable risk would preferably be at a level that the business or operation can tolerate or to which it may be resilient.

A security manager will usually seek funding for security measures needed to control the risk; for example, when there are new threats, vulnerabilities and risks. Conversely, when certain threats are removed, there may be scope to reduce the security necessary.

While security managers and consultants may have a precise focus on probable security events and what needs to be done to mitigate the risks, other more generalist managers, who control funding and resources, usually also need to think about other categories of risks. For example, they may be concerned about how best to achieve corporate, program or project objectives within the allocated budget and prescribed time schedule. Thus the risks with which they will be concerned are those that would prevent achievement of those objectives.

The more senior a manager is in a hierarchy, the greater the breadth and diversity of the risks that need to be addressed and the more complex the decision problem may become.

The security risk analysis and assessment needs to be understood by the decision makers in senior executive positions. The broader context of business operations and objectives needs to be understood by the security manager. Without such understanding, miscommunication and poor decision making can occur. Decision makers need to be given the information necessary for them to compare security risks with other business or operational risks. They must determine which risks need action and when; and which risks need monitoring. However, all of the risk information needs to be in a form that does not overload the decision maker.

Risk management failures can occur for many reasons. Poor analysis is a common cause. Another is a weak decision process that has not been designed to compare risks and assess them to determine priorities, budgets and resources required to implement necessary mitigating measures. A third cause is when decisions are not implemented in the time frame necessary to have the desired effect on the identified risk. Importantly, and often forgotten, risks can and do change, sometimes rapidly.

Sometimes the organisation will change its goals, which in turn can change the risk ‘appetite’ or alter the resilience of the organisation. The organisation’s risk policy statement should be clear about the objectives of the risk management framework and the processes that are required.

Risk is a simple concept, but managing risk is a juggling act that requires good analysis and exceptional corporate governance. The more issues that are being juggled, the more complex risk management becomes. The greater the complexity, the greater the undesirable uncertainty and the harder it becomes to make an informed decision. It is possible for a security professional to correctly predict a security disaster and yet, for all sorts of reasons, for the organisation to fail to act in time.

Achieving highly reliable risk management operations requires professional levels of knowledge, skilful analysis, excellent corporate governance and the agility to respond to changing threats and opportunities in the business environment.

Kevin Foster
Dr Kevin J. Foster is the managing director of Foster Risk Management Pty Ltd, an Australian company that provides independent research aimed at finding better ways to manage risk for security and public safety, and improving our understanding of emerging threats from ‘intelligent’ technologies.