Security professionals are often required to conduct risk assessments. Sometimes the security risk assessor focuses on the vulnerabilities they happen to notice in their employer’s facility or operations. For example, a risk assessor with an electronics background might make quite a few suggestions about how to improve access control systems, intrusion alarms and CCTV. Of course, it can be useful for decision makers to understand how security could be improved in their facility or organisation. However, there is an important question that needs to be asked first: is an upgrade of security really necessary?
To answer this question, it is important to understand the context of the decision problem. In this article, I will try to explain this concept for people who are new to the risk assessment process and perhaps remind others.
Context is usually defined in dictionaries as the circumstances that form the setting for an event, statement, or idea. In security reviews this generally refers to threat events that might present unacceptable outcomes or unwanted impacts on the objectives of the decision makers. It seems that after any major terrorist event in a Western country there is always a flurry of risk assessment activity because decision makers want to know if their own organisations or the societies they protect are exposed to the changed threat environment.
Sometimes a societal or organisational risk environment might have changed due to other factors that are not directly related to security, such as economic or political factors. For example, there could be an objective to reduce expenditure through efficiency gains. In this case, the risk assessment might be requested to highlight potential savings in operational costs. There are many reasons why a risk assessment could be needed in the decision process.
Clearly, it is important to understand who the decision makers might be and what their motivation is for conducting a risk assessment. In the absence of this information, the risk analyst might be tempted to raise issues of concern to himself, instead of those that the decision maker wants to address. For example, a security consultant might be concerned about the physical vulnerabilities of a particular building that has poorly maintained security systems. The consultant might explain how thieves could exploit these vulnerabilities, and the need for better physical security. He might offer some good ideas about how to achieve more effective security and suggest a suitable budget to cover the cost. However, the strategic manager responsible for deciding what to do with the building might be more interested in some other objective. For example, there might be a strategic decision to sell the building or lease it to a tenant. The strategic manager may simply want to ensure that the security systems are operational and adequate for presentation purposes. This is just one example; there are many others where the risk analyst and the decision maker are concerned about different issues. The risk assessor might think he is doing his job well, but the decision maker could be presented with expensive security solutions to a problem he does not want to solve!
This strategic misalignment of security and business objectives can cause tension between the security operatives and the senior managers they advise. For this reason, it is very important for security professionals to understand the business objectives of the organisation for which they are providing security advice. They need to understand what the senior managers are trying to achieve. The security goals need to align with those objectives in order for the security risk assessment to be in tune with the context.
For this reason, most risk management standards emphasise the need to establish the context of the assessment before identifying threats and vulnerabilities. ISO 31000:2009, for example, describes the external context as the key drivers and trends having an impact on the objectives of the organisation, together with the values and perceptions of external stakeholders. In practice, a security intelligence agency or a central security policy agency might describe the current threat environment (such as terrorism) for a particular industry sector at the national level. That context then needs to be refined to fit the state level, the market segment level and even the facility level. It all depends on who the decision makers and stakeholders are.
Senior decision makers need to consider which threats and risks might prevent their organisation from achieving its business objectives. Security is only one category of risk that they need to consider. There can be many other categories. Security advisers need to ensure that their assessments and advice are in the context of the business objectives of the organisation that they serve.