Effective Risk Management – seven ways to make an impact
Risk Management, resilience, business continuity and related areas are born of the need for insurance and protective measures. Essentially, if we look at their raw ingredients, we are protectors of people, finance, property, reputations and, as is so critical today, information.
Today’s risk management roles almost require the ability to see into the future, identify the unknown and deal with the now all too common term “unprecedented” in response to major incidents. In light of this, reviewing previous incidents and our current approach is vital for effective risk management. Here are seven considerations for effective risk management:
It is important to consider the speed at which technology grows and develops: this rapidity affects our risk management. Organisations need to embrace these rapid changes to endure and flourish. In the constant race for new tech, can physical security learn from these advances? What are the equivalent physical alternatives or processes in the real world? Along with the technical advances, new legislation also affects risk, and keeping up to date with it must be part of risk management.
The saying “a chain is only as strong as its weakest link” is never more apparent than in the risk management environment. The wider impact of risk includes the reliance on others to do business and this is often evident when things go wrong.
Organisations do not work in silos; they are all in some way or other dependent on someone or something else to function. This interdependency and interoperability are fundamental to modern risk management. The recent Hi Vis days carried out by the City Security Council and the City of London Police demonstrate that this interdependency and partnership working are essential for the wider protective environment. Web-based platforms and the internet also demonstrate this interoperability perfectly.
Communication in risk management is critical, and it is usually the first point of failure when responding to any incident. Measures to minimise the margins of error must be in place for when risks become incidents. Understanding the sender/receiver cycle will assist in reducing any communication blocks. As once famously stated: “no plan survives its first contact with the enemy.” This does not mean you cannot plan and test responses to your identified risks; quite the opposite, in fact.
Key to any effective risk management is having the right person in the right place. This in turn means the right information in the right hands, so that decisions, often made by the first responder, can be managed in principle as well as in process, and so that the “why” behind any response is understood.
Risk planning is often defined as including organisational, physical, psychological, legal, economic and moral aspects. All of these add to the complexity of a problem and impact on the risks and the need to be more resilient.
An understanding of how you respond to High Impact, Low Probability and Low Impact, High Probability events needs to be in place. The most critical question to ask is: “is the plan suitable for the most likely first responder?” In practice, the available plan needs to be a simple set of instructions that can be actioned under duress.
With any risk judgement, we must consider the person making the assessment, whose judgement will be subjective and based on that person’s experience, knowledge, abilities and, in some cases, qualifications. This assessment will ultimately determine the efficacy of any plans when applied to live situations.
Ultimately, people will be dealing with any incident, so having the right information, at the right level, with those who understand their roles in relation to these plans is vital. Competency is key. Whichever way or model is employed in planning (for example, the gold, silver, bronze structure), ensuring competency through testing means that you may avoid outcomes as tragic as that at the Manchester Arena.
Risk and resilience go hand in hand and each organisation will have specificity built into its own risks and responses across various levels.
As situations arise, the impact of these threats may or may not become apparent. However, there must be plans to mitigate, respond, and run operationally under duress if these risks manifest. The current COVID situation is a great example. The planning involved in rapidly deploying resources and responses during COVID demonstrated that having the right information, with the right people and working with available partners was of paramount importance.
Embracing interoperability and strengthening reliance on other partners can decrease risk. However, structured steps in the response plans massively increased understanding and bolstered the resilience elements in the risk management process. This was certainly true in our case.
Emerging from this, I am sure several risk modelling variations were used across organisations within our industry. This will have enabled them to continue to operate on a much stronger level because of this resilience being tested daily during the pandemic.
The recent periods of isolation and fundamental changes in how we have had to live have had a massive impact on the terrorism threat we face.
As security professionals, we need to be honest and truly consider what effective counter-terrorism (CT) looks like in our attitudes and culture. In any major incident the immediate responses in the aftermath are shock, horror and grief. This is followed by the investigations, reviews, and the dissection of how it happened. This heightened focus and response sadly settles all too quickly after an incident.
Outside those directly affected, this response needs to change: the “it won’t happen to me” mindset needs to be “not if, but when this happens to me”. There is excellent training available such as ACT, SCaN, and other programs in the industry. However, security culture needs to change. The incredible work being driven by Figen Murray on the Protect Duty, Martyn’s Law is so critical.
We get so absorbed in our roles, especially the day-to-day operations and contract fulfilment, that the security function can be diluted. The core security basics sadly may not be carried out. Emphasising customer service is impacting the security function and detracting from the essential security role, in my view.
What we can forget is that terrorism is a crime. The methods employed by hostiles (those with negative intentions) carrying out reconnaissance are the same as if they were going to carry out a simple burglary. The methods used to disrupt crime are equally effective on those looking to commit opportunistic crime as they are on those planning something more sinister.
Simply put, if we make it uncomfortable for those with nefarious intent, minimise their opportunity to operate in our own small areas of responsibility and cooperate with our neighbouring security teams and police, then these small areas combine into a larger secure area.
Coaching frontline security teams to engage in this every day will change their mindset and is an effective CT measure. All of this helps to minimise the risks and deter the threats. As previously mentioned, the right information, at the right level, is essential in the risk management strategy.
“Unprecedented”, “not seen on this scale”, “unthinkable”, “inconceivable” are descriptions used all too often when we look back on what we have contended with in the security environment in the last 20-odd years.
Where does this leave us in terms of delivering innovation and new ideas, chasing that elusive next “eureka” moment? Sometimes innovation is so expected that it may even be included in KPI measurements.
The current approach may lead to “blue sky thinking” or ideas for ideas’ sake. For me, this is mostly a waste of time. New does not necessarily mean better. The threats and risk appetites that we deal with vary massively. Applying tried and tested approaches to security to these differing situations can lead to innovation in how they are applied.
An area that is regularly overlooked when considering innovation is lessons learnt. Reviewing previous experiences is critical to evolving response and mitigation measures. Without this dissection, mistakes are easily replicated through habitual or established responses when assessing risk and resilience.
The “how” something was implemented, not the “what”, can bring innovation in my view: how was security applied within the environment it was expected to protect? This understanding of the environment and its risks will drive innovation and bring stronger and more effective security. A wiser man than me always emphasised the need to coach security teams on the “why”. This will lead to teams making the right decisions when they really need to.
Jon Felix BSc (Hons) MDIP MBCI MSyl
Security Risk & Threat Advisor CIS Security