
Page 1: psscanada.com 27.docx  · Web view2019. 3. 6. · Management changed its name to the Risk & Insurance Management Society (RIMS) (Hampton, 2007). Essentially, the insurance providers

CHAPTER 27 - Security Risk Management

OBJECTIVES

Explain the basis for all protection functions, regardless of environment in which they are practiced

Identify and define two key elements of security risk management

Explain the risk management cycle/process

Reinforce the idea that the practice of risk management requires both a thorough risk assessment and an ongoing program of risk monitoring

Provide the tools to apply security risk management strategies to assess a situation, develop a menu of feasible options, and recommend a realistic solution set to meet defined asset protection objectives

THE HISTORICAL BASIS FOR RISK MANAGEMENT

The idea of "risk" and "risk management" is not unique to the security field — in fact, it is relatively new to us. The idea probably originated in the financial industry, where risks can result in significant loss of money or missed opportunities to grow financial assets. In recent years, financial risk has been highlighted by major losses in worldwide financial markets and public scandals such as the Enron collapse (2001) and the Bernie Madoff fraud case (2008). In fact, Madoff's scheme has been described as "the biggest financial swindle in history" (Frank & Efrati, 2009).

Concern for managing risk is also critical in other fields such as business, science and technology, politics, and insurance. In reality, some degree of risk is inherent in almost any business decision. Should we develop a new product line? Establish a joint venture or partnership with a particular company? Manufacture or distribute our products in a different country or region of the world? Expand the business? Build a new facility? The answer to any one of these questions can result in tremendous growth for a company and its revenues — or it can mean disaster (in business terms).

If we think about these questions from our perspective, however, we can see that the answers usually have security risk implications as well. Because of this, it is extremely important that security professionals be included in discussions over important business or organizational decisions.

The same can be said of fields such as scientific research and development and the application of new technologies. Almost any program or project decision in these areas can have significant implications for the future — including security and asset protection issues. As an example, consider the selection among various ballistic missile defense technologies for the United States. This is clearly an issue of technology risk when comparing such diverse options as ground-based interceptors, space-based interceptors, the airborne laser and seaborne platforms. Besides the obvious factors of cost, schedule, and performance, each of these approaches also has security implications.

Think of how to go about developing a security approach to protect the people, equipment, communications, and information associated with each of these options. This will probably show quite different security challenges and recommendations for each platform.

Finally, the insurance industry is almost entirely focused on the concept of "risk." In fact, one of the earliest uses of the term "risk manager" is attributed to companies that recognized the increasingly clear relationship between business practices and insurance costs in the 1950s (Thompson, 2003). The role of risk management in the insurance industry is further illustrated by the fact that in 1975, the American Society of Insurance Management changed its name to the Risk & Insurance Management Society (RIMS) (Hampton, 2007). Essentially, the insurance providers are taking on (or accepting) a portion of their policy holders' risk for a fee (their premiums). As we will discuss later, insurance is the most common example of "risk transfer," one of the five avenues of addressing security/asset protection risks.

WHAT IS SECURITY RISK MANAGEMENT?

So how do we (protection professionals) fit into the picture of risk management? As mentioned in an article by Diana Thompson, a well-respected consultant in organizational risk management based in Australia:

To most businesses, the concept of risk management is confined to financial aspects ... but the risk game is fast changing . . . [now] covering everything from a computer meltdown to a terrorist attack.... (Thompson, 2003)

Today, risk management is a central concept in the fields of security, asset protection, and crime/loss prevention. Risk management principles are used to help us conserve our limited resources (in terms of time, effort, manpower, and money), apply the right solutions in the right places, and keep up with changes in our operational environment. Plus, as shown in the quote above, it keeps us attuned to the broad array of threats that we face in any type of organization.

TWO KEY ELEMENTS: ASSESSMENT AND MITIGATION

The practice of security risk management (SRM) begins with a thorough and well thought out risk assessment. Why? Because we cannot begin to answer questions until we know what the questions are — or solve problems until we know what the problems are. A good assessment process naturally leads directly into a risk mitigation strategy. These two key elements will be discussed further in this chapter and are mentioned at various points throughout this book with respect to specific protection applications.

Note: The following material is extracted from "Primer on Security Risk Management" and is used with permission.

Whether in the public or private sector, and whether dealing with traditional or cyber security (or both), asset protection practice is increasingly based on the principle of risk management. The concept is a perfect fit for the field of asset protection, since our primary objective is to manage risks by balancing the cost of protection measures with their benefit.

TAKING A STRATEGIC RISK MANAGEMENT APPROACH

Too often, organization leaders look for the "quick fix" to satisfy their security needs. They buy a popular security system or are convinced by a sales representative that a particular product or service is the all-encompassing answer to their protection needs. They are convinced that their critical assets are then completely safe without even asking what those assets are or what types of threats they face. This is a particular problem for small and medium-sized businesses, but it certainly could apply to any size enterprise.

Taking a "strategic approach" means basing the enterprise's asset protection practice on sound planning, management, and evaluation, and taking into consideration both the organization's mission and the environment in which it operates. A "strategy" should articulate — to the security professional and executive decision makers — what is being protected, why it's being protected and how it's being protected.

The National Infrastructure Protection Center (NIPC) defines risk management as "a systematic and analytical process by which an organization identifies, reduces and controls its potential risks and losses." They further state that risk management:

Identifies weaknesses in an organization or system

Offers a rational and defendable method for making decisions about the expenditure of scarce resources and the selection of cost-effective countermeasures to protect valuable assets

Improves the success rate of an organization's security efforts by emphasizing the communication of risks and recommendations to the final decision-making authority

Helps security professionals and key decision makers answer the question, "How much security is enough?"

National Infrastructure Protection Center, 2002

THE RISK MANAGEMENT PROCESS

The five components of the risk management process — which lead to a comprehensive asset protection strategy — are depicted in the accompanying diagram. The process begins by identifying realistic asset protection objectives and then conducting a comprehensive risk assessment (described below). This can be done at the enterprise-wide level and/or at the specific process or project level. Depending upon the nature of the business, it may be appropriate to do it at multiple levels.

Assets. The first step in risk assessment is identification and valuation of assets. As Gardner asserts, "the first step in establishing [any] effective [asset protection] program involves identifying the businesses' assets" (Gardner, 1995). Although this is a step that is frequently overlooked, no effective security program can be implemented without a thorough understanding (on the part of both the asset owner and the security professional) of what is being protected — or should be protected. All three types of assets — tangible, intangible, and mixed — should be considered and incorporated into the risk assessment process. Too often, asset owners and security professionals focus exclusively on tangible assets or those which appear on the accountant's balance sheet.

Each component of the risk management process must be evaluated (gauged or rated) and this can be done either qualitatively or quantitatively. The value of assets is often expressed in dollar amounts, but assigning such a number is not always possible, particularly in the case of intangible and mixed assets.

This provides a natural lead into the debate over qualitative versus quantitative assessment approaches. Each approach has inherent pros and cons.

Qualitative analysis is any approach which does not use numbers or numeric values to describe the risk components. Generally, comparative terms such as "critical," "high," "medium," "low," and "negligible" may be used to gauge the asset value, the levels of the risk components, and the level of risk itself.

Quantitative analysis is any approach which uses numeric measures to describe the value of assets or the level (severity or probability) of threats, vulnerabilities, impact, or loss events. It can vary from simple scale ratings (e.g., 1 to 5) to sophisticated statistical methods and mathematical formulas.

Many executive decision makers prefer information to be summarized in charts and graphs which can display a great deal of data in a concise manner. This is the strongest argument for using a quantitative approach. The other major advantage is the ability to automatically manipulate the data using computer programs and algorithms. Qualitative methods, by contrast, are generally simpler and quicker to use, and often provide results that are just as meaningful as numeric calculations.

Among the factors to consider in determining asset value are immediate response and recovery costs, investigation costs and replacement costs, and indirect costs (which are often overlooked in the overall assessment). Indirect costs may include things such as:

temporary leased facilities

equipment rental/purchase

alternative suppliers/vendors

alternative shippers/logistics support

temporary warehousing facilities

special employee benefits

counseling/employee assistance

loss of market share (temporary or permanent)

decreased employee productivity

increased insurance premiums

temporary workforce/staffing

recruiting/staffing costs for permanent workforce

increased security costs (temporary or permanent)

increased communications capabilities

data recovery/IT (Information Technology) system

administrative support

marketing/public relations efforts

emergency/continuity plan revamps

increased travel

In addition, intangible and mixed assets must be considered even though they are generally very difficult to value. Executive decision makers need to be educated with respect to intangible and mixed assets. Although it is often difficult or impossible to place a specific dollar value on intangible assets, they are certainly subject to loss events and can have a significant impact on the organization's vitality and mission performance.

Threat. Enterprises — regardless of size, location or mission — face a wide variety of threats that fall into three categories: intentional, natural, and inadvertent. A comprehensive, and hence more meaningful, threat assessment will consider all three categories of threats.

Since September 11, 2001, it has been common to focus heavily (sometimes almost exclusively) on the terrorist threat when conducting corporate or organizational risk analyses. However, terrorism is only one aspect of one category of threats that should be considered. This tendency is not unique. In the mid-1980s, for example, there was an overemphasis on the theft of advanced technology. At other times, the security community has focused too heavily on white collar crime, cyberattacks, natural disasters, or other calamities.

A balanced approach to threat assessment is necessary. Of course, some types of threats will be more prevalent at certain times and in certain places. Long-term asset protection strategies, however, must be based on a realistic, full scope, and balanced threat assessment.

According to security expert and author Ira Winkler,

"Accurate assessment of the level of threat against your organization is critical to the success of your . . . security plan." "Threat is an essential factor in your risk reduction formula, and you must consider it carefully. If you don't, you'll simply be flying blind when it comes to prioritizing countermeasures ..."

Winkler, 1997, p. 37

In terms of evaluating levels of threat, consider the following three primary categories:

Intentional Threats — Evaluation of intentional threats is based on identification and study of potential adversaries. Assessors should think "outside the box" when listing potential adversaries. For example, the most obvious adversaries in a particular case may be international terrorist organizations, organized crime, or aggressive business competitors. Other important potential adversaries, however, may be activist groups (such as environmental rights activists or other special interest groups) — and their threats could be easily overlooked. The identification and assessment of adversaries are growing challenges today based on the post-Cold War environment, the global nature of our economy, worldwide demographic shifts, and the emergence of a far more asymmetric (less conventional and more difficult to define) nature of modern-day threats.

In most cases, adversaries can be judged according to their capabilities to cause a loss event (or attack) and their intentions to do so. Among the sources of information on adversary capabilities and intentions are past history, organization rhetoric, public pronouncements, other open sources, internal communications (newsletters, websites, etc.), law enforcement reports, automated databases, and threat assessment professionals.

Natural Threats — Rather than adversary capabilities and intentions, natural threats are typically evaluated using historical trends and statistics. Long-term data is generally collected on weather and other natural hazards for specific geographical areas, terrains, and environments. In some cases, data has been assembled on natural hazard effects for particular industry sectors or facility types. Although this data provides extremely useful planning information, assessors must recognize that the unexpected can, and usually does, occur. Therefore, comprehensive contingency planning and at least some degree of all-hazard preparedness are strongly recommended by most professionals.

Inadvertent Threats — Perhaps the most overlooked or neglected threats are inadvertent threats. These include accidents, errors, and omissions. Security expert and author Ira Winkler put it best when he wrote that "... the biggest threat to U.S. corporations is human error" and "People make mistakes, and those mistakes are the most likely things to hurt you" (Winkler, 1997, p. 39).

Another key consideration — which is a subset of the inadvertent threat — is that of peripheral threats — for example, a threat that is targeted at a neighboring facility but that may have a major impact on the post operation. The effects of peripheral threats can include utility interruptions, required evacuations, closure of access routes to the facility, unwanted attention or traffic at the facility, full or partial operation shutdowns, productivity disruptions, and environmental effects (e.g., smoke, debris, water, or chemical runoff, etc.).

Inadvertent threats are the most difficult to predict and prepare for. Although, to some degree, the nature of the workforce, operations, or other environmental factors can influence the level of the inadvertent threat, there is usually little or no historical data to use for planning purposes. The best defenses are preparation, education and awareness, and realization that the threat exists.

Vulnerability. The most common view of "vulnerability" is a security weakness or problem. Although this can be the case, we must also recognize that some vulnerabilities are simply existing conditions or business practices which support mission accomplishment. For example, engaging in sales by e-commerce can be viewed as a vulnerability, but it may also be an essential way of conducting business for a particular company. One concise definition of "vulnerability" is "a weakness or organizational practice that may facilitate or allow a threat to be implemented or increase the magnitude of a loss event" (ASIS International, 2007, p. 8).

One important difference between a threat and vulnerability is that vulnerability is a characteristic of the organization or facility. As such, it is generally something over which the organization can exercise at least some degree of control. Threats, by contrast, are usually outside the control of the organization.

Vulnerabilities can be evaluated in different ways, but one common approach is to measure them in terms of observability and exploitability.

Observability is the ability of an adversary to see and identify a vulnerability. For example, a hole in a chain-link perimeter fence is likely observable by a potential adversary, whereas an inoperable CCTV (Closed-Circuit Television) camera is not.

Exploitability is the ability of the adversary to take advantage of the vulnerability once they become aware of it.

In assessing natural threats, we can still use the concepts of observability and exploitability, although from a slightly different perspective. The observability factor would essentially be reversed and refer to our ability to observe — or become aware of, track, etc. — the oncoming threat (e.g., storm). This involves mechanisms for early warning and notification of the impending threat. By contrast, exploitability would be expressed in terms of the capability of a particular threat to cause damage specific to the facility, mission, or organization.

Using this observability/exploitability approach, AP (Asset Protection) professionals can assess and develop plans to mitigate vulnerabilities in both the long-term (strategic) and immediate (tactical) time frames.

For inadvertent threats, the observability/exploitability approach is again slightly different. In this case, we measure our vulnerabilities via two questions:

1. Are we aware of the vulnerabilities?

2. Are the particular vulnerabilities subject to relevant inadvertent threats?

Again, both the inadvertent threats and associated vulnerabilities are generally the most difficult for any organization to identify and measure. This should not, however, be used as an excuse for neglecting this aspect of the overall risk posture.

Risk Analysis. In this step, the assessor puts all of the information on assets, threats, and vulnerabilities together, and then considers the potential impact or consequences of a loss event. In all risk analyses, but particularly in quantitative ones, it is advisable to determine the evaluation levels (for threat, vulnerability, and impact) by committee. In other words, assessments should be performed by a multidisciplinary team of subject matter experts in order to reach credible and justifiable numbers as input to the analysis. Justifying the numbers is the area in which assessors are most often challenged when reporting their risk-analysis results to clients, executives, and decision makers.

There are many effective and time-tested approaches to calculating risk results once the numbers (evaluation levels) have been identified. Risk analysis results should be presented to the client or decision maker in a manner which assists them in understanding the data and making decisions. This includes placing the identified risks in a priority order or into priority categories to help show, from the assessor's perspective, which risks should be addressed first.

A final note about risk analysis: as discussed in a 2000 Security Management article entitled "Truth & Consequences," we need to consider low-probability/high-consequence risks as well as those that are most likely to occur in our workplace (Garcia, 2000). Many corporate executives and decision makers only want to hear about the risks that represent the highest probability of occurrence, as that's where they want to expend their resources. We must also, however, give serious consideration to potential losses that, although they are not highly likely to occur, will result in very significant consequences (mission impact) if they do occur. Examples of such risks are terrorist attacks and catastrophic workplace violence incidents. Again, the objective of a comprehensive asset protection strategy is a rational balance between the focus on high-probability-of-occurrence risks and low-probability/high-consequence risks.

LIKELIHOOD VERSUS CONSEQUENCE SCATTER CHARTING

Another method for considering organizational risk is the use of a "Likelihood versus Consequence" matrix, sometimes referred to as a "scatter chart." Conceptually, any organization must consider the question of likelihood versus consequence (impact) for its relevant risks or potential loss events. The accompanying diagram illustrates this issue by way of four quadrants.

Logically, a risk (potential loss event) located in Quadrant 1 would require the most urgent attention and resource allocation. These risks have a high likelihood of occurring and, if they do, will have significant consequences or impact on the organization. The consequences may be in the form of increased operating costs, damage to reputation/public trust, decreased safety or efficiency, loss of personnel resources, loss of, or damage to, facilities/equipment, or loss of critical information.

The priority of addressing risks will generally decrease with each successive quadrant. Many organizations, however, neglect the fact that Quadrant 2 warrants significant attention. Risks which lie in this quadrant have a low-to-moderate likelihood of occurrence, but a high consequence of impact if they do occur. Examples of risks that typically fall into Quadrant 2 are dramatic workplace violence incidents and terrorist attacks.

Risks that fall into Quadrants 3 and 4 should not be automatically discounted. Various events (reorganization, expansion, adding new missions, change in neighbors, change in threat level, etc.) can easily move some risks from one quadrant to another. For this reason, security and management officials must periodically review the risk posture as well as operational and administrative changes that may influence the "likelihood versus consequence" equation.

The likelihood versus consequence scatter chart technique may be used in combination with a traditional risk analysis method. This often provides a more comprehensive and accurate picture of the risk environment (and contributing factors) than the use of one method alone.
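As an added illustration of two points made above, the mapping of qualitative terms ("critical," "high," "medium," "low," "negligible") onto a simple numeric scale described under Assets, and the four-quadrant likelihood versus consequence chart, the following Python is example code written for this page; it is not part of the chapter or of any source it cites. The 1-to-5 scale, the threshold of 4 for counting an axis as "high," the product-of-ratings tie-break within a quadrant, the placement of Quadrants 3 and 4 (the chapter describes only Quadrants 1 and 2 explicitly), and the sample risk register are all constructed assumptions.

```python
"""Qualitative-to-quantitative rating scale and a likelihood-versus-consequence
quadrant chart.  Added example, not from the chapter; all thresholds, the
tie-break score and the sample risks below are constructed assumptions."""

from dataclasses import dataclass

# The chapter's qualitative terms mapped onto a constructed 1-to-5 scale.
SCALE = {"negligible": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}

# Constructed threshold: "high" or "critical" counts as high on an axis, so
# "medium" stays in the chapter's "low-to-moderate likelihood" band.
HIGH_THRESHOLD = 4


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str   # qualitative term from SCALE
    consequence: str  # qualitative term from SCALE


def to_number(term: str) -> int:
    """Translate a qualitative rating into its numeric scale value.

    Rejects unknown terms so a typo in a committee's worksheet does not
    silently become a low (or high) number."""
    try:
        return SCALE[term.lower()]
    except KeyError:
        raise ValueError(
            f"unknown rating {term!r}; expected one of {sorted(SCALE)}"
        ) from None


def quadrant(risk: Risk) -> int:
    """Place a risk into one of the four quadrants of the scatter chart.

    Quadrant 1: high likelihood, high consequence (most urgent)
    Quadrant 2: low-to-moderate likelihood, high consequence (often neglected)
    Quadrant 3: high likelihood, lower consequence      (assumed placement)
    Quadrant 4: lower likelihood, lower consequence     (assumed placement)
    """
    high_likelihood = to_number(risk.likelihood) >= HIGH_THRESHOLD
    high_consequence = to_number(risk.consequence) >= HIGH_THRESHOLD
    if high_likelihood and high_consequence:
        return 1
    if high_consequence:
        return 2
    if high_likelihood:
        return 3
    return 4


def prioritize(risks):
    """Order risks for attention: by quadrant first, then (as an assumed
    tie-break the chapter does not prescribe) by the product of the two
    numeric ratings, highest first, then by name for a stable listing."""
    return sorted(
        risks,
        key=lambda r: (
            quadrant(r),
            -(to_number(r.likelihood) * to_number(r.consequence)),
            r.name,
        ),
    )


# Constructed sample register; names and ratings are illustrative only.
SAMPLE_RISKS = [
    Risk("unpatched internet-facing server", "high", "high"),
    Risk("terrorist attack on facility", "low", "critical"),
    Risk("shoplifting / retail shrinkage", "high", "low"),
    Risk("minor visitor badge misuse", "low", "negligible"),
    Risk("regional flood", "medium", "high"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"Q{quadrant(r)}  L={to_number(r.likelihood)} "
              f"C={to_number(r.consequence)}  {r.name}")
```

Run stand-alone, the script lists the register in priority order: the Quadrant 1 server risk first, then the two high-consequence Quadrant 2 risks (the flood ahead of the terrorist attack because of the tie-break score), then the Quadrant 3 and 4 items. Note that the terrorist-attack entry, rated "low" likelihood, still sorts ahead of the "high" likelihood shrinkage item, which is exactly the Quadrant 2 point the chapter makes: a probability-only ranking would have buried it.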

Risk management is a cyclical process — one that must regularly evaluate changes in assets, threats, vulnerabilities, and loss event impact. These factors are in constant flux and must be deliberately and carefully monitored to ensure that the asset protection strategy and its components remain both effective and efficient.

Following a thorough risk analysis, the next step is to recommend a suite of solutions or "mitigation measures" to address the risks that have been identified and prioritized. By "suite," we mean a series of measures that work together and comprise elements of a deliberate plan — or a "mitigation strategy."

THE FOUNDATION OF A MITIGATION STRATEGY

Taking a truly strategic approach helps avoid major mistakes such as knee-jerk reactions to incidents/events, introducing inefficiencies, over-relying on vendors or salespeople for solutions, and serious resource misallocations. Any risk mitigation strategy should consider three underlying or foundational concepts: the five avenues to address risk, the "Four D's," and layered security (defense in depth). The best and most effective protection programs are based on strategies that integrate the philosophies embodied in all three of these foundational concepts.

THE FIVE AVENUES TO ADDRESS RISK

The concept of the five avenues to address risk is directly related to the comprehensive risk management approach. It contends that there are five distinct avenues we can follow to address identified risks to assets. Generally, a comprehensive asset protection strategy incorporates a well-thought-out combination of all or most of these avenues. The five avenues are risk avoidance, risk transfer, risk spreading, risk reduction, and risk acceptance.

The following diagram illustrates the application of "the five avenues to address risk." It begins with an initial consideration of risk avoidance, then proceeds to three additional avenues of addressing risk (transfer, spreading, and reduction). Ideally, these three avenues are employed in concert with one another as part of a comprehensive strategy.

Risk avoidance — this is the most direct avenue for dealing with risk. It simply involves removing any opportunity for the risk to cause a loss event. Many security professionals consider risk avoidance impractical — and therefore, essentially irrelevant — since the measures required to completely avoid risk will essentially negate the enterprise's ability to perform its mission or accomplish its objectives.

Risk spreading — this very effective practice avoids putting "all your eggs in the same basket." The best example of this is geographically distributing an organization's assets. If a company maintains an inventory of high-value merchandise, for example, and stores all of it in a single warehouse, the potential loss could be 100% of the merchandise if that warehouse experienced a major loss event (e.g., theft, flood, fire, etc.). If, however, this merchandise were distributed among three geographically separated warehouse facilities, the same loss event would result in a potential loss of only about one-third of the total inventory.

This simplified example provides an excellent illustration of the concept of risk spreading. Another good example of risk spreading is the practice of off-site backups for computer data. By storing a copy of this highly valuable "asset" in another location, a relatively quick recovery from the loss of the original data can be effected. Risk spreading can increase the cost of an operation, but the generally modest costs are usually offset by the decrease in risk to critical assets.

Risk transfer — the typical example of risk transfer is the purchase of insurance. Although not commonly viewed as a part of the traditional "security" function, insurance is generally a key element of organization (or individual) risk management strategy. Another form of risk transfer is the act of making oneself a less attractive target than other potential targets (such as neighboring facilities). Although it may not be considered "polite," this is a way of "transferring" a portion of the risk to a neighbor. In some cases, a portion of risk can be transferred to suppliers, vendors, or others through contract clauses or other types of formal agreements.

Risk reduction — essentially, risk reduction involves any security measures or other actions that would reduce the risk to assets. The most common and direct means of reducing risk, in this sense, are actions that decrease the vulnerability in the risk equation (whereas risk spreading and risk transfer primarily decrease the impact of a loss event).

Common risk reduction mechanisms are security measures, policy enforcement, and employee education and awareness, as well as financial and legal positioning.

Risk acceptance — after all risk spreading, risk transfer, and risk reduction measures have been implemented, some risk will remain, since it is virtually impossible to eliminate all risk (except as discussed under risk avoidance). This remaining risk is termed "residual risk." One example of risk acceptance is the setting of shrinkage tolerance levels in the retail industry. In addition, some organizations have established a formal process for risk acceptance.

Carefully considering the five avenues to address risk is an excellent exercise and can be very effective at helping (protection) professionals and management to think outside the box in terms of multiple approaches to protecting assets.
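As an added illustration (not part of the chapter or of the "Primer on Security Risk Management" it quotes), the following Python register walks one constructed risk through the avenues just described, using the chapter's asset-threat-vulnerability-impact model. It assumes a simple multiplicative score (threat likelihood × vulnerability × impact), the rule stated above that spreading and transfer lower impact while reduction lowers vulnerability, and constructed figures and cutoffs; the likelihood/consequence labels are the scatter-chart categories from this chapter, not a particular quadrant numbering.

```python
"""Added example (not the chapter's own material): a small risk register that
works through the asset-threat-vulnerability-impact model and four of the five
avenues for addressing risk.  Risk is modelled as threat likelihood x
vulnerability x impact.  Spreading and transfer lower the impact of a loss
event, reduction lowers vulnerability, and what remains is residual risk that
either fits inside an accepted tolerance or does not.  Avoidance would mean not
holding the asset at all, so it is not modelled.  All figures are constructed."""
from dataclasses import dataclass, field


@dataclass
class Risk:
    asset: str
    threat: float          # likelihood the loss event is attempted (per year, 0..1)
    vulnerability: float   # probability the attempt succeeds (0..1)
    impact: float          # loss if it succeeds (currency units)
    treatments: list = field(default_factory=list)

    def likelihood(self) -> float:
        return self.threat * self.vulnerability

    def score(self) -> float:
        """Annualised expected loss under this simple model."""
        return self.likelihood() * self.impact


def spread_risk(risk: Risk, sites: int) -> Risk:
    """Risk spreading: distributing the asset over N separated sites means a
    single loss event reaches only about 1/N of it (the warehouse example)."""
    if sites < 1:
        raise ValueError("sites must be at least 1")
    risk.impact /= sites
    risk.treatments.append(f"spread over {sites} sites")
    return risk


def transfer_risk(risk: Risk, insured_fraction: float) -> Risk:
    """Risk transfer: insurance (or a contract clause) shifts part of the
    impact to another party; only the uninsured share stays on the books."""
    if not 0.0 <= insured_fraction <= 1.0:
        raise ValueError("insured_fraction must be between 0 and 1")
    risk.impact *= 1.0 - insured_fraction
    risk.treatments.append(f"transferred {insured_fraction:.0%}")
    return risk


def reduce_risk(risk: Risk, vulnerability_after: float) -> Risk:
    """Risk reduction: security measures, policy enforcement and awareness
    lower the vulnerability term rather than the impact term."""
    if not 0.0 <= vulnerability_after <= risk.vulnerability:
        raise ValueError("reduction must lower vulnerability, not raise it")
    risk.vulnerability = vulnerability_after
    risk.treatments.append(f"vulnerability reduced to {vulnerability_after}")
    return risk


def accept_risk(risk: Risk, tolerance: float) -> bool:
    """Risk acceptance: True when the residual risk is within what management
    has formally agreed to carry (compare shrinkage tolerance in retail)."""
    accepted = risk.score() <= tolerance
    risk.treatments.append("accepted" if accepted else "NOT accepted")
    return accepted


def classify(risk: Risk, likelihood_cutoff: float, impact_cutoff: float) -> str:
    """Place the risk in a likelihood/consequence scatter-chart category.
    The cutoffs are policy choices supplied by the caller."""
    lik = "high-likelihood" if risk.likelihood() >= likelihood_cutoff else "low-likelihood"
    con = "high-consequence" if risk.impact >= impact_cutoff else "low-consequence"
    return f"{lik}/{con}"


def treat_warehouse_inventory() -> Risk:
    """Walk one constructed risk through spreading, transfer, reduction and
    acceptance; the figures are illustrative only."""
    r = Risk("high-value merchandise", threat=0.10, vulnerability=0.50, impact=900_000.0)
    spread_risk(r, 3)             # three geographically separated warehouses
    transfer_risk(r, 0.80)        # insurance covers 80% of a loss
    reduce_risk(r, 0.20)          # access control, alarms, procedures
    accept_risk(r, tolerance=2_000.0)
    return r


if __name__ == "__main__":
    risk = treat_warehouse_inventory()
    print(classify(risk, likelihood_cutoff=0.05, impact_cutoff=100_000.0),
          round(risk.score(), 2), risk.treatments)
```

Because the three terms multiply, the order in which the avenues are applied does not change the residual score; what the register makes visible is which term each avenue actually moves, and whether the residual lands inside the tolerance management has agreed to carry.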


"THE FOUR D'S" The "Four D's" is a classic principle in the crime prevention community and applies equally well to almost any aspect of asset protection or security risk management. It nicely complements its "cousin" concepts: the five avenues to address risk and layered security (defense in depth).

Deter - Under this concept, the first objective in protecting assets is to deter any type of attack or attempt by a potential adversary.

Deny - The second objective is to deny the potential adversary access to the target (or asset). This is typically achieved through traditional access controls and other physical, personnel, or technical security measures.

Detect - The next objective — should deterrence and denial fail in whole or part — is to detect the attack or situation. This can be done in a variety of ways, traditionally using surveillance and intrusion detection systems, human observation, or even a management system that will immediately identify or flag shortages or inconsistencies (e.g., an inventory tracking system which reports out-of-tolerance conditions).

Delay - Finally, once an attack or attempt is in progress, the intention should be to delay the perpetrators enough to either convince them to give up or terminate the attempt, or to allow an appropriate security/law enforcement response to the scene.

Like the other foundational concepts, the "Four D's" can be applied in a traditional security environment or in the logical security sense with respect to IT systems. Such tools as access control, authentication, encryption, intrusion detection systems, anomaly reporting, firewalls, port management, and content filtering work together to support the concept of the "Four D's" in the world of cybersecurity.
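The "Detect" objective above cites an inventory tracking system that reports out-of-tolerance conditions, and the risk acceptance avenue earlier in the chapter cites retail shrinkage tolerance levels. The following Python check, added here as an illustration and not taken from the chapter, ties the two together: the tolerance is the residual loss management has accepted, and anything beyond it is what the system flags. The stock records, tolerance values and the choice to treat any surplus as an inconsistency are constructed assumptions for the example.

```python
"""Added example (not from the chapter): a periodic-count check that reports
out-of-tolerance inventory conditions.  Per-item shortages beyond a tolerance
fraction and any surplus (more on hand than recorded, which points to a
receiving or record-keeping problem) are flagged, and overall shrinkage is
compared with the accepted shrinkage level.  Records and thresholds are
constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class StockRecord:
    sku: str
    book_qty: int       # quantity the system says should be on hand
    counted_qty: int    # quantity found by the physical count
    unit_value: float   # value per unit, used for the shrinkage rate


# Constructed sample count (not real data).
SAMPLE_COUNT = [
    StockRecord("TV-55", 40, 39, 450.0),       # 2.5% short: within tolerance
    StockRecord("LAPTOP-14", 60, 51, 900.0),   # 15% short: flag as shortage
    StockRecord("CABLE-HDMI", 500, 480, 8.0),  # 4% short: within tolerance
    StockRecord("PHONE-X", 30, 34, 700.0),     # more than booked: inconsistency
]


def item_findings(records, item_tolerance=0.05):
    """Return (sku, kind, delta) for every record outside tolerance.

    kind is "shortage" when the count falls below book by more than
    item_tolerance (a fraction of book quantity) and "surplus" when the count
    exceeds book at all.  delta is counted minus book, so shortages are
    negative.  Records inside tolerance produce no finding."""
    findings = []
    for r in records:
        delta = r.counted_qty - r.book_qty
        if delta > 0:
            findings.append((r.sku, "surplus", delta))
        elif r.book_qty and (-delta / r.book_qty) > item_tolerance:
            findings.append((r.sku, "shortage", delta))
    return findings


def shrinkage_rate(records):
    """Value lost as a fraction of total book value.  Surpluses are not
    allowed to offset losses, since unexplained extra stock is itself a
    control failure rather than a recovery."""
    book_value = sum(r.book_qty * r.unit_value for r in records)
    lost_value = sum(max(r.book_qty - r.counted_qty, 0) * r.unit_value for r in records)
    return lost_value / book_value if book_value else 0.0


def within_accepted_shrinkage(records, tolerance=0.02):
    """True when overall shrinkage sits inside the accepted residual-risk
    level; False means the condition should be escalated, not absorbed."""
    return shrinkage_rate(records) <= tolerance


if __name__ == "__main__":
    for sku, kind, delta in item_findings(SAMPLE_COUNT):
        print(f"{sku}: {kind} ({delta:+d})")
    rate = shrinkage_rate(SAMPLE_COUNT)
    print(f"shrinkage {rate:.1%}, accepted: {within_accepted_shrinkage(SAMPLE_COUNT)}")
```

On the sample count the per-item check flags the laptop shortage and the phone surplus while leaving the two small shortages alone, yet the overall shrinkage still exceeds a 2% accepted level, which is the distinction between individual exceptions and an aggregate condition that management has not agreed to carry.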

LAYERED SECURITY (DEFENSE IN DEPTH) A closely related concept is that of layered security, which is also known as defense in depth. Again, this principle applies across the board to physical, logical, and converged environments. Defense in depth recognizes that a single protection measure is not adequate, and that a series of well-planned and complementary levels of security measures comprise an effective asset protection scheme.

The ASIS International Glossary of Security defines "layered security" as: A physical security approach that requires a criminal to penetrate or overcome a series of security layers before reaching the target. The layers might be perimeter barriers; building or area protection with locks, CCTV, and guards; and point and trap protection using safes, vaults, and sensors.

ASIS International, August 2006


In a more comprehensive sense, however, the concept can include personnel security, technical security, policies and procedures, security education, facility layout, traffic patterns, and even — in the case of shopping centers, for example — Neighborhood Watch programs.

In short, asset protection should involve a comprehensive strategy, not a combination of piecemeal elements (officers, CCTV, access control systems, etc.). Developing such strategies, particularly in today's complex global environment, requires both broad expertise and a very thorough thought process based on underlying concepts such as those described above.

MITIGATION MEASURES A comprehensive strategy incorporates all aspects of protective measures that are appropriate to the environment based on its mission, nature, physical attributes, and risk assessment results. As mentioned, these should be viewed as part of a suite of solutions.

Among the families of measures to be considered are:

Physical security (barriers, locks, access control, etc.)
Electronic security systems
Security officers
Policy and procedure/business practices
Employee training and awareness
Layout, design, and architecture
CPTED (crime prevention through environmental design)
Contracts and clauses
Legal and financial posturing
Insurance
Personnel security
Technical security (IT and non-IT)
Travel security
Liaison and relationships
Business continuity and crisis preparedness

(end of extract from "Primer on Security Risk Management")

TAILORING A PROGRAM TO THE SETTING AND ENVIRONMENT Any risk-mitigation strategy should be tailored to the specific industry setting, location, and organization being protected. There are important factors that affect how protection measures will be implemented, how well they will be accepted, and how effective they will be. Even within subsets of industry sectors, fine distinctions exist that can significantly impact the effectiveness of protection strategies and individual protection measures. For example, there are very significant differences between a worldwide intermodal cargo shipping firm and an urban subway system, even though both are components of the transportation industry.

Different industry sectors and subsectors are subject to different risks in terms of type, extent, and nature, and may view the risks themselves, as well as recommended mitigation strategies, very differently. In addition, factors such as the type of people who are employed, the nature of the work, working hours, type of facility, location, and even management style may affect the way protection measures work — or even whether they will work at all.

In today's global environment, we also need to consider how the components of our mitigation strategy will operate in countries around the world where our organization may have facilities, people, joint ventures, or partner firms. Laws, language, culture, treaties, and international agreements all impact relevant aspects of the threat as well as the applicability of security measures and other risk management tools.

THE ROLE OF THE PROFESSIONAL PROTECTION OFFICER According to Karim Vellani, a well-respected professional security consultant and author,

"Risk is the most significant factor that drives the deployment and redeployment of security forces"

Vellani, 2007, p. 234

This statement seems simple, but is very profound. It attests to the extremely significant role of security risk management as well as its direct application to professional security services and security officers. Risk management principles can and should be applied at three levels related to modern-day professional protection officers. Each level is briefly described below.

Individual Officer Every security officer makes decisions on a wide variety of levels during their shift. They range from mundane to life-and-death. Some of these decisions include:

Whether to report an incident or information, or note it and hold it
How to respond to a call for service
How to deal with an aggressive individual
How to word a report
How in-depth to investigate a situation
Who to call in a particular nonroutine situation that is not specifically outlined in post orders
Whether or not to grant access to a particular individual or to allow entry of a package
Whether or not to draw a weapon
Whether to use nonlethal force
Whether or not to call for backup
Whether or not to overlook an ethical lapse

In every case, the best decisions are based on a sound risk management process. Whether this is a formal, documented process laid out in a neat flowchart, or an instantaneous thought process that yields a split-second decision, risk management should be at play.

By integrating risk management into each security professional's mind-set and normal business practices, it will become completely natural — a part of the way they think and act. More effective decision making will result in both strategic and tactical situations, and asset protection — people, property, and information — will be enhanced.

Customer or Client

As implied in Vellani's statement, risk management should be used to make decisions regarding the deployment of security resources — including officers and staff. Decisions such as the best mix of proprietary and contract officers, appropriate officer functions, patrol procedures, the contents and format of post orders, arming, standard procedures, and security systems will be better informed. Risk management can be applied in every aspect of an organization's asset protection program planning, management, and evaluation. It can also be used as the basis for interaction between the client and security service providers to support planning, training, evaluation, reporting, and liaison.

Risk management helps avoid imprudent security. An example of this was revealed during a series of security risk assessments shortly after the September 11 terrorist attacks. Consultants visited numerous locations of a large news organization with sites nationwide. The sites ranged from large news bureaus in major cities to small communications /server sites manned by only a few people.

After September 11, the corporate executives ordered that every site be staffed with a security officer — and they immediately (and massively) expanded the scope of their existing security services contract. During the assessment, consultants asked each of these new security officers about their role and function in support of the client.

Without exception, the officers had no idea why they were there or what they were supposed to do. A number of officers stated, "They just told me to stand here." Now that IS imprudent security! However, it is not that uncommon and is exactly the type of dangerous and wasteful situation that can be prevented by applying sound risk management principles and having those discussions between the client and the security professionals.

Another important decision-making process that can be informed by effective risk management thinking concerns the proper mix of security technology, security forces, and other solutions. Efficiency and effectiveness of security services in typical threat environments can not only save resources but also save lives.

Security Services Provider (Security Company) Service providers can base their core business model on risk management principles. This will assist in determining the types of services to offer, staff composition, market objectives, industry sectors to emphasize, and many other corporate functions. It should also be incorporated in business processes such as the quality assurance program and training program (for corporate staff, officers, and others).

For example, Vellani recommends using benchmarking as a key quality control function to help set baseline performance measures for officer assessment (Vellani, 2007, p. 247). The practical applications for risk management in the security field are almost limitless. Be creative. It will help distinguish the security company as a forward-looking and high-performance provider.

In terms of client interaction, use risk management as a foundation for discussions regarding customer requirements, staffing, and services. Not only will it result in more effective security services for the client, but it may also lead to an expanded role for the security provider.


EMERGING TRENDS

The practice of security risk management is being increasingly formalized here and around the world. Examples of this include various protocols established by the U.S. Department of Homeland Security (DHS) in the wake of the September 11, 2001, terrorist attacks, and additional work performed by the Department of Energy. These protocols have been expanded and adapted to specific elements of our critical infrastructure such as chemical plants and water supplies.

On a global scale, international standards are focusing more and more on security practices and taking a risk management approach. One example is ISO 27005 (2008), an international standard for Information Security Risk Management. This standard is based largely on previous work done primarily in Australia and Great Britain.

Other standards being developed include an All Hazards Risk Management Standard and a first-ever ANSI (American National Standards Institute) Standard on Organizational Resilience.

Although a great deal of work is going on around the world and is being applied to many different environments, all of the guidelines, protocols, and standards are closely aligned with the basic security risk management model presented in this chapter. Risk management principles will become even more important in the future as the threats we face become increasingly ambiguous, while at the same time security resources (such as budgets and manpower) continue to be tight.

SUMMARY Risk management is a critical process that touches every aspect of organizational asset protection as well as the activities of the professional protection officer. There are many specific and formalized models — even some sophisticated computer models — for risk management, but all are based on a basic "asset-threat-vulnerability-impact" model. The simple objective is "smart security decisions," whether it is how to structure a huge multi-national corporation's security function or how to word an incident report.

Every protection professional should become intimately familiar with the concepts of security risk management — and incorporate them into their mind-set and business practices at all levels.

SECURITY QUIZ


1. The terms "threat" and "risk" can be used interchangeably; for example, a "threat assessment" is the same as a "risk assessment."

a) True b) False

2. The concept of "risk management" originated within the security profession. a) True b) False

3. Because vulnerabilities are actually a characteristic of the organization or facility, they are:

a) The risk factor over which the organization has the most control b) Impossible to accurately assess by an outside consultant c) The risk factor that is most expensive to correct d) The only risk factor that can be influenced by the organization

4. According to "Primer on Security Risk Management," the primary categories of threats are (circle all correct answers):

a) Criminal b) Intentional c) Inadvertent d) Terrorist e) Natural

5. In a scatter chart used for risk analysis, which quadrant represents a "high-likelihood/high-consequence" risk?

a) Quadrant 1 b) Quadrant 2 c) Quadrant 3 d) Quadrant 4

6. In order to effectively mitigate risks, a security professional should: a) Limit their strategy to using proven security measures only b) Assess all possible threats to the organization c) Apply a protection strategy that employs a suite of solutions d) Ensure that management is aware of existing vulnerabilities

7. Buying insurance is one example of: a) Risk spreading b) Risk transfer c) Risk avoidance d) Risk reduction

8. Which one of the following is not one of the underlying concepts on which a risk mitigation strategy should be based?


a) The five avenues to address risk b) The "Four D's" c) Layered security d) Quantitative analysis

9. Risk management is a critical process that touches every aspect of organizational asset protection — and the activities of the professional protection officer

a) True b) False

10. Service providers should not base their core business model on risk management principles.

a) True b) False