Risk Management: The Foundation of
A known threat that has unpredictable effects in either timing or extent
2 types of Risk:
1. Pure Risk
The potential for injury, damage or loss with no possible benefits.
2. Dynamic Risk
This has potential for both benefits and losses.
Accepting checks to stimulate business
Hiring our own security personnel
Risk Management: The Big Picture
Taking steps to reduce or prevent such risks
Evaluating the Results
Risk Management: The Big Picture
An important part of any risk management program is the worth of the asset being protected.
Overall value of the asset to the organization
Immediate financial impact of losing the asset
Indirect business impact of losing the asset.
Risk Assessment is the process of identifying and prioritizing risks to a business.
“A risk assessment serves as the foundation upon which an organization builds its physical security plan.” (Fredrick, 2006, p. 19)
Sources of Information on Risk
Local police crime statistics
Internal organization documents
Prior civil claims against security
Law enforcement intelligence
3 Factors of Risk Analysis
Vulnerability – where and how could losses occur
Probability – analyzing those factors that favor loss
Criticality – deciding the consequences of a loss if it should occur
How to handle identified risks:
1. Risk Elimination
The best alternative, if it is realistic.
For example, we can eliminate the risk of losses from credit card fraud if we don’t take credit cards.
However, the loss of business would be more than the loss from credit card fraud.
2. Risk Reduction
We can not eliminate all pure risk, but we can reduce it.
We reduce it by establishing control and procedures.
Lighting, installing locks and alarm systems are all examples of methods of risk reduction.
2. Risk Reduction – attack trees
These give us a visual representation of our risk.
3. Risk Spreading
Related to risk reduction
This approach uses methods that reduce the potential loss by splitting up the risk into several areas.
4. Risk Transfer
We can transfer the risk by either raising prices or insurance.
Insurance has a couple of important principles:
Indemnity: states the insurer pays only the actual amount of the loss and no more
Subrogation: substitution of the insurer in place of the insured for the purposes of claiming indemnity from a third party for a loss covered by insurance
5. Risk Acceptance
It is never cost effective, practical, or indeed possible, to provide 100% security, thus some risks we simply have to accept.
Some risks are simply the costs of doing business.
Qualitative and Quantitative Risk
Quantitative – calculate the objective values for each component during risk assessment and cost benefit analysis.
Qualitative – identifies the most important risks quickly by assigning relative values to assets, risks, control and effects.
This balances cost and effectiveness.
Conducting the Security Survey
A survey instrument needs to be developed
A thorough, physical walk-through should be done
Walk-through should include talking to and observing personnel and observing the environment as a whole
Reporting the Results
A discussion of the risk analysis
Strengths of the system
Weaknesses of the system
Recommendations for alternatives for managing the risks, including the estimated cost and savings, and who should be responsible for making the changes
Implementing the Recommendations
It is important to note that most companies will not have the money to implement all the changes at once.
It is important to establish a schedule for implementation of the recommendations, in order to accommodate budget issues and ensure items do not get overlooked.
Keys to Success
Well defined list of stakeholders
Clear definition of roles and responsibilities
Atmosphere of open communication
Spirit of teamwork
Holistic view of organization
Authority throughout process