Security risk and protection planning
By Terry Hoffman
A risk management program can supply your business with the tools it needs to ensure short-term changes have long-term success. Risk assessment (identifying potential threats) and risk control (identifying means to reduce post-threat loss) combined with the right security experience, intuition, and good management skills will result in a successful risk management program.
Unsuccessful risk management comes in many forms. For example, when
numerous different systems supervise hundreds of alarm points, new and
existing, frequently none of those alarm points has been assessed to
determine whether it represents a high degree of risk to the
enterprise. Instead, they keep guards acknowledging, responding to and
reporting events that may be primarily false alarms. Rather than
helping security guards protect assets, the system keeps their shifts
busy with unnecessary responses and encourages complacency. The guard
force and the new control, each of which you have confidence in, have
unintentionally become less effective in combination, while the
constant alarms can create a negative perception of the company.
An effective security risk management program delivers strong control
without negating other existing plans. Simply put, a security risk
management program is a continual process of risk assessment and risk
control. Because the enterprise's needs keep changing, the risk
management process must be an ongoing task rather than a one-time
project.
The business objectives from the risk management process include:
1. Providing the enterprise the ability to be consistent in the
measurement of the vulnerability of assets in order to make fundamental
risk avoidance decisions by evaluating effectiveness and strength of
2. Ascertaining the most cost-effective processes and security controls to reduce vulnerability.
3. Integrating the risk assessment and risk control processes into
wider business management techniques to improve the success rate of new
risk control techniques.
4. Confidence that all risk control techniques support the enterprise’s business priorities.
Security practitioners have been conducting risk assessments and
recommending risk control techniques for decades, using several similar
models. A successful model consists of the following tasks:
1. Identification of the critical and essential assets that require protection
2. Evaluation of the most probable threats
3. Definition of the possible means by which those threats could target
existing administrative, electrical and mechanical security controls
4. Evaluation of the probability of undesirable loss
5. Recommendation of security control measures that provide a layered
security approach by reducing several risks and interacting with other
control measures, new or existing
6. Determination that no newly recommended control negates the
effectiveness of an existing security control
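To make the model concrete, here is an added example of the kind of computation a risk-based evaluation tool performs over the six tasks above, and of the unassessed-alarm-point problem described at the start of the article. The code is not from the article or its author; the ALE = SLE x ARO scoring rule (single loss expectancy times annualized rate of occurrence) is a standard quantitative model assumed here, and every asset, threat, control and alarm point value is constructed for illustration.

```python
"""Added example: a small quantitative risk register of the kind the
article's "risk-based evaluation software" produces. Not the author's
tool; the ALE = SLE x ARO scoring and all asset, threat, control and
alarm-point data below are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One asset/threat pair from steps 1, 2 and 4 of the model."""
    asset: str
    threat: str
    asset_value: float      # value at stake, in currency units (assumed)
    exposure_factor: float  # fraction of value lost per event, 0..1
    annual_rate: float      # expected events per year under current controls

    def single_loss(self) -> float:
        return self.asset_value * self.exposure_factor

    def annual_loss(self) -> float:
        # ALE = SLE * ARO: the figure used to rank exposures
        return self.single_loss() * self.annual_rate


@dataclass
class Control:
    """A candidate control from step 5, with its side effects for step 6."""
    name: str
    annual_cost: float
    # (asset, threat) -> fraction by which the control cuts annual_rate
    rate_reduction: dict[tuple[str, str], float]
    # names of existing controls this one would bypass or switch off
    disables: frozenset[str] = frozenset()


def rank_exposures(exposures: list[Exposure]) -> list[Exposure]:
    """Step 4: order exposures by expected annual loss, highest first."""
    return sorted(exposures, key=lambda e: e.annual_loss(), reverse=True)


def net_benefit(control: Control, exposures: list[Exposure]) -> float:
    """Avoided annual loss minus the control's own annual cost."""
    avoided = sum(e.annual_loss() * control.rate_reduction.get((e.asset, e.threat), 0.0)
                  for e in exposures)
    return avoided - control.annual_cost


def evaluate_controls(candidates, exposures, existing):
    """Steps 5 and 6: accept controls that pay for themselves and do not
    negate an existing control; return (accepted, rejected)."""
    accepted, rejected = [], []
    for c in candidates:
        conflict = c.disables & existing
        benefit = net_benefit(c, exposures)
        if conflict:
            rejected.append((c.name, f"negates existing control(s): {sorted(conflict)}"))
        elif benefit <= 0:
            rejected.append((c.name, f"not cost effective: net {benefit:.0f}/yr"))
        else:
            accepted.append((c.name, benefit))
    accepted.sort(key=lambda item: item[1], reverse=True)
    return accepted, rejected


def unassessed_alarm_points(alarm_points, exposures):
    """The failure the article opens with: alarm points that guard an
    asset nobody has assessed. Returns their ids so they can be reviewed."""
    assessed = {e.asset for e in exposures}
    return [point for point, asset in alarm_points if asset not in assessed]


# Constructed sample data (not from the article).
EXPOSURES = [
    Exposure("server room", "unauthorized entry", 500_000, 0.4, 0.2),
    Exposure("loading dock", "theft of inventory", 80_000, 0.5, 2.0),
    Exposure("lobby", "vandalism", 20_000, 0.25, 1.0),
]
EXISTING_CONTROLS = frozenset({"perimeter alarm", "guard tour"})
CANDIDATES = [
    Control("dock CCTV with guard monitoring", 15_000,
            {("loading dock", "theft of inventory"): 0.5}),
    Control("server room card reader", 6_000,
            {("server room", "unauthorized entry"): 0.6}),
    Control("lobby bollards", 9_000, {("lobby", "vandalism"): 0.5}),
    Control("unmonitored dock door release", 2_000,
            {("loading dock", "theft of inventory"): 0.1},
            disables=frozenset({"perimeter alarm"})),
]
ALARM_POINTS = [("door 12", "loading dock"), ("door 31", "storage annex"),
                ("motion 4", "server room")]

if __name__ == "__main__":
    for e in rank_exposures(EXPOSURES):
        print(f"{e.asset:14} {e.threat:22} ALE {e.annual_loss():>9,.0f}/yr")
    accepted, rejected = evaluate_controls(CANDIDATES, EXPOSURES, EXISTING_CONTROLS)
    for name, benefit in accepted:
        print(f"ACCEPT {name}: net benefit {benefit:,.0f}/yr")
    for name, reason in rejected:
        print(f"REJECT {name}: {reason}")
    print("alarm points with no assessed asset:",
          unassessed_alarm_points(ALARM_POINTS, EXPOSURES))
```

Step 6 of the model is represented as an explicit "disables" set on each candidate, so a cheap control that would quietly bypass the perimeter alarm is rejected before its cost-benefit figure is even considered. The tool ranks and flags; the site-specific values it is fed, and the decision to act on its output, remain with the practitioner.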
The objective of each model is to identify new solutions to old
problems and to justify past decisions. The security industry offers
plenty of good risk-based evaluation software, which brings a
structured approach to the process. When choosing a software tool,
consider whether the software acts as a tool or as the master of the
risk management program: your site-specific knowledge, historical data
and intuition should support the output, not be replaced by it. Also
consider whether it measures both positive and negative outcome
scenarios, and whether its output is easy to understand and explain.
Using a tool in the planning stage provides consistency and a
historical record of planning decisions.
Risk management includes risk assessment and the process of acting on
that assessment with risk controls. The security industry must
recognize that security planning is a serious matter and that the
future is uncertain. We cannot envision or prepare for every type of
unknown threat. Instead we must accept that we have to define and
manage the potential and probable threats with a disciplined approach
to resource prioritization and the diversification of risk avoidance
across the full spectrum of the enterprise. Applying a risk-based
framework to all security efforts will help ensure your security
program's success over the long term.
Terry M. Hoffman, CPP, CBCP, is President of Hoffman & Company,
Security Management Consultants Inc. He can be reached at