Sound financial management is a must

There is a good lesson here for the security practitioner because financial planning and management is of vital importance. Even though Canada is in relatively good economic shape, those in charge of security budgets need to exercise sound financial decision-making skills and to be able to discuss and back up those decisions with those in organizations who have ultimate say over how money is going to be spent.

The basis of all financial decision-making should be a detailed and comprehensive risk assessment. The risk assessment process itself consists of eight stages, based on the General Security Risk Assessment Guideline published by ASIS International in 2003.  Just a note, if this guideline does not work for you, there are plenty of others available. All you have to do is look. 

The stages detailed are:
1.  Identify assets;
2. Specify loss events;
3. Determine the frequency of those events;
4. Determine the impact of those events;
5. Identify options to mitigate;
6. Explore the feasibility of options;
7. Conduct a cost/benefit analysis; and finally
8. Make a decision on how to proceed.

What I want to discuss today is stage 6: Explore the feasibility of options.  There are four elements to the decision-making process when exploring these options.

First, when it comes to selecting an option, or in security terminology, a countermeasure (CM), you have to determine if it works or not. This does not just refer to whether the CM technically works, but to whether it does what it is supposed to do.  Does the CM counter the threat in an effective manner? For example, if a CM is uniformed security guards, do the guards perform the actions that are required of them, whether it is going out on patrol, watching cameras and reporting incidents, or responding to events? Or do they hide away not responding to requests for assistance, or sleep in front of the monitor? Lest anyone think I am picking on security guards, the same thing can be said about the Chief Security Officer of an organization. A CSO is also a countermeasure. Are they able and trained to do the job, or are they sleeping the day away?

Determining whether a CM works is often difficult; there is such a scarcity of research and data available that decision-makers often make decisions based on hope. 

The second element in the decision-making process is the degree of reliability of the CM. If the CM is a burglar alarm, will it work properly each and every time? Will the system be properly designed, installed and maintained? (For more on this, read “Think before you buy” in the June 2010  issue of Canadian Security.) Reliability is obviously specific to the CM.  Will putting the key in the lock unlock and lock the door each and every time? How often will it jam or break the key? How often will it require repair? What is the maintenance schedule? Does the access control system create a million false alarms a year or one?  If we are talking about human countermeasures, does the person show up for work on time, each and every day? Do they put in a full shift? Are they competent, trained, motivated and enthusiastic?  Can they be relied upon to do the job? Reliability is extremely important.   

The third element in the decision-making process is the approximate cost of the CM. From a cost effectiveness and loss prevention perspective, we all know we don’t spend a million dollars to save $10. But what about spending a million dollars to save a million? Of course we don’t, but what is the cost-benefit ratio on our protective strategies? In order to determine this, we need to identify our assets, their true value and what it would cost the company if that asset is no longer available. We may determine in our countermeasure identification process that we have half a dozen options, but this is where we go back to determine their validity and reliability in addition to cost.

The fourth element in the decision-making process is the delay or elapsed time required to install the CM. We may find the best, more effective CM of all time. It will protect the organization 100 per cent of the time, is 100 per cent reliable, and costs $10 to design, install and maintain.  But it will be 10 years before it is installed. Obviously, this won’t work for us because we have to figure out what to do in the meantime.  
Each of the four factors can be weighted to determine how important it is to the overall countermeasure selection process. 

These four factors are aspects of just one of eight stages that need be taken into consideration when conducting a proper risk assessment. It may look intimidating to some who may be unfamiliar with the decision-making process, but it is not nearly as intimidating as walking into a budget meeting unprepared. Security practitioners need to be able to fight for their program and back up their decisions with facts and figures.  Following an established process will make the job easier.

Glen Kitteringham, M.Sc., CPP, F.SyI. is President of Kitteringham Security Group.