Security Risk Management Measures
Introduction
As noted in step 5 (Risk Analysis), risk management is the process whereby an organization attempts to lower risk by implementing measures to reduce likelihood and/or impact by reducing vulnerabilities.
SRM Measures are selected after specific threats have been identified, existing mitigation or prevention measures have been assessed for strengths and weaknesses, and the impact and likelihood of those threats have been evaluated to determine risk. SRM Measures may include information, training, briefings, specialist resources, equipment, physical improvements to premises or facilities, or procedural changes. However, every measure presented must be directly linked to the preceding assessment, helping to reduce the likelihood or the impact of an event, or both, and it should be logical, feasible, and relevant. Experience, judgment, and creativity play a critical role in this step.
Projecting Required SRM Measures
Through the SRM process, we analyze threats and vulnerabilities to assess the risk. If the threat does not change, the only way to lower risk is to lower vulnerability (i.e., increase protection and mitigation). In this way, managing risk means lowering vulnerability by investing in prevention measures and procedures (“prevention vulnerability”) and/or lowering impact by investing in mitigation measures and procedures (“mitigation vulnerability”). Since the SRM Process evaluates each component of risk in a structured way (and records the results of those evaluations in the SRM Tool), it is easy to highlight where the vulnerabilities are and, subsequently, to design SRM measures to address those vulnerabilities.
Present (existing) prevention vulnerability and present (existing) mitigation vulnerability have already been assessed as part of Step 5, and identify where risk management countermeasures/procedures are in place and their effectiveness on a scale of 1 to 5. This then allows the security professional to determine, based on the existing measures and their effectiveness, what additional measures not currently in place are required, as follows:
- Measures & procedures to reduce the likelihood
- Measures & procedures to reduce the impact
- Measures & procedures to reduce both likelihood and impact.
If a measure reduces the likelihood or impact of several events, record it against every event whose risk it reduces, so that its full effect on the risk picture is visible.
Selecting SRM measures
Risk management entails choosing the best option among several alternatives in an uncertain environment. Security measures can rarely protect 100% against all threats. The key moment in any risk management process is therefore the point at which a manager decides to implement a selected course of action. This can be an affirmative decision to implement new measures, or a decision to maintain the current suite of risk management measures (when a risk is already acceptable, there may be no need to identify and implement additional measures; for more on this, see the section on acceptable risk in step 8).
In most cases, the risk management process attempts to strike an economic balance between the impact of risks and the cost of security solutions intended to manage them; measures must be cost-effective. However, as is often the case in many organizations, the decision to implement (or not implement) measures may be driven by the importance of a project, mandate or operation and the measure’s ability to save lives, as opposed to its financial cost.
When selecting SRM measures, it will be important to take into account the following:
- Adverse impacts of SRM measures: Consider any unintended adverse impacts of a particular measure. Attempts to manage one risk may inadvertently create or increase another. For example, measures to manage the risk of an attack on a compound (effective perimeter security, access control, regular guard patrols, etc.) may reduce both the impact and likelihood of an attack, but they also distance staff from local populations (both physically and symbolically), making it harder to conduct operations and implement business objectives. Alternative measures, such as engaging in dialogue with the local population, might enhance security whilst minimizing negative appearances. Other adverse impacts include increased inconvenience to users (for example, lengthy access controls that delay entry to premises: an irritation to staff, but worse, a longer exposure to the very threat the control was intended to mitigate) and intrusions on the privacy of staff (for example, the collection of personal information for a security plan). Sometimes these effects are perceived rather than real, and sometimes they cannot be avoided given the specific risks identified. However, when considering alternative measures, we can strike a balance between the need to enhance security for the organization and the short- and long-term adverse impacts associated with each measure.
- Cost of measures: As already noted, the costs of potential damage from threats such as terrorism are substantial, but so, often, are the costs of improved security. Cost-benefit analysis can be problematic for security issues, mainly because the benefits are often uncertain and hard to quantify, so determining whether a security measure is a sound investment is not always easy. Security is not simply a financial reward measured against expenditure but the provision of a benefit to others; knowing that money is being wisely spent on security is key. Some security measures can be implemented at little or no cost and without complex technology: updating procedures to improve processes or raising security awareness through communication might cost very little, while delivering training might require a minimal investment. By considering several options before recommending measures and, where possible, selecting measures that form part of an integrated systems approach (see below), we can make the most of limited financial resources.
- Additional resources: For an SRM measure to succeed, project management methodologies and general management practices must support its correct implementation, including, where needed, communicating with and educating individuals and organizations. Any item of security equipment will also require training, support, maintenance, and many other things if it is to remain operational. For this reason, the additional resources a measure needs over its life, not just its initial cost, must be considered when selecting SRM measures, so that they can be implemented effectively and continue to function as anticipated.
- Time to implement measures: As already noted, risk management entails making decisions about several alternatives; those decisions may differ based on many factors, including the relevance of time pressure. Although it may be preferable to take a long-term view to address and manage risks, the realities of an organization’s environment dictate that, at times, implementing the risk management process may not be a linear progression. Security professionals, project managers, and decision-makers may be required to improvise and truncate steps in the process based on time and resource constraints. This is not to suggest that shortcuts should be sought but to ensure that consideration is given as to how long a particular measure may take to implement and whether the decision to implement will have an influence only in the short term or over a long period. By evaluating the time needed to implement each risk management measure and the resources required, alternative measures might be identified as being more appropriate, meeting time pressures, and/or filling gaps where long-term measures are not yet fully implemented.
It is not feasible to draw up a comprehensive list of security measures, and no single measure will cover all risks or be practical for all locations within a geographic area. Most security professionals are familiar with solutions that work in some locations but not in others. The point is that by following the SRM process, we can tailor the SRM measures to the environment in which the organization works. The security cell provides an excellent forum for security professionals to develop and consider a variety of options. Options must be feasible and funded, and must include resources and timelines that are as comprehensive as possible.
The effects of SRM Measures – reducing Likelihood and Impact
Security measures can have a variety of effects. Risk management measures employed can be considered to avoid, control, accept, or transfer (share) risk and may provide benefits in terms of protection, deterrence, or acceptance.
Prevention is preferable to mitigation; the desired state is to prevent a threat from being presented against the organization at all. However, in volatile environments, preventing a threat is often highly problematic, and risk cannot be avoided altogether. It is therefore important to distinguish between measures that reduce the likelihood of an event (preventative measures) and measures that reduce its impact (mitigation measures).
RISK MATRIX (rows: likelihood; columns: impact)
Likelihood \ Impact | Negligible | Minor | Moderate | Severe | Critical
--- | --- | --- | --- | --- | ---
Very Likely | Low | Medium | High | Very High | Unacceptable
Likely | Low | Medium | High | High | Very High
Moderately Unlikely | Low | Low | Medium | High | High
Unlikely | Low | Low | Low | Medium | Medium
Very Unlikely | Low | Low | Low | Low | Low
- e.g., Applying shatter-resistant film to facility windows (provided the adjoining mullions can resist the large loads that the film transfers to them). This measure lowers impact by reducing the hazard of flying glass, which could cause injury or death. It does nothing to reduce the likelihood of a bomb blast against the facility.
- e.g., Trimming trees and relocating objects near the building that can be used as climbing devices and ensuring that lamp posts, fences, and other features are not scalable. This may not reduce the impact of a facility intrusion (there may still be injuries, and/or assets may still be lost), but by preventing access to the facility via windows and roofs, the likelihood of an intrusion can be reduced.
- e.g., Delivering security awareness training to develop the competencies, skills, knowledge, values, and behaviour staff need to act safely and securely. This can reduce the likelihood of, for example, a staff member becoming a victim of theft, if the training ensures that staff understand the threats in the environment in which they operate. The same training may also lower the impact of, for example, a carjacking, if it includes guidance on what to do in that type of event.
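As an added worked example (not from the original page), the following Python models the risk matrix above and the three example measures just described as step reductions on the likelihood and impact scales. It then compares each event's present risk with its projected risk once the measures are in place, and lists every event each measure covers, as the page asks. The matrix is the page's; the event register, its ratings, and the one-step reductions are constructed assumptions for illustration only.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Scales ordered from lowest to highest, matching the page's risk matrix.
LIKELIHOOD = ["Very Unlikely", "Unlikely", "Moderately Unlikely", "Likely", "Very Likely"]
IMPACT = ["Negligible", "Minor", "Moderate", "Severe", "Critical"]

# The page's risk matrix: row = likelihood, column = impact (lowest to highest).
RISK_MATRIX = {
    "Very Likely":         ["Low", "Medium", "High", "Very High", "Unacceptable"],
    "Likely":              ["Low", "Medium", "High", "High", "Very High"],
    "Moderately Unlikely": ["Low", "Low", "Medium", "High", "High"],
    "Unlikely":            ["Low", "Low", "Low", "Medium", "Medium"],
    "Very Unlikely":       ["Low", "Low", "Low", "Low", "Low"],
}


def risk_level(likelihood: str, impact: str) -> str:
    """Look up the matrix cell for a likelihood/impact pair."""
    return RISK_MATRIX[likelihood][IMPACT.index(impact)]


@dataclass
class Event:
    name: str
    likelihood: str
    impact: str


@dataclass
class Measure:
    """An SRM measure and the events it affects, as steps down each scale.

    A measure may lower likelihood only, impact only, or both, and may
    cover several events; the page says to record every event affected.
    """
    name: str
    likelihood_steps: Dict[str, int] = field(default_factory=dict)
    impact_steps: Dict[str, int] = field(default_factory=dict)

    def events_covered(self) -> List[str]:
        return sorted(set(self.likelihood_steps) | set(self.impact_steps))


def step_down(scale: List[str], value: str, steps: int) -> str:
    """Move `steps` places toward the low end of a scale, never below it."""
    return scale[max(0, scale.index(value) - steps)]


def project_risk(events: List[Event], measures: List[Measure]) -> Dict[str, Tuple[str, str]]:
    """Return {event name: (present level, projected level)} once all measures apply."""
    result = {}
    for ev in events:
        present = risk_level(ev.likelihood, ev.impact)
        like, imp = ev.likelihood, ev.impact
        for m in measures:
            like = step_down(LIKELIHOOD, like, m.likelihood_steps.get(ev.name, 0))
            imp = step_down(IMPACT, imp, m.impact_steps.get(ev.name, 0))
        result[ev.name] = (present, risk_level(like, imp))
    return result


# Constructed sample register; ratings are illustrative assumptions, not from the page.
EVENTS = [
    Event("bomb blast", "Likely", "Critical"),
    Event("intrusion", "Likely", "Moderate"),
    Event("carjacking", "Very Likely", "Severe"),
    Event("theft", "Very Likely", "Minor"),
]

# The page's three example measures, modelled as assumed one-step reductions.
MEASURES = [
    Measure("shatter-resistant film", impact_steps={"bomb blast": 1}),
    Measure("remove climbing aids", likelihood_steps={"intrusion": 1}),
    Measure("security awareness training",
            likelihood_steps={"theft": 1}, impact_steps={"carjacking": 1}),
]

if __name__ == "__main__":
    for name, (present, projected) in project_risk(EVENTS, MEASURES).items():
        print(f"{name:12} present={present:10} projected={projected}")
    for m in MEASURES:
        print(f"{m.name} -> {m.events_covered()}")
```

Note that the training lowers the likelihood of theft by one step without changing its matrix level (Medium stays Medium), which is exactly the kind of result that should be shown to decision-makers alongside the measures that do move a risk down a band.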
Integrated Systems Approach
Although measures that reduce the likelihood of an event and those that mitigate its impact are assessed one by one, in practice several measures are implemented together to reduce likelihood and impact at the same time. The combined effect of several security measures is a systems approach, integrating the physical, procedural, technical, and human aspects of security. For facility protection, the systems approach is often built on the following principles:
- Deter – physical and procedural security that attempts to prevent undesirable action against the facility by influencing the attacker’s decision-making. Deterrence is a psychological measure; it increases the perception of effort or fear of failure in the mind of the attacker.
- Detect – measures to detect and assess planning (or actual attempts) by threat actors to penetrate the security perimeter or to test the effectiveness of the security system in place.
- Delay – physical, technical, procedural, or psychological barriers to restrict movement and to allow time for appropriate response (by security or host Government forces).
- Deny – the ability to oppose or negate the effects of action against the facility, including denying access to information on the layout and contents of the facility. The premises security system must be designed to deny identified threat actors the ability to carry out a successful harmful action against the facility.
The integration of the principles outlined in the Four D’s above requires the concept of Concentric Layers of Security (Defence in Depth). Proper facility security requires a system designed with sufficient diversity and redundancy so that the strength of one particular component offsets the weakness of another. Components of the security system must be designed with a sufficient number of layers to make it more difficult to defeat the whole system. All facilities should have at least two physical layers of security between staff or valuable assets and the areas beyond direct organizational control, including a system to only allow authorized persons, vehicles, and other items to cross these layers (access control). The principle of concentric layers of security also requires officials responsible for the facility to coordinate with areas of responsibility of the host government outside of the facility.
Decision-making and Implementation
Risk is reduced only after the management measures have been implemented. Once you have selected SRM measures based on how they reduce likelihood and impact, and have considered whether they are fundable and practical given your timelines, decision-makers must weigh the feasibility of the options. When presenting recommendations, set out each option and its strengths and weaknesses clearly and understandably, so that decisions are informed by a common understanding of the organization's risks. Tailor the information to the needs of leadership. Decision-makers should have a clear understanding of both the present risk (the security risk arising from the threats, given the security measures and procedures currently in place) and the projected risk (the expected security risk if the recommended security measures and procedures were in place).
Once a decision is made, there must be a strong commitment to implementing the mitigation plan.
Once SRM measures are identified, they need to be approved. Senior management authorization is usually required for Evacuation and/or Relocation of staff, for continuation of activities associated with very high residual risk, for lifting of Evacuation and/or Relocation status, and in support of a recommendation for danger pay. When the SRM process recommends such measures, their approval must be authorized by HQ (or by officials with pre-arranged authority), unless lives are threatened and communications are lost.
MOSS
Once security risk management measures and processes are approved at the appropriate level, they become requirements and are referred to as the MOSS (Minimum Operational Security Standard). As part of this approval, an Implementation Plan must be developed to ensure that the measures are put in place, and ongoing monitoring and review must confirm that they are completed in a timely and effective manner. As already noted, all MOSS measures must be logical, practical, realistic, cost-effective, and capable of being implemented within the context of the SRM area.
If a new operation or project is established, a new time scale for implementing the MOSS measures and procedures needs to be set, with clear indications of the risk level the operation or project faces before and after full implementation of the SRM measures.
Conclusion
Because the SRM process applies to a defined SRM area, it allows sufficient flexibility to ensure that measures relate specifically to that area, removing the need for minimum measures for the whole country (albeit that there may be measures relevant to the whole Designated Area). However, mandatory requirements for all locations, as set by Organizational Policy, must also be implemented. For example, the requirements that all staff complete 'HEAT Training' (Hostile Environment Awareness Training), that PEP (post-exposure prophylaxis) kits be on hand, and that security plans be updated and made available are SRM measures integral to a Framework of Accountability and other policies. Although these may not be captured in the Implementation Plan for the SRM area, they are usually required, and a progress update should therefore be provided to determine whether the requirement under policy has been met.
Monitoring risk clearly overlaps with the implementation process, whereby monitoring helps to continuously manage risks – see step 7 (SRM Implementation) for more on this.