Introduction
Risk management has four important principles that govern how a Security Management System deals with questions of acceptable risk:
- Do not accept unnecessary risk. There is no benefit in accepting any unnecessary risk if it does not help the organization achieve its objectives.
- Accept risk only when benefits outweigh risks. We cannot eliminate all risks – that would be too rigid and costly. On the other hand, avoiding all risks does not help the organization achieve its objectives.
- Make risk management decisions at the right level. The organization must ensure that decisions on risk are taken at the level that holds the delegated authority for them. Staff and managers must not accept any risk for which they have not been given authority.
- Everything reasonable should be done to reduce the risk. We must always try to lower risk whenever feasible.
Acceptable Risk Model
Based on these principles, the “Acceptable Risk Model” balances the security risk with project benefits (called “Project Criticality”). There are four levels of Project Criticality, in line with the levels of risk produced in Step 5 – Risk Analysis.
The Acceptable Risk Model also distinguishes between activities carried out by the organization's own staff and activities carried out by implementing partners in support of those activities. The Acceptable Risk Model deals only with activities conducted by the organization's staff; personnel of implementing partner organizations conducting activities in support of organizational activities are not covered by it.
The figure below shows a schematic of the Acceptable Risk Model. Security Risk Management, encompassed in the tool explained in this Manual, is used to establish the present level of risk associated with a particular area or activity. A separate tool, the Project Criticality Tool (explained here), is used to establish which of the four levels of Project Criticality any activity involving organizational personnel falls into. The Acceptable Risk Model then establishes the maximum level of security risk that is acceptable for each level of Project Criticality.
There is a level of risk that is unacceptable no matter what activity staff may wish to conduct. This level of unacceptable risk is reached when an event is assessed to have the highest level of likelihood (Very Likely) and the highest level of impact (Critical Impact). The only security risk management option in this situation is to avoid the risk, i.e., move people away from the location or situation until the required security measures are in place and functioning and have brought the risk down to an acceptable level (Very High or lower).
Acceptable Risk Balanced with Project Criticality
Whether the risk of an activity is acceptable at any level lower than “unacceptable” is determined by the level of Project Criticality of the activity. The Project Criticality Tool is used to establish the level of Project Criticality for this purpose.
If the organization has done all it can to lower the security risk, and the security risk is assessed as Very High, then that organization would be able to conduct only PC1 activities, and usually only if:
- The Executive Head of that organization approves that the activity is a PC1 activity; and
- The Security Cell gives the final clearance.
If the organization has done all it can to lower the security risk, and the security risk is assessed as High, then that organization would be able to conduct PC1 and PC2 activities but usually only if:
- The representative of the organization at the country level approves that the activity is either a PC1 or PC2 level activity; and
- The Senior Official in the country gives the final clearance.
If the organization has done all it can to lower the security risk, and the security risk is assessed as Medium, then that organization would be able to conduct PC1, PC2 and PC3 activities only if:
- The representative of the organization at the country level approves that the activity is either a PC1, PC2 or PC3 level activity; and
- The Senior Official gives the final clearance.
Finally, if the organization has done all it can to lower the security risk, and the security risk is assessed as “Low” by the security risk assessment (SRA), then the organization can conduct any activity (PC1, PC2, PC3, and PC4).
The above explanation shows that the more an organization invests in security risk management measures, the more activities it can conduct, because the investment in SRM measures lowers the assessed risk.
As noted in Step 5, for the purposes of making Acceptable Risk decisions, the risk level assigned to an SRM Area, or any other program or location to which an ad hoc SRM Process was applied, shall be the highest risk associated with any of the events that would be applicable to the program activity under consideration.
Project Criticality
How a specific activity is assigned a certain level of Project Criticality is covered by the use of the Project Criticality Tool. Details on how that tool works are found here.
As noted above, the output of the Project Criticality Tool (an assigned “PC Level” for each activity) becomes the input for a decision on Acceptable Risk.