Intro
Risk management in the security context deals with threats in the environment. Therefore, it is important to determine a specific area in the environment in which these threats occur. It is also necessary to establish clear geographical locations to set the context in which project, activity, and vulnerability assessments are made. Therefore, the establishment of the geographical scope of the SRM process is the key first step.
If the geographical scope is too broad, then the threat and risk assessments will have little meaning. Conversely, too many small areas will create an additional workload.
The general guideline
The selected geographical scope should contain similar characteristics. For instance, if a country contained a large capital city in which client offices were located, a region of widespread drought in the east of the country, and an area in which IDPs (Internally Displaced People) were located, it would make sense to treat each of these three areas in a separate security risk assessment. Keep in mind that the country’s political division, as established by the host government, may not be the best way to establish the geographical scope for the SRM process.
When deciding on geographical areas, it is important to establish who is overall responsible for the area. Unfortunately, a common mistake and potential point of failure are not designating specific roles and authority. Too often, avoidable errors are made due to organizational confusion about who is responsible for security in a designated area.
Several viable options are available when establishing Geographical Scope. A simple method is to establish layers of geographic scope:
- The first is the “Designated Area.” This is the area assigned to a Senior Representative of the organization. This is usually equivalent to the country but isn’t always. Examples exist where one country is divided into two or more Designated Areas under the responsibility of two or more Managers or where the Senior Representative covers more than one country.
- The second is the “Security Area.” All Designated Areas must have at least one Security Area. A Security Area without a designated Security Manager falls under the same as the Designated Area. Where a designated Security Manager is designated, their area of responsibility is the Security Area. Several security managers can operate their respective Security Areas within the overall Designated Area.
- The third is the “SRM Area.” This is the area of homogeneous threats for which an SRM assessment is carried out. The determination of an SRM area is the decision of the Senior Representative, usually in consultation with a Security Management Team (SMT). All Security Areas must have at least one SRM area. An SRM Area must lie within a single Security Area.
Example: A hotel chain operating in Florida in the United States. The organization operates several hotels in both Miami and Orlando. The Senior Representative covers the entire state (Designated Area). The organization has two district managers, one in each of the cities (Security Area). In Miami, the organization operates four hotels, one near the airport (SRM Area 1), one in the northern suburbs (SRM Area 2), and two on the beach (SRM Area 3). Similarly, Orlando is divided into Security Areas and SRM Areas.
Timeframe
Establishing a clear timeframe for analysis is very important for the SRM process, especially regarding likelihood. It is important to specify the timeframe under consideration because different durations of time are likely to be related to different levels of opportunity to carry out threats. The question is how likely the event is to occur within an established timeframe.
Over a longer time frame, a threat may be harder to quantify. For example, an assessment about whether an individual is likely to carry out a threat against the organization, such as a bombing or active shooter, at some point in the future is likely to be less useful when managing risk and prioritizing resources, compared to assessing the likelihood of a bombing within a clearly specified timeframe such as the following six months. By focusing on the next six months, it may be possible to more accurately evaluate the likelihood of the event. In the context of terrorism, the time frame may be of additional importance given that terrorist groups, on occasion, may work towards specific dates, e.g., specific anniversaries. Similarly, external events such as elections or projects and operations may drive the timeframe set for the assessment.
For the SRM process, a very wide set of analysis timeframes can be used – from one day for a road move to 12 months. However, no timeframe for analysis should extend beyond one year (12 months) to ensure that threats are constantly re-evaluated. For SRM Areas where the security threats are prone to change rapidly, a timeframe of, for example, 3 or 6 months is recommended. For SRM Areas where the security threats are more stable, a longer timeframe (for example, 6 or 12 months) is recommended.
When the SRM process is applied to a short mission or project, then the time frame should match the timeframe of the mission.
Once established at this stage of the SRM process, the geographical scope (SRM Area) and timeframe will apply to all other steps of the process. Multiple SRM processes can be combined into a designated area SRM report.