SRM Implementation
Overview
The implementation phase of the SRM is of paramount importance, as the credibility of the whole process rests on it. The project planning phase and the implementation phase are two very different things; consideration needs to be given to how the SRM will be implemented throughout the process of assessing risk and recommending risk management measures. The implementation plan assigns who will put the identified/selected measures in place, when, and how. Common mistakes in the implementation phase include a lack of (clear) ownership and a detachment from the capabilities actually in place (reality check).
Management Guidelines
Once a decision is reached, there must be a strong commitment to implementing the mitigation/prevention plan. Without this stage operating effectively, the entire security risk management process could fail. Leadership should therefore encourage security actors and appropriate third parties (such as engineering specialists, telecommunications experts, security providers, etc.) to adopt comprehensive project management approaches that will document the planning, organizing, and managing of resources necessary for the successful implementation of the risk management process, taking into account the following aspects of the Implementation Plan.
- The actor responsible for implementation: Determine the appropriate manager responsible for identifying and implementing MOSS. Physical implementation must be clearly allocated to an individual to lead. He or she must have the knowledge and/or resources to implement the plan. Risk management measures or procedures will not be effective without an engaged risk manager who has the authority granted to him/her by senior leadership to carry out implementation. Irrespective of who is tasked to implement the measures, the SMT has the responsibility to ensure that implementation is completed.
- Prevention/mitigation measure: detail the specific measure proposed.
- Prevention/mitigation objective: How does the measure actually manage the risk? Does it reduce either likelihood or impact, or both?
- Resources/Costs: What resources are required? Consider, for example, additional funding or collaboration. Consider whether this is a one-time cost or whether there are recurring costs (e.g. for maintenance, training, etc.).
- Timeframe for implementation: Determine the time needed to complete each activity and the expected completion date. Be realistic with implementation timeframes, taking into account how long actions might take, and bearing in mind that resources and/or funding may take time to become available, particularly for measures related to infrastructure or specialized equipment such as armored vehicles, as opposed to those, such as SOPs, that can be implemented quickly and with minimal or no cost. In the event of long lead times for implementation, alternative and/or temporary measures should be considered to ensure that there are no gaps in the SRM process and that the level of remaining risk in the interim period is still considered acceptable.
- Progress update: State whether implementation has not yet started, is in progress, or is completed. Identify the actions and steps needed to implement the mitigation/prevention strategy. What specific actions are needed? Include only those stakeholders relevant to the step, action, or decision, and make sure progress is clearly documented. Progress requires the appropriate decisions, agreements, and actions resulting from a meeting, not merely the fact that the meeting was held. Look for evaluation, proof, and validation that criteria have been met. Consider, for example, metrics or test events.
Budget and funding
Funding for mitigation or prevention measures may come from several different sources. Since organizations differ significantly in their budgeting and funding mechanisms, this is not covered in this document.