Addressing Security Risks with the Appropriate Solutions
We cannot take budget security seriously
I am just ignoring budget solutions here. We really cannot take seriously agencies, or even family heads, who experience serious security risks and try to manage them with residential or DIY security solutions.
Risk Assessment and ROI
I hail from a background in risk assessment and mitigation – stemming from my time as a chief fire officer in a hazardous materials response and mitigation unit. Perhaps it’s in order to just briefly outline the risk measurement process.
What is Risk?
There are many weird and wonderful descriptions of risk – but I like to view risk as:
A subject or situation which exposes something (someone) of value to harm, loss or danger. (Just as an aside here – it is now generally recognized that the value of a human life is 10 Million USD)
There are numerous forms of harm, loss or danger presented to the items of value.
Some are:
Compliance Risk: A business suffers the risk of harm when it fails to comply with requirements. Non-compliance is a risk factor that exposes the business and its resources to danger of loss in different forms.
Operational Risk: A business suffers the risk of harm, when a situation or subject presents that may interrupt the operations of a business.
Financial Risk: A business suffers the risk of harm, when a financial situation or subject presents that may negatively affect the financial assets of a business.
Reputational Risk: A business suffers the risk of harm when a subject or situation presents which questions the reputation, ethics or morality of that business.
Step 1: Identifying assets
The first step in identifying risk then is to identify every tangible and non-tangible asset of some value to the business that is vulnerable to harm, loss or danger.
Data, Patents, Vehicles, Brand, Processes, Employees, etc.
Step 2: Identifying Risk
Once you have listed these assets – you can identify whether the asset is vulnerable to one of the above risks – clearly defining the nature of the subject or situation that presents the risk.
Step 3: Calculate the Likelihood Or Probability of loss
Where a vulnerability exists, you need to quantify the probability or likelihood of that risk being realized.
Is it likely? When? How? How Often?
It’s usually recommended to use some kind of scale for this quantification – 1-5 or 1-10 as an example.
In the world of security, we would like to segment a facility into Physical areas or zones, based on their asset value category. Data Storage Area, or Stock Area for instance. There is definitely a place for compiling non-physical security areas as well, such as Brand Name.
It is then recommended that we engage all stakeholders in that particular area, to jointly identify the potential risks from the category above, and the likelihood of that risk being realized.
It’s unfortunate that as security practitioners, we hardly ever get the client to give us the time or patience to conduct such assessments at their facilities.
At this stage we have a worksheet which:
Lists the tangible and non-tangible assets of a business,
Identifies the risk category and actualization mode to which the asset is vulnerable,
Estimates the degree of vulnerability by quantifying the likelihood of the risk being realized.
Step 4: Calculate Exposure to loss
The next factor to apply to likelihood is frequency. How often is the likely event expected to occur in one year, or day or week? Here again we can use a scale of 1-5, or 1-10 to quantify this. Once a day, twice a day, more than 10 times a day, for instance.
When we multiply the likelihood measure and the Frequency measure we get an exposure rating.
Step 5: Calculate the Impact of potential loss
Now we move on to determining the degree to which the risk is tolerable or not.
This is achieved by examining the scale of the actual loss that might be realized should the specific loss or harm be realized.
Many will suggest using a scale, such as 1-5 or 1-10 for this. I find that approach somewhat subjective.
To really understand what we are dealing with, I recommend attempting to quantify the probable currency value likely to be lost. We bring everything – tangible and non-tangible loss down to a dollar value.
For example – Imagine that your store attendant is rude to one of the customers. Statistics show that this customer will hardly complain – but is more likely to simply stop coming to your store.
Let’s say it’s a convenience store. The average customer stops there and buys a loaf of bread, a liter of milk, a packet of smokes and some fries daily. Now let’s calculate that average spend to a daily, weekly, monthly, annual currency value.
Here we have the value of the likely loss.
All we have to do on our worksheet is to multiply the exposure rating of each identified risk with the currency value of the potential loss.
Why should we assess risks?
Why should we go through all of this – surely we know where the risks are in our business?
Well, we only know the obvious, recently experienced risks – clearly we want to be warned and reminded of risk potentials that we have not yet experienced, or which we have forgotten about – yet are likely to happen.
Additionally, once you know the Likelihood of losing a specific currency amount – you are able to effectively determine a threshold amount that is reasonably expended on interventions designed to mitigate the risk.
That’s not to say you should blindly budget the calculated amount, since you might effectively reduce the likelihood of loss with some very simple and inexpensive solutions.
It does raise red flags though when the solution cost vastly exceeds the probable loss, or costs a minute percentage of the expected loss.
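The worksheet from Steps 1 to 5 and the budget check above, as an added example that is not part of the original article. The 1-5 scales follow the text; the sample rows, the currency amounts and the two budget thresholds (more than twice the probable loss, less than 1% of it) are constructed assumptions.

```python
from dataclasses import dataclass

CATEGORIES = {"compliance", "operational", "financial", "reputational"}

@dataclass
class Risk:
    zone: str           # physical or non-physical area, e.g. "Stock Area"
    asset: str          # Step 1: the asset of value
    category: str       # Step 2: one of CATEGORIES
    likelihood: int     # Step 3: 1-5 scale
    frequency: int      # Step 4: 1-5 scale
    annual_loss: float  # Step 5: estimated currency value of the loss per year

    def __post_init__(self):
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown risk category: {self.category}")
        if not (1 <= self.likelihood <= 5 and 1 <= self.frequency <= 5):
            raise ValueError("likelihood and frequency use the 1-5 scale")
        if self.annual_loss <= 0:
            raise ValueError("loss must be a positive currency value")

    @property
    def exposure(self) -> int:
        return self.likelihood * self.frequency      # Step 4

    @property
    def weighted_loss(self) -> float:
        return self.exposure * self.annual_loss      # Step 5

def annualize(daily_spend: float, days: int = 365) -> float:
    """Convert a lost customer's average daily spend to a yearly value."""
    return daily_spend * days

def rank(worksheet):
    """Order the worksheet so the highest weighted loss comes first."""
    return sorted(worksheet, key=lambda r: r.weighted_loss, reverse=True)

def budget_flag(risk, solution_cost, high=2.0, low=0.01):
    """Red-flag a solution cost against the probable loss (assumed thresholds)."""
    ratio = solution_cost / risk.annual_loss
    if ratio > high:
        return "cost vastly exceeds probable loss"
    return "cost is a minute percentage of probable loss" if ratio < low else "ok"

WORKSHEET = [  # constructed sample rows
    Risk("Shop Floor", "Repeat customer", "reputational", 3, 2, annualize(12.0)),
    Risk("Data Storage Area", "Customer records", "compliance", 2, 1, 50_000.0),
    Risk("Stock Area", "Inventory", "financial", 4, 3, 8_000.0),
]

if __name__ == "__main__":
    for r in rank(WORKSHEET):
        print(f"{r.zone:18} exposure={r.exposure:2} weighted={r.weighted_loss:,.0f}")
```
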
Measuring ROI
This is probably how we in the security field should be determining ROI and efficacy on deployed security solutions.
What impact has the solution had on the actual losses realized from the specific risk?
Will we do it?
How many security practitioners have I seen practically implement this – Very few!
How many customers would allow or tolerate the time and expense of implementation – Very few!
Clearly, the quick site visits and generic security deployments we are so used to are of little value.
It’s not uncommon to come across people who aim to protect a 10 Million Dollar human asset, facing a 100% likelihood of harm, with a R2000-R8000 budget.
For this reason many agencies dispute the acknowledged value of a human life. In some countries it is pegged at around $220,000.00.
What do you think is the realistic value of a human life? Immeasurable is not an allowed answer.
We encourage all business owners and family heads to take the time to sit down and conduct a formal risk assessment.
This single activity promises a huge ROI for your business or family.