The time to manage it is before harm happens.
A risk management program can supply your business with the tools it needs to ensure short-term changes have long-term success. Risk assessment (identifying potential threats) and risk control (identifying means to reduce post-threat loss) combined with the right security experience, intuition, and good management skills will result in a successful risk management program.
Unsuccessful risk management comes in many forms. For example, when numerous systems are supervising hundreds of alarm points, new and existing, frequently none of those alarm points have been assessed to determine if they represent a high degree of risk to the enterprise. Instead, they result in guards acknowledging, responding to, and reporting events which may be primarily false alarms. Instead of assisting security guards in protecting assets, the system keeps their shifts busy with unnecessary responses and encourages complacency. The combined strength of the guard and new control has unintentionally become less effective, despite confidence in both, while the constant alarms can lead to a negative company perception.
Adopting an effective security risk management program accomplishes strong control that does not negate other existing plans. Simply put, a security risk management program is a continual process of risk assessment and risk control. The risk management process must be an ongoing task that accounts for the fluidity of the enterprise’s needs.
The business objectives from the risk management process include:
- Providing the enterprise the ability to be consistent in the measurement of the vulnerability of assets in order to make fundamental risk avoidance decisions by evaluating effectiveness and strength of security countermeasures.
- Ascertaining the most cost-effective processes and security controls to reduce vulnerability.
- Integrating the risk assessment and risk control processes into wider business management techniques to improve the success rate of new risk control techniques.
- Confidence that all risk control techniques support the enterprise’s business priorities.
Security practitioners have been conducting risk assessments and recommending risk control techniques for decades using several similar models. A successful model consists of the following collective tasks:
- Identification of critical and essential assets that require protection.
- Evaluating the most probable threats.
- Defining possible means of targeting existing administrative, electrical and mechanical security controls.
- Evaluation of the probability of undesirable loss.
- Recommending security control measures that provide a layered security approach by reducing several risks and interacting with other — new or existing — control measures.
- Determining that no new recommended controls negate the effectiveness of existing security controls.
The objective of each model is to identify new solutions to old problems and justify past decisions. The security industry is full of risk-based evaluation software, which offers a structured approach to the process. When contemplating the right software, consider whether it will be a tool or the master of the risk management program, as your site-specific knowledge, historical data, and intuition should support the output. Also consider whether it measures both positive and negative result scenarios, and whether the output is easy to understand and explain. Using a tool in the planning stage can provide consistency and historical planning.
Risk management includes risk assessment and the process of acting on that assessment with risk controls. The security industry must recognize that the matter of security planning is serious and that the future is uncertain. We cannot envision or prepare for every type of unknown threat. Instead, we must understand and accept that we must define and manage the potential and probable threats with a disciplined approach to resource prioritization and the diversification of risk avoidance across the full spectrum of an enterprise. Applying a risk-based framework to all security efforts will help to ensure your security program’s success over the long term.