Determining and mitigating risk: Where to begin?

November 2019 Editor's Choice

In a country where serious crime such as robbery with aggravating circumstances, assault with intent to cause grievous bodily harm, and attempted murder, has increased significantly again, it is disconcerting to be aware of the sheer number of properties in South Africa which do not undertake regular risk determinations for the purpose of the development of, or continual re-calibration of, the specified security strategy.

Security spend is often limited, or allocated elsewhere, as a result of the fact that people and assets have not yet experienced a significant incident.

Yet risk itself is defined as having little to no protection from something ‘potentially’ harmful. It follows that managing risk means proactively reducing the severity or seriousness of that which has not ‘yet’ occurred.

While it is encouraging to hear that this beautiful country of ours still boasts numerous areas which innately just feel safe to live in, work and go to school, it seems that if one were going to travel to a yellow-fever ridden area, for example, one would fully vaccinate ahead of time? And so, in the interest of good governance, does risk not by its very definition require the same proactive approach?

Undergirding principle 1: Accept that risk cannot be retrospective

The first step in being asked to undertake a risk consultation often involves needing to encourage a changed ‘mindset’ on the part of the client’s senior decision-making team. Facilitating this shift may fall to me as the consultant, but frequently I am only echoing the sentiments of an already frustrated risk or security manager, trying to secure critical spend.

No property can embark on a security journey before all senior decision-makers have come to terms with the fact that what is to be discussed, will be that which might yet still happen – that we will be identifying potential incident, to prevent or minimise potential impact.

This absolutely must be step one and is often the step that consultants spend significant facilitation time on.

Undergirding principle 2: Embrace ownership

Furthermore, the ultimate ‘responsibility’ for a risk determination and risk management cannot rest in the hands of the security service provider/s onsite, current or future. Responsibility must remain with those with the fiduciary duty to protect people and property.

Service providers can and should be held accountable to contracts and KPAs, and this can certainly be made more effective through the results of a risk determination process. Further, I am also a great believer in leaning on the specific expertise of these providers, by having their senior representatives contribute toward the risk determination process itself.

Yet, I cannot advocate that my end-user client place primary responsibility for the regular analysis of risk and/or the adjustment of security strategy, in the hands of any manufacturer, distributor, turnkey system integrator, guarding company, CCTV installer, remote monitoring service provider, or investigative, tactical or armed response team, all of which ultimately have a specific business interest in the property.

A risk, safety and security strategy is a serious practice. It is about good governance. Accountability is key.

Undergirding principle 3: Understand the intrinsic roles of these security industry role players

With apologies for a little bias here, it seems pertinent to note therefore that while most companies in today’s world are familiar with the benefits of using an independent consultant to assist in critical decision areas, within the security industry a slightly different approach prevails. In our field, pressure tends to be placed directly on these same provider/s within the value chain mentioned above, to provide consultative services which would ordinarily be the domain of an independent consultant.

This pressure often lands on sales staff, expert in specific products and chasing steep targets, now required to provide consultative services (as a value add) for which they simply do not have the necessary freedom, breadth of experience, or time.

These statements are made with no disrespect. Many of my friend-colleagues in the industry have skills in certain areas far, far better than my own. And, understandably, end-user clients under severe budgetary constraints must often extract as much value out of their on-site providers as is possible.

Yet savvy clients understand that one cannot be an unbiased expert in, or have the time for, everything. Thus, bringing in an independent consultant does not mean that they see their service providers as ineffective or unable. Rather, it means that they innately understand the individual contribution that each link in the value chain is best poised to make.

For risk consultants there is nothing more satisfying than to sit around a boardroom table with the right manufacturer/distributor team, a great integrator of manpower and technology, and the client decision-making team, all contributing together to address the results of a thorough risk determination. This is the ideal result of what we consultants do.

Lesley-Anne Kleyn.

Risk determination phase 1: Know what you (really) currently have in place and how effectively it (really) is working

In my opinion, the most important part of a risk determining exercise lies in first establishing – really establishing – what is currently in place. This part of the project will examine the manpower, processes, and technology currently on site, and within each of these important pillars, will consider the client’s CCTV network infrastructure, pay special attention to command and control of the site, examine access and egress, outer and inner perimeters, buildings, warehouses and retail outlets, deterrence, detection and response, the maintenance contract in place, and a host of other factors, both safety and security. These will all be evaluated against industry best practice principles.

This is not a good, yet general, survey of the property. This is an in-depth analysis, carefully and thoroughly documented.

It will include CCTV as-built surveys, technology designs, intrusion test results, processes analyses, budgetary costings, and other relevant information. This will also be the springboard from which an RFQ is determined and tenders are adjudicated when the time comes.

Risk determination phase 2: Determine risk categories, likelihood, and potential impact

At risk of being repetitious, risk management is by its very definition the process of proactively identifying and then reducing the severity or seriousness of ‘potential’ danger.

Phase 2 is therefore the part of the project that gets me enthused. During this phase client senior decision-makers must participate in at least one facilitated session. Typically, a workshop is conducted with the decision-making team, the members of which will already have been presented with where the vulnerabilities have been revealed during phase 1, all in the form of a heap of logical and precise written information with easy-to-skim summaries.

This information now on the table, we can turn our attention to risk. The macro-environment is examined, and crime is rated and categorised. Potential threat, the vulnerabilities revealed during phase 1, and the target attractiveness of various aspects of the property, give the team an indication of ‘likelihood’. Then potential ‘impact’ is examined in terms of financial impact, reputational damage, and so on. Likelihood multiplied by impact gives us quantifiable risk within each risk category.

Risk determination phase 3: Develop, re-evaluate, embed or adjust the three- to five-year risk, safety and security strategy

At this stage, the client decision-making team begins to get to grips with tangible, measurable information and unifies over discussions around a security strategy.

It was a management consultant Peter Drucker who said that stated objectives can be compared to a compass bearing by which a ship navigates. He put it that a compass bearing is firm, whilst in actual navigation, the ship may veer off course for many miles. Without a compass bearing, he stated, a ship would neither find its port nor be able to estimate the time required to get to it.

So to journey with my client to this phase means that I have achieved my original objective of enabling my client to formulate (or in some cases, recalibrate) a clear, written strategy around which future decisions will be made.

The client team now knows exactly, in detail, what risk, safety and security measures are currently in place, as well as how effectively these are working, is in agreement as to the specific risks which could impact this particular property in the future, has strategised accordingly in order to reduce these risks as far as possible, and now has a plan in place which can be regularly revisited, regardless of changes to specific portfolio-carrying individuals, as a decision-making team.

The property can now be carefully and communicatively handed over to one of the many excellent manpower and/or equipment providers in the industry, which can pick up the baton and turn vision and decisions into an impenetrable reality.

Kleyn Consulting is an independent risk, safety and security consultancy with experience in a range of verticals. Based in the Western Cape Winelands, Lesley-Anne travels across South Africa. Contact her on +27 64 410 8563 or

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

The same security assessment for different reasons
Issue 7 2020, Alwinco , Editor's Choice
Like everything else in life, a security risk assessment also has two sides: one is the proactive approach, and the other is the approach taken ‘after the fact’.

Risk intelligence the key to a sustainable future
Issue 7 2020 , Editor's Choice
Only by building risk intelligent organisations will leaders be able to overcome six distinct global threats identified by the Institute of Risk Management South Africa (IRMSA).

Profile D for access control peripherals
Issue 7 2020 , Editor's Choice
Profile D provides interoperability for devices such as locks, credential/biometric readers, PIN pads, LPR cameras, door phones, sensors and displays.

Security investments and culture
Issue 7 2020 , Editor's Choice
Organisations must embed security into the culture of the company and approach security investments with this culture in mind.

Elastic storage pricing
Issue 7 2020 , Editor's Choice
With elastic pricing, users can switch from one storage model to another without having to pay a premium or a penalty, and without having to physically move any data.

Use technology as a differentiator
Issue 7 2020 , Editor's Choice
Juni Yan, director of Transport, Logistics and Automotive at BT, shares her insights on how logistics companies can leverage digital transformation to become a real market differentiator – no matter the state of the pandemic.

Management of PPE allocation made simple
Issue 7 2020, Powell Tronics, Technews Publishing , Editor's Choice
Of all the roadblocks and challenges COVID-19 has introduced us to over the past few months, one of the tasks organisations have to manage is the issuing of PPE to staff.

Robots in warehousing and freight, a security perspective
Issue 7 2020, FSK Electronics , Editor's Choice
The logistics industry needs support from technology to meet its ongoing demands and ongoing security concerns.

The new training normal
Issue 7 2020, Leaderware , Editor's Choice
Insights from running my first CCTV Surveillance Skills and Body Language and Advanced courses at physical training venues since COVID-19 started.

An exciting journey in security
Issue 7 2020, Technews Publishing, BTC Training Africa , Editor's Choice
Errol Peace describes his 40-plus year career in the security industry where he was and is a great proponent of training as an “exceptionally exciting journey”.