Determining and mitigating risk: Where to begin?

November 2019 Editor's Choice

In a country where serious crime, such as robbery with aggravating circumstances, assault with intent to cause grievous bodily harm, and attempted murder, has increased significantly again, it is disconcerting to be aware of the sheer number of properties in South Africa that do not undertake regular risk determinations in order to develop, or continually recalibrate, their security strategy.

Security spend is often limited, or allocated elsewhere, as a result of the fact that people and assets have not yet experienced a significant incident.

Yet risk itself is defined as having little to no protection from something ‘potentially’ harmful. It follows that managing risk means proactively reducing the severity or seriousness of that which has not ‘yet’ occurred.

While it is encouraging to hear that this beautiful country of ours still boasts numerous areas which innately just feel safe to live, work and go to school in, it seems that if one were going to travel to a yellow-fever-ridden area, for example, one would fully vaccinate ahead of time. And so, in the interest of good governance, does risk not by its very definition require the same proactive approach?

Undergirding principle 1: Accept that risk cannot be retrospective

The first step in being asked to undertake a risk consultation often involves needing to encourage a changed ‘mindset’ on the part of the client’s senior decision-making team. Facilitating this shift may fall to me as the consultant, but frequently I am only echoing the sentiments of an already frustrated risk or security manager, trying to secure critical spend.

No property can embark on a security journey before all senior decision-makers have come to terms with the fact that what is to be discussed is that which might yet still happen – that we will be identifying potential incidents, to prevent or minimise potential impact.

This absolutely must be step one and is often the step that consultants spend significant facilitation time on.

Undergirding principle 2: Embrace ownership

Furthermore, the ultimate ‘responsibility’ for a risk determination and risk management cannot rest in the hands of the security service provider/s onsite, current or future. Responsibility must remain with those with the fiduciary duty to protect people and property.

Service providers can and should be held accountable to contracts and KPAs, and this can certainly be made more effective through the results of a risk determination process. Further, I am also a great believer in leaning on the specific expertise of these providers, by having their senior representatives contribute toward the risk determination process itself.

Yet, I cannot advocate that my end-user client place primary responsibility for the regular analysis of risk and/or the adjustment of security strategy, in the hands of any manufacturer, distributor, turnkey system integrator, guarding company, CCTV installer, remote monitoring service provider, or investigative, tactical or armed response team, all of which ultimately have a specific business interest in the property.

A risk, safety and security strategy is a serious practice. It is about good governance. Accountability is key.

Undergirding principle 3: Understand the intrinsic roles of these security industry role players

With apologies for a little bias here, it seems pertinent to note therefore that while most companies in today’s world are familiar with the benefits of using an independent consultant to assist in critical decision areas, within the security industry a slightly different approach prevails. In our field, pressure tends to be placed directly on these same provider/s within the value chain mentioned above, to provide consultative services which would ordinarily be the domain of an independent consultant.

This pressure often lands on sales staff, expert in specific products and chasing steep targets, now required to provide consultative services (as a value add) for which they simply do not have the necessary freedom, breadth of experience, or time.

These statements are made with no disrespect. Many of my friend-colleagues in the industry have skills in certain areas far, far better than my own. And, understandably, end-user clients under severe budgetary constraints must often extract as much value out of their on-site providers as is possible.

Yet savvy clients understand that one cannot be an unbiased expert in, or have the time for, everything. Thus, bringing in an independent consultant does not mean that they see their service providers as ineffective or unable. Rather, it means that they innately understand the individual contribution that each link in the value chain is best poised to make.

For risk consultants there is nothing more satisfying than to sit around a boardroom table with the right manufacturer/distributor team, a great integrator of manpower and technology, and the client decision-making team, all contributing together to address the results of a thorough risk determination. This is the ideal result of what we consultants do.

Lesley-Anne Kleyn.

Risk determination phase 1: Know what you (really) currently have in place and how effectively it (really) is working

In my opinion, the most important part of a risk determining exercise lies in first establishing – really establishing – what is currently in place. This part of the project will examine the manpower, processes, and technology currently on site, and within each of these important pillars, will consider the client’s CCTV network infrastructure, pay special attention to command and control of the site, examine access and egress, outer and inner perimeters, buildings, warehouses and retail outlets, deterrence, detection and response, the maintenance contract in place, and a host of other factors, both safety and security. These will all be evaluated against industry best practice principles.

This is not a good, yet general, survey of the property. This is an in-depth analysis, carefully and thoroughly documented.

It will include CCTV as-built surveys, technology designs, intrusion test results, process analyses, budgetary costings, and other relevant information. This will also be the springboard from which an RFQ is determined and tenders are adjudicated when the time comes.

Risk determination phase 2: Determine risk categories, likelihood, and potential impact

At risk of being repetitious, risk management is by its very definition the process of proactively identifying and then reducing the severity or seriousness of ‘potential’ danger.

Phase 2 is therefore the part of the project that gets me enthused. During this phase client senior decision-makers must participate in at least one facilitated session. Typically, a workshop is conducted with the decision-making team, the members of which will already have been presented with the vulnerabilities revealed during phase 1, all in the form of a heap of logical and precise written information with easy-to-skim summaries.

This information now on the table, we can turn our attention to risk. The macro-environment is examined, and crime is rated and categorised. Potential threat, the vulnerabilities revealed during phase 1, and the target attractiveness of various aspects of the property, give the team an indication of ‘likelihood’. Then potential ‘impact’ is examined in terms of financial impact, reputational damage, and so on. Likelihood multiplied by impact gives us quantifiable risk within each risk category.

Risk determination phase 3: Develop, re-evaluate, embed or adjust the three- to five-year risk, safety and security strategy

At this stage, the client decision-making team begins to get to grips with tangible, measurable information and unifies over discussions around a security strategy.

It was management consultant Peter Drucker who said that stated objectives can be compared to a compass bearing by which a ship navigates. He put it that a compass bearing is firm, whilst in actual navigation, the ship may veer off course for many miles. Without a compass bearing, he stated, a ship would neither find its port nor be able to estimate the time required to get to it.

So to journey with my client to this phase means that I have achieved my original objective of enabling my client to formulate (or in some cases, recalibrate) a clear, written strategy around which future decisions will be made.

The client team now knows exactly, in detail, what risk, safety and security measures are currently in place and how effectively these are working; is in agreement as to the specific risks which could impact this particular property in the future; has strategised accordingly in order to reduce these risks as far as possible; and now has a plan in place which the decision-making team can regularly revisit, regardless of changes to specific portfolio-carrying individuals.

The property can now be carefully and communicatively handed over to one of the many excellent manpower and/or equipment providers in the industry, which can pick up the baton and turn vision and decisions into an impenetrable reality.

Kleyn Consulting is an independent risk, safety and security consultancy with experience in a range of verticals. Based in the Western Cape Winelands, Lesley-Anne travels across South Africa. Contact her on +27 64 410 8563 or [email protected]
