Determining and mitigating risk: Where to begin?

November 2019 Editor's Choice

In a country where serious crime such as robbery with aggravating circumstances, assault with intent to cause grievous bodily harm, and attempted murder, has increased significantly again, it is disconcerting to be aware of the sheer number of properties in South Africa which do not undertake regular risk determinations for the purpose of the development of, or continual re-calibration of, the specified security strategy.

Security spend is often limited, or allocated elsewhere, as a result of the fact that people and assets have not yet experienced a significant incident.

Yet risk itself is defined as having little to no protection from something ‘potentially’ harmful. It follows that managing risk means proactively reducing the severity or seriousness of that which has not ‘yet’ occurred.

While it is encouraging to hear that this beautiful country of ours still boasts numerous areas which innately just feel safe to live in, work and go to school, it seems that if one were going to travel to a yellow-fever ridden area, for example, one would fully vaccinate ahead of time? And so, in the interest of good governance, does risk not by its very definition require the same proactive approach?

Undergirding principle 1: Accept that risk cannot be retrospective

The first step in being asked to undertake a risk consultation often involves needing to encourage a changed ‘mindset’ on the part of the client’s senior decision-making team. Facilitating this shift may fall to me as the consultant, but frequently I am only echoing the sentiments of an already frustrated risk or security manager, trying to secure critical spend.

No property can embark on a security journey before all senior decision-makers have come to terms with the fact that what is to be discussed, will be that which might yet still happen – that we will be identifying potential incident, to prevent or minimise potential impact.

This absolutely must be step one and is often the step that consultants spend significant facilitation time on.

Undergirding principle 2: Embrace ownership

Furthermore, the ultimate ‘responsibility’ for a risk determination and risk management cannot rest in the hands of the security service provider/s onsite, current or future. Responsibility must remain with those with the fiduciary duty to protect people and property.

Service providers can and should be held accountable to contracts and KPAs, and this can certainly be made more effective through the results of a risk determination process. Further, I am also a great believer in leaning on the specific expertise of these providers, by having their senior representatives contribute toward the risk determination process itself.

Yet, I cannot advocate that my end-user client place primary responsibility for the regular analysis of risk and/or the adjustment of security strategy, in the hands of any manufacturer, distributor, turnkey system integrator, guarding company, CCTV installer, remote monitoring service provider, or investigative, tactical or armed response team, all of which ultimately have a specific business interest in the property.

A risk, safety and security strategy is a serious practice. It is about good governance. Accountability is key.

Undergirding principle 3: Understand the intrinsic roles of these security industry role players

With apologies for a little bias here, it seems pertinent to note therefore that while most companies in today’s world are familiar with the benefits of using an independent consultant to assist in critical decision areas, within the security industry a slightly different approach prevails. In our field, pressure tends to be placed directly on these same provider/s within the value chain mentioned above, to provide consultative services which would ordinarily be the domain of an independent consultant.

This pressure often lands on sales staff, expert in specific products and chasing steep targets, now required to provide consultative services (as a value add) for which they simply do not have the necessary freedom, breadth of experience, or time.

These statements are made with no disrespect. Many of my friend-colleagues in the industry have skills in certain areas far, far better than my own. And, understandably, end-user clients under severe budgetary constraints must often extract as much value out of their on-site providers as is possible.

Yet savvy clients understand that one cannot be an unbiased expert in, or have the time for, everything. Thus, bringing in an independent consultant does not mean that they see their service providers as ineffective or unable. Rather, it means that they innately understand the individual contribution that each link in the value chain is best poised to make.

For risk consultants there is nothing more satisfying than to sit around a boardroom table with the right manufacturer/distributor team, a great integrator of manpower and technology, and the client decision-making team, all contributing together to address the results of a thorough risk determination. This is the ideal result of what we consultants do.

Lesley-Anne Kleyn.

Risk determination phase 1: Know what you (really) currently have in place and how effectively it (really) is working

In my opinion, the most important part of a risk determining exercise lies in first establishing – really establishing – what is currently in place. This part of the project will examine the manpower, processes, and technology currently on site, and within each of these important pillars, will consider the client’s CCTV network infrastructure, pay special attention to command and control of the site, examine access and egress, outer and inner perimeters, buildings, warehouses and retail outlets, deterrence, detection and response, the maintenance contract in place, and a host of other factors, both safety and security. These will all be evaluated against industry best practice principles.

This is not a good, yet general, survey of the property. This is an in-depth analysis, carefully and thoroughly documented.

It will include CCTV as-built surveys, technology designs, intrusion test results, processes analyses, budgetary costings, and other relevant information. This will also be the springboard from which an RFQ is determined and tenders are adjudicated when the time comes.

Risk determination phase 2: Determine risk categories, likelihood, and potential impact

At risk of being repetitious, risk management is by its very definition the process of proactively identifying and then reducing the severity or seriousness of ‘potential’ danger.

Phase 2 is therefore the part of the project that gets me enthused. During this phase client senior decision-makers must participate in at least one facilitated session. Typically, a workshop is conducted with the decision-making team, the members of which will already have been presented with where the vulnerabilities have been revealed during phase 1, all in the form of a heap of logical and precise written information with easy-to-skim summaries.

This information now on the table, we can turn our attention to risk. The macro-environment is examined, and crime is rated and categorised. Potential threat, the vulnerabilities revealed during phase 1, and the target attractiveness of various aspects of the property, give the team an indication of ‘likelihood’. Then potential ‘impact’ is examined in terms of financial impact, reputational damage, and so on. Likelihood multiplied by impact gives us quantifiable risk within each risk category.

Risk determination phase 3: Develop, re-evaluate, embed or adjust the three- to five-year risk, safety and security strategy

At this stage, the client decision-making team begins to get to grips with tangible, measurable information and unifies over discussions around a security strategy.

It was a management consultant Peter Drucker who said that stated objectives can be compared to a compass bearing by which a ship navigates. He put it that a compass bearing is firm, whilst in actual navigation, the ship may veer off course for many miles. Without a compass bearing, he stated, a ship would neither find its port nor be able to estimate the time required to get to it.

So to journey with my client to this phase means that I have achieved my original objective of enabling my client to formulate (or in some cases, recalibrate) a clear, written strategy around which future decisions will be made.

The client team now knows exactly, in detail, what risk, safety and security measures are currently in place, as well as how effectively these are working, is in agreement as to the specific risks which could impact this particular property in the future, has strategised accordingly in order to reduce these risks as far as possible, and now has a plan in place which can be regularly revisited, regardless of changes to specific portfolio-carrying individuals, as a decision-making team.

The property can now be carefully and communicatively handed over to one of the many excellent manpower and/or equipment providers in the industry, which can pick up the baton and turn vision and decisions into an impenetrable reality.

Kleyn Consulting is an independent risk, safety and security consultancy with experience in a range of verticals. Based in the Western Cape Winelands, Lesley-Anne travels across South Africa. Contact her on +27 64 410 8563 or

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Axis gives a brighter future for children
Issue 1 2020, Axis Communications SA , Editor's Choice
Fully networked camera solution provides visibility and accountability, letting orphanage focus on what’s important – its children.

SFP Security & Fire becomes ISF SFP
Issue 1 2020, ISF SFP , Editor's Choice
SFP Security & Fire was sold to ISF in 2019, becoming ISF SFP and attaining Level-1 BEE status.

Janu-worry or Twenty-Plenty?
Issue 1 2020 , Editor's Choice
If the available security spend right now is somewhere between limited and non-existent, here are just a few suggestions.

CCTV surveillance needs are critical in defining types of camera deployment
Issue 1 2020, Leaderware , Editor's Choice
Cameras by themselves do not reduce crime; they need to be implemented as part of a considered strategy of crime prevention and detection.

Trends 2020
Issue 1 2020, Technews Publishing , Editor's Choice
Hi-Tech Security Solutions asked a few people from diverse companies to join us in a round-table discussion about what they expect to see happening in their environments in the coming year.

Seven key trends for 2020
Issue 1 2020, Hikvision South Africa , Editor's Choice
Hikvision looks at a few trends that will affect the security industry in 2020 and beyond.

Hundreds of millions to reskill
Issue 1 2020 , Editor's Choice
By 2022 alone, 75 million jobs will probably be displaced across 20 major economies, while 133 million new ones will spring up in industries that are only just gaining traction.

Slow and steady wins the access race
Issue 1 2020, ZKTeco, Technews Publishing , Editor's Choice, Commercial (Industry)
The commercial sector is slow in migrating to new access control technologies, with the majority of companies remaining with card and fingerprint solutions.

Client property access integrity
Issue 1 2020 , Editor's Choice
Blind or unquestioned trust is something that we all seem to willingly and unconditionally give our security service providers and their reaction officers.

2020 Residential Estate Security Conference in KZN
November 2019, Technews Publishing , Editor's Choice
Meeting the residential security challenges in 2020 and beyond: Hi-Tech Security Solutions will host the Residential Estate Security Conference 2020 in Durban on 12 March 2020.