Determining and mitigating risk: Where to begin?

November 2019 Editor's Choice

In a country where serious crime, such as robbery with aggravating circumstances, assault with intent to cause grievous bodily harm, and attempted murder, has increased significantly again, it is disconcerting to be aware of the sheer number of properties in South Africa which do not undertake regular risk determinations for the purpose of developing, or continually re-calibrating, the specified security strategy.

Security spend is often limited, or allocated elsewhere, as a result of the fact that people and assets have not yet experienced a significant incident.

Yet risk itself is defined as having little to no protection from something ‘potentially’ harmful. It follows that managing risk means proactively reducing the severity or seriousness of that which has not ‘yet’ occurred.

While it is encouraging to hear that this beautiful country of ours still boasts numerous areas which innately just feel safe to live, work and go to school in, it seems that if one were going to travel to a yellow-fever-ridden area, for example, one would fully vaccinate ahead of time. And so, in the interest of good governance, does risk not by its very definition require the same proactive approach?

Undergirding principle 1: Accept that risk cannot be retrospective

The first step in being asked to undertake a risk consultation often involves needing to encourage a changed ‘mindset’ on the part of the client’s senior decision-making team. Facilitating this shift may fall to me as the consultant, but frequently I am only echoing the sentiments of an already frustrated risk or security manager, trying to secure critical spend.

No property can embark on a security journey before all senior decision-makers have come to terms with the fact that what is to be discussed will be that which might yet still happen – that we will be identifying potential incidents, to prevent or minimise potential impact.

This absolutely must be step one and is often the step that consultants spend significant facilitation time on.

Undergirding principle 2: Embrace ownership

Furthermore, the ultimate ‘responsibility’ for a risk determination and risk management cannot rest in the hands of the security service provider/s onsite, current or future. Responsibility must remain with those with the fiduciary duty to protect people and property.

Service providers can and should be held accountable to contracts and KPAs, and this can certainly be made more effective through the results of a risk determination process. Further, I am also a great believer in leaning on the specific expertise of these providers, by having their senior representatives contribute toward the risk determination process itself.

Yet, I cannot advocate that my end-user client place primary responsibility for the regular analysis of risk and/or the adjustment of security strategy, in the hands of any manufacturer, distributor, turnkey system integrator, guarding company, CCTV installer, remote monitoring service provider, or investigative, tactical or armed response team, all of which ultimately have a specific business interest in the property.

A risk, safety and security strategy is a serious practice. It is about good governance. Accountability is key.

Undergirding principle 3: Understand the intrinsic roles of these security industry role players

With apologies for a little bias here, it seems pertinent to note therefore that while most companies in today’s world are familiar with the benefits of using an independent consultant to assist in critical decision areas, within the security industry a slightly different approach prevails. In our field, pressure tends to be placed directly on these same provider/s within the value chain mentioned above, to provide consultative services which would ordinarily be the domain of an independent consultant.

This pressure often lands on sales staff, expert in specific products and chasing steep targets, now required to provide consultative services (as a value add) for which they simply do not have the necessary freedom, breadth of experience, or time.

These statements are made with no disrespect. Many of my friend-colleagues in the industry have skills in certain areas far, far better than my own. And, understandably, end-user clients under severe budgetary constraints must often extract as much value out of their on-site providers as is possible.

Yet savvy clients understand that one cannot be an unbiased expert in, or have the time for, everything. Thus, bringing in an independent consultant does not mean that they see their service providers as ineffective or unable. Rather, it means that they innately understand the individual contribution that each link in the value chain is best poised to make.

For risk consultants there is nothing more satisfying than to sit around a boardroom table with the right manufacturer/distributor team, a great integrator of manpower and technology, and the client decision-making team, all contributing together to address the results of a thorough risk determination. This is the ideal result of what we consultants do.

Lesley-Anne Kleyn.

Risk determination phase 1: Know what you (really) currently have in place and how effectively it (really) is working

In my opinion, the most important part of a risk determining exercise lies in first establishing – really establishing – what is currently in place. This part of the project will examine the manpower, processes, and technology currently on site, and within each of these important pillars, will consider the client’s CCTV network infrastructure, pay special attention to command and control of the site, examine access and egress, outer and inner perimeters, buildings, warehouses and retail outlets, deterrence, detection and response, the maintenance contract in place, and a host of other factors, both safety and security. These will all be evaluated against industry best practice principles.

This is not a good, yet general, survey of the property. This is an in-depth analysis, carefully and thoroughly documented.

It will include CCTV as-built surveys, technology designs, intrusion test results, process analyses, budgetary costings, and other relevant information. This will also be the springboard from which an RFQ is determined and tenders are adjudicated when the time comes.

Risk determination phase 2: Determine risk categories, likelihood, and potential impact

At risk of being repetitious, risk management is by its very definition the process of proactively identifying and then reducing the severity or seriousness of ‘potential’ danger.

Phase 2 is therefore the part of the project that gets me enthused. During this phase client senior decision-makers must participate in at least one facilitated session. Typically, a workshop is conducted with the decision-making team, the members of which will already have been shown where vulnerabilities were revealed during phase 1, all in the form of a heap of logical and precise written information with easy-to-skim summaries.

This information now on the table, we can turn our attention to risk. The macro-environment is examined, and crime is rated and categorised. Potential threat, the vulnerabilities revealed during phase 1, and the target attractiveness of various aspects of the property, give the team an indication of ‘likelihood’. Then potential ‘impact’ is examined in terms of financial impact, reputational damage, and so on. Likelihood multiplied by impact gives us quantifiable risk within each risk category.

Risk determination phase 3: Develop, re-evaluate, embed or adjust the three- to five-year risk, safety and security strategy

At this stage, the client decision-making team begins to get to grips with tangible, measurable information and unifies over discussions around a security strategy.

It was management consultant Peter Drucker who said that stated objectives can be compared to a compass bearing by which a ship navigates. He put it that a compass bearing is firm, whilst in actual navigation, the ship may veer off course for many miles. Without a compass bearing, he stated, a ship would neither find its port nor be able to estimate the time required to get to it.

So to journey with my client to this phase means that I have achieved my original objective of enabling my client to formulate (or in some cases, recalibrate) a clear, written strategy around which future decisions will be made.

The client team now knows exactly, in detail, what risk, safety and security measures are currently in place, as well as how effectively these are working; is in agreement as to the specific risks which could impact this particular property in the future; has strategised accordingly in order to reduce these risks as far as possible; and now has a plan in place which can be regularly revisited as a decision-making team, regardless of changes to specific portfolio-carrying individuals.

The property can now be carefully and communicatively handed over to one of the many excellent manpower and/or equipment providers in the industry, which can pick up the baton and turn vision and decisions into an impenetrable reality.

Kleyn Consulting is an independent risk, safety and security consultancy with experience in a range of verticals. Based in the Western Cape Winelands, Lesley-Anne travels across South Africa. Contact her on +27 64 410 8563 or [email protected]
