2

What is Risk?

Rachel Derr

Abstract

In this chapter, you will learn that security in any system should be commensurate with its risks. However, the process of determining which security controls are appropriate and cost effective is often complex and sometimes subjective. One of the prime functions of security risk analysis is to put this process on a more objective basis. Risk management is a process used to implement security measures that reduce risks to a reasonable and acceptable level. Every organization should have some form of risk management in place to adequately protect its assets. Risk management studies the risks, vulnerabilities, and threats to every asset an organization holds, and it can be applied to all the hazards an organization could face. It is not used only for protection against human-made attacks; it also protects against naturally occurring events such as tornadoes, hurricanes, and other natural disasters.

Keywords

risk management; asset assessment; operational risk; business continuity; risk assessment; criticality; legal risk; access control; physical security; compliance; reputational risk

Introduction

Risk is the potential for an adverse outcome assessed as a function of threats, vulnerabilities, and consequences associated with an incident, event, or occurrence. “Risk management” is defined by the Department of Homeland Security (DHS) as the process by which society attempts to reduce risk “to an acceptable level at an acceptable cost.”[1]

Risk is uncertainty.

Understanding Physical Security Risk

To understand how to perform an enhanced threat and risk assessment, it is important to understand the different areas that make up the process. In this text, the process is broken down into four components:

- Risk

- Threat

- Vulnerability

- Consequence

Risk management is a process used to implement security measures that reduce risks to a reasonable and acceptable level. Every organization should have some form of risk management in place to adequately protect its assets. Risk management studies the risks, vulnerabilities, and threats to every asset an organization holds, and it can be applied to all the hazards an organization could face: not only human-made attacks but also naturally occurring events such as tornadoes, hurricanes, and other natural disasters. The aim is to bring risk down to an acceptable level at an affordable cost. Like everything else, risk management does not come free; an effective plan has a price, but by following the steps below you can keep that plan cost effective.

There are five main steps to risk management:

1. Asset assessment: Determine the value of the assets that require protection. An asset can be anything of value to the organization, including staff, information, hardware, and software. Identify the undesirable events that could affect each asset and their expected impact, then value and prioritize the assets by the consequence of their loss.

2. Assess threats: Identify threat categories and adversaries, assess the intent and the capabilities of each adversary, review the history of past incidents, and estimate the threat to each valued asset.

3. Assess vulnerabilities: Identify the vulnerabilities of each asset relative to the undesirable events, identify existing countermeasures and how effectively they mitigate those vulnerabilities, and estimate the degree to which each asset remains vulnerable to the related threat.

4. Assess risk: Estimate the degree of impact on each valued asset, the likelihood that a potential adversary will attack, and the likelihood that the attack will succeed; combine these to determine the risk, and prioritize the risks by asset value.

5. Determine countermeasure options: Identify all potential countermeasures, quantify each one’s benefit in terms of risk reduction and its cost, prioritize the options, and prepare a recommendation for the decision maker. The main goal of risk management is to prevent adversaries from exploiting the organization’s vital assets.

One formula that is used in risk management is as follows:

Risk = Threat × Vulnerability × Consequence (R = T × V × C)


Organizations need to decide whether they want to manage risk or take a risk-averse approach. A risk-averse approach always addresses the worst-case scenario; risk management allows you to prioritize and address the particular risks that could be detrimental to an operation.
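The five steps above and the R = T × V × C formula, carried through on a small asset register as an added example (Python, not code from the chapter). The 0–5 scoring scales, the asset names and scores, and the countermeasure costs are all assumptions of this example, constructed for illustration. It ranks assets by R (step 4) and then ranks countermeasure options by the risk reduction each buys per unit of cost (step 5); the record scored with vulnerability 0 shows the multiplicative property of the formula, that a threat with nothing to exploit contributes no risk.

```python
"""Worked R = T x V x C register (added example, not from the chapter).

Scales are an assumption of this example: threat (T), vulnerability (V)
and consequence (C) are each scored 0-5, so R ranges 0-125. Assets and
countermeasures below are constructed sample data, not real figures.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    threat: int          # T: adversary intent x capability, history of incidents
    vulnerability: int   # V: exploitable weakness left after existing countermeasures
    consequence: int     # C: impact on the organization if the asset is lost


@dataclass(frozen=True)
class Countermeasure:
    name: str
    asset: str                # which asset the control protects
    cost: float               # annualised cost (assumed currency units)
    vulnerability_after: int  # residual V once the control is in place


def risk(a: Asset) -> int:
    """R = T x V x C. Any zero factor gives zero risk: a threat with no
    vulnerability to exploit, or a vulnerability no adversary targets,
    contributes nothing to the score."""
    for v in (a.threat, a.vulnerability, a.consequence):
        if not 0 <= v <= 5:
            raise ValueError(f"{a.name}: scores must be 0-5, got {v}")
    return a.threat * a.vulnerability * a.consequence


def prioritize(assets):
    """Step 4: rank assets by risk, highest first; ties broken by consequence."""
    return sorted(assets, key=lambda a: (risk(a), a.consequence), reverse=True)


def evaluate(assets, countermeasures):
    """Step 5: (name, risk reduction, cost, reduction per unit cost) for each
    option, best value first. Reduction is R before minus R after the control
    lowers the asset's vulnerability score."""
    by_name = {a.name: a for a in assets}
    rows = []
    for cm in countermeasures:
        before = by_name[cm.asset]
        after = replace(before, vulnerability=cm.vulnerability_after)
        reduction = risk(before) - risk(after)
        ratio = reduction / cm.cost if cm.cost else float("inf")
        rows.append((cm.name, reduction, cm.cost, ratio))
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed sample register (assumed values).
ASSETS = [
    Asset("Server room", threat=4, vulnerability=3, consequence=5),
    Asset("Loading dock", threat=3, vulnerability=4, consequence=2),
    Asset("Archived paper records", threat=4, vulnerability=0, consequence=4),  # threat, but nothing to exploit
    Asset("Visitor lobby", threat=2, vulnerability=2, consequence=3),
]

COUNTERMEASURES = [
    Countermeasure("Badge-controlled door on server room", "Server room", cost=8_000, vulnerability_after=1),
    Countermeasure("CCTV + guard patrol at loading dock", "Loading dock", cost=20_000, vulnerability_after=2),
    Countermeasure("Visitor escort policy", "Visitor lobby", cost=1_000, vulnerability_after=1),
]

if __name__ == "__main__":
    for a in prioritize(ASSETS):
        print(f"{a.name:26} R = {a.threat}x{a.vulnerability}x{a.consequence} = {risk(a)}")
    for name, reduction, cost, ratio in evaluate(ASSETS, COUNTERMEASURES):
        print(f"{name:40} -{reduction:3} risk for {cost:>8,.0f} ({ratio * 1000:.2f} per 1,000)")
```

Run as a script it lists the assets with the server room first (R = 60) and the archived records last (R = 0 despite a threat score of 4), then shows that the cheap escort policy buys more risk reduction per unit of cost than the badge door, even though the badge door removes far more absolute risk. Either ordering can be the right basis for a recommendation; the point of step 5 is that both the reduction and its cost are on the table.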

Earlier in the book, we discussed what risk is. Here we look at what goes into it: the elements whose combination equals risk.

Risk has many interpretations and the term is often used to describe dangers or threats to a particular person, environment, or business. The following is just one definition:

Understanding risk includes understanding its different elements and how they fit together. For example, considerations from a business perspective may include:

- What are the different types of threats to the organization?

- What are the organization’s assets that need protecting from those threats?

- How vulnerable is the organization to the different threats?

- What is the likelihood that a threat will be realized?

- What would be the impact if a threat were realized?

- How can the organization reduce the likelihood of a threat being realized, or reduce the impact if it does occur?

Asset: People, property, and information. People may include employees and customers along with other invited persons such as contractors or guests. Property assets consist of both tangible and intangible items that can be assigned a value. Intangible assets include reputation and proprietary information. Information may include databases, software code, critical company records, and many other intangible items.
An asset is what we’re trying to protect.

Threat: Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset.
A threat is what we’re trying to protect against.

Vulnerability: A weakness or gap in a security program that can be exploited by a threat to gain unauthorized access to an asset.
A vulnerability is a weakness or gap in our protection efforts.

Risk: The potential for loss, damage, or destruction of an asset as a result of a threat exploiting a vulnerability.
Risk is the intersection of assets, threats, and vulnerabilities.

Why is it important to understand the difference between these terms? If you don’t understand the difference, you’ll never understand the true risk to assets. When conducting a risk assessment, the formula used to determine risk is a function of threats exploiting vulnerabilities to obtain, damage, or destroy assets. Thus, threats (actual, conceptual, or inherent) may exist, but if there are no vulnerabilities, then there is little or no risk. Similarly, you can have a vulnerability, but if you have no threat, then you have little or no risk.

Accurately assessing threats and identifying vulnerabilities are critical to understanding the risk to assets. Understanding the difference among threats, vulnerabilities, and risk is the first step.

A security threat assessment is a systematic review or analysis conducted by professional security consultants to examine the effectiveness of current security practices. The assessment identifies security deficiencies and includes a review of all security measures presently in place to determine their effectiveness and functionality as well as their usefulness to the overall security effort. After the assessment is completed, recommendations are made to correct deficiencies, mitigate security risks, and protect the organization’s assets. Ideally, these recommendations become the road map that businesses can use to develop security plans as a part of their business plans.

Today’s business world is constantly changing—it’s unpredictable and volatile and seems to become more complex every day. By its very nature, it is fraught with risk.

Historically, businesses have viewed risk as a necessary evil that should be minimized or mitigated whenever possible. In recent years, increased regulatory requirements have forced businesses to expend significant resources to address risk, and shareholders in turn have begun to scrutinize whether businesses had the right controls in place. The increased demand for transparency around risk has not always been met or met in a timely manner, however, as evidenced by the financial market crisis in which the poor quality of underlying assets significantly impacted the value of investments. In the current global economic environment, identifying, managing, and exploiting risk across an organization has become increasingly important to the success and longevity of any business.

Risk assessment provides a mechanism for identifying which risks represent opportunities and which represent potential pitfalls. Done right, a risk assessment gives organizations a clear view of variables to which they may be exposed, whether internal or external, retrospective or forward looking. A good assessment is anchored in the organization’s defined risk appetite and tolerance and provides a basis for determining risk responses. A robust risk assessment process, applied consistently throughout the organization, empowers management to better identify, evaluate, and exploit the right risks for their business, all while maintaining the appropriate controls to ensure effective and efficient operations and regulatory compliance.

For risk assessments to yield meaningful results, certain key principles must be considered. A risk assessment should begin and end with specific business objectives that are anchored in key value drivers. These objectives provide the basis for measuring the impact and probability of risk ratings. Governance over the assessment process should be clearly established to foster a holistic approach and a portfolio view—one that best facilitates responses based on risk ratings and the organization’s overall risk appetite and tolerance. Finally, capturing leading indicators enhances the ability to anticipate possible risks and opportunities before they materialize. With these foundational principles in mind, the risk assessment process can be periodically refreshed to deliver the best possible insights.

Organizations that vigorously interpret the results of their risk assessment process set a foundation for establishing an effective enterprise risk management program and are better positioned to capitalize on opportunities as they arise. In the long run, this capability will help steer a business toward measurable, lasting success in today’s ever-changing business environment.

Risk Management

Risk management is the identification, assessment, and prioritization of risks (defined in International Organization for Standardization [ISO] 31000 as the effect of uncertainty on objectives) followed by the coordinated and economical application of resources to minimize, monitor, and control the probability and impact of unfortunate events.[2] Several risk management standards have been developed by bodies including the Project Management Institute, the National Institute of Standards and Technology, actuarial societies, and ISO.

Security professionals must remember that risk can be minimized but never eliminated. Risk assessment is a systematic approach with multiple levels, and the process can be quantified at least in part. An organization must consider the possibility of an individual trying to harm an asset or another individual, and how the organization will mitigate the consequences of such an attack.

More than a decade after the attacks on the World Trade Center, facility executives find themselves increasingly focused on the well-being of tenants and employees when assessing physical risks and weaknesses. This attention to real-world concerns requires a comprehensive planning approach. Today, security safeguards generally fall into one of three categories: physical security, information security, and operational security.

Risk is the uncertainty that surrounds events and their outcomes: events that may (or may not) take place in the future, and the still-unknown outcomes of events that have already occurred.

Risk management, in regard to physical security, affects our ability to properly apply and maintain an efficient security plan; even more so, it shapes the protection plan that is built on the risk assessment completed for the organization.

It is important for organizations to remember to allocate material and funding to protect their most critical assets, whether those are the organizational infrastructure or the personnel.

To prioritize threats, an organization must assess the risks that the company faces and manage those risks by putting their resources to work in the most effective way.

Just as the DHS does not have unlimited resources to protect the nation’s critical infrastructure, neither do organizations, whether they are in the public or private sector. As a result, hard choices have to be made on how resources need to be allocated; this is usually done by using a risk management process that measures risk and can clearly show organizations how they need to spend their money and plan accordingly.

Regardless of anyone’s political beliefs, Americans want to prevent another terrorist attack from occurring in the United States, and organizations want to protect their assets. In the face of increasingly diffuse threats and adversaries asymmetrically pursuing vulnerable targets, the question is how can we best prevent such attacks?

When an organization prepares to complete a risk assessment and to properly address the risks that are “possible,” the following questions must be included:

- What is the risk (or threat)?

- What are we trying to protect?

- What is the criticality?

- What or who are the potential actors?

- What are their intentions?

- What are their relevant capabilities?

- What are the organization’s fragilities?

- What are the options to eliminate, or at least alleviate, those weaknesses?

For the purposes of this book, we will define risk management as the identification and management of opportunities and threats.

A fundamental aspect of any organization is that all activities involve risk. Gains can only be realized when risks are taken. Risk management enables organizations to determine the level of risk that will provide the maximum overall gains.

When properly applied, risk management techniques have the potential to increase an organization’s profits over a period by minimizing losses. They allow clear decisions to be made about what level of risk is acceptable and what strategies are most appropriate for dealing with risks. A further benefit of properly applied risk management techniques is that organizations can obtain a significant competitive advantage by minimizing their risk management costs and identifying the real costs and gains of their activities.

Operational Risk

Operational risk deals with the day-to-day risks faced by an organization in areas such as:

- Personnel risk

- Property risk

- Technology risk

- Legal risk

- Regulatory risk

- Reputation risk

Personnel risk deals with the risks that affect the safety or stability of personnel within an organization. The risks associated with the safety of personnel include areas such as workplace accidents. These are generally managed through occupational health and safety management.

Another personnel risk concerns the value that personnel contribute to an organization and the investment the organization has made in them. That value includes the experience and training they have gained, the criticality of their position in the organization, and the cost of replacing them if they leave for any reason.

Property risk generally deals with the fixed assets of an organization and the risks of the value of these assets being diminished. Property risk management works closely in areas such as security and fire management, which deal with direct threats to these assets.

Technology risk, which is often included in property risk, looks at the technology that an organization has and the risks of it being unable to carry out the function for which it was designed. It may include areas such as equipment failures and technology becoming outdated.

Legal risk covers areas such as the legality of contracts and the risks of litigation. This is often a large area for organizations to manage because it is concerned with all contracts such as purchase orders, employment contracts, and major contract agreements.

Regulatory risk deals with the rules that an organization must legally follow during normal operations. It includes areas such as company reports and financial accounting standards. These risks are generally straightforward to manage but may present very high risk if they are incorrectly managed.

Reputation risk is an area that can be very difficult to quantify. The value of an organization is often largely dependent on the value of its goodwill. The goodwill itself is dependent on the organization’s reputation. This area of risk is one that may be very easily damaged through adverse publicity or the efforts of competitors. When attempting to quantify this risk, it is often useful to start by looking at the cost of promotion that would be necessary to recover from a loss in this area.

Many areas contribute to these risks. These are addressed in this book according to traditional areas of responsibility within an organizational structure. These areas include:

- Security

- Fire

- Occupational health and safety

- Environmental issues

- Technology failures

- Natural disasters

- Industrial relations

- Litigation

- Legislative compliance

- Business activities

- Payment and processing systems

Security is an area that directly affects the risk areas of personnel, property, and technology. To a lesser extent, it also can include the areas of legal and reputation risk. For example, security may be relevant to personnel in the areas of assault and robbery. It also affects property and technology in the areas of theft and malicious damage. Legal and reputation risks may be affected by security in the area of protecting confidential information.

According to Walker (2001), environmental, health, and safety directly affect personnel, legal, regulatory, and reputation risks. This is also an area where risk management of these areas can provide increases in an organization’s gains. When effective environmental, health, and safety programs are put in place, opportunities also exist to increase staff morale and productivity. An organization’s reputation may also be enhanced through these programs.

Technology failures affect personnel and technology risk. Personnel are affected when technology is linked to staff health and safety. For example, the failure of a piece of technology may cause industrial accidents or fires. Technology risk is affected if the failure leads to a loss of production.

Natural disasters can directly affect personnel, property, technology, and reputation. When a natural disaster such as a flood or earthquake occurs, the effect on these areas may be enough to put an organization out of operation. Natural disasters may not be able to be accurately predicted, but organizations can take steps to minimize their exposure to them and manage the consequences if they do occur.

Industrial relations are an area of risk that affects personnel and reputation. Industrial relations are often concerned with maintaining low staff costs. However, a risk management approach also takes into account other costs and benefits. The cost of staff replacement through resignations is one of the areas that risk management can address. Whenever a person in an organization is replaced, there are significant costs associated with recruitment and training of new staff. There are also costs associated with low staff productivity caused by low morale or lack of experience. Good industrial relations minimize these risks and can provide an organization with a competitive edge through low staff replacement costs and highly experienced staff.

Litigation or legal risk is an area where an organization can benefit from a risk management approach. When faced with a legal claim, executive management needs to decide if it is going to defend the claim or negotiate a settlement. Risk management tools can assist in this decision-making process.[3]

Legislative compliance is an area where organizations need to continuously monitor changes to minimize their exposure to losses. Legislation is an area that constantly changes, and it is possible for an organization to have procedures and contracts in place that are out of date. For example, health and safety legislation may change and impose new standards of managing workplace risks. If the new standards are not implemented in an organization and a workplace accident occurs, then significant penalties may be imposed on the organization and its management. Legislation may also change in more complex areas such as the requirements of business loans. Failure to comply with new legislation in this area may result in debtors not having to repay interest on loans. Naturally, this is an area of significant interest to financial institutions.

Day-to-day business activities have risks in areas such as contracts and the estimation of time and material costs. Risk management of these areas has the potential to make significant improvements in an organization’s profitability. If, for example, an organization is experiencing continual losses in a particular area, it may be partly attributable to inappropriate management of the risks. By applying risk management techniques, it may be possible for an organization to define what activities or projects it should participate in, which ones it should outsource, and which ones it should avoid altogether.

Finally, payment and processing system errors contribute to losses and are also an area of interest to operational risk.

Although we have discussed operational risk in the context of a number of classifications, it is important to remember that they are all interconnected. If the risks are treated in isolation, then conflicts and inefficiencies may arise. This is often seen in the areas of security and fire, for example. Whereas the needs of security may be for locked doors, fire safety may require the doors to be left unlocked. By taking an overall operational risk management perspective, these risks can be prioritized and treated accordingly. An overall perspective can also provide opportunities for treating a number of risks in a single manner. A particular area of an organization may have significant security risks associated with poor industrial relations. Instead of investing in costly security measures, an outsource strategy may address both risks at once and provide higher benefits at lower cost.

Treating risks with an overall operational risk perspective also allows organizations to maximize the effectiveness of their current resources. When developing risk management strategies, the human, technological, and physical resources of the organization may be applied. An overall perspective allows the most appropriate resources to be used in the most appropriate manner. This is an area where significant cost savings in managing risks may be available.

Operational risk management is an area where organizations have the opportunity of turning losses into profits. It provides the tools needed to do this.

A major challenge in operational risk is the quantification of the value at risk. The historical data necessary for quantifying the value at risk are far more fragmented in operational risk than in the areas of market or credit risk. As a result, operational risks are often measured in terms of high- or low-risk priority ratings. However, the data necessary for making quantitative operational risk measurements are available in most cases but require significant research to collate and evaluate.

When we examine the entire operational risk of an organization, it is necessary to also look at the areas of credit, market, and strategic risk. Although this book deals with operational issues, all risks facing an organization are interrelated. It is important to remember that the different categories of risk are only management definitions that enable effective application of staff skills within an organizational structure. For example, a major operational project such as a building construction or a technology implementation will come across issues of finance (including credit risk); the stability of the financier (market risk issues); strategic risk; and, of course, the operational risk issues associated with contracts and costs.

The areas of risk management are often isolated functions within large organizations, both structurally and strategically. It may be argued that to achieve the full benefits from risk management techniques, these areas be combined within an organization’s structure.

Legal Risk (Information Security)

Outside of the individual state laws and industry-specific laws and regulations, there are a number of different physical security laws and regulations that organizational management and security professionals need to keep in mind when they are completing assessments.

Although this book does not focus on information security, protecting an organization’s network, one of its key assets, is beneficial for the survival of a company both in preventing incidents and in responding to them. ISO 17799 and BS 7799 are information security management standards that give an organization a structured set of controls to measure itself against; they are not themselves legal requirements, but following them helps demonstrate due care toward the federal laws and regulations an organization is subject to. Both have since been renumbered into the ISO/IEC 27000 series (ISO 17799 became ISO/IEC 27002, and the BS 7799 management-system requirements became ISO/IEC 27001), but the control areas described below carry over.

ISO 17799 and BS 7799: The Key Components of the Standard

BS 7799 specifies requirements for establishing, implementing, and documenting an information security management system. Its code of practice, published internationally as ISO 17799, is organized into 10 domains that address the key areas of information security management.[4]

Information Security Policy for the Organization

This activity involves a thorough understanding of the organization’s business goals and its dependence on information security. This entire exercise begins with creation of an information technology (IT) security policy. This is an extremely important task and should convey total commitment of top management. The policy cannot be a theoretical exercise. It should reflect the needs of the actual users. It should be implementable and easy to understand and must balance the level of protection with productivity. The policy should cover all of the important areas such as personnel, physical, procedural, and technical.

Creation of Information Security Infrastructure

A management framework needs to be established to initiate, implement, and control information security within the organization. This needs proper procedures for approval of the information security policy, assigning of the security roles, and coordination of security across the organization.

Asset Classification and Control

One of the most labor-intensive but essential tasks in asset classification is maintaining an inventory of all IT assets. These assets may include information assets, software assets, physical assets, and supporting services. Each asset needs to be classified to indicate the degree of protection it requires. The classification should categorize the asset as sensitive or critical (or neither) and should determine the procedures appropriate for copying, storing, transmitting, and destroying the information asset.

Personnel Security

Human errors, negligence, and greed are responsible for most thefts, frauds, and misuse of facilities. Various proactive measures that should be taken are to establish personnel screening policies, confidentiality agreements, terms and conditions of employment, and information security education and training. Alert and well-trained employees who are aware of what to look for can prevent security breaches.

Physical and Environmental Security

Designing a secure physical environment to prevent unauthorized access to, damage to, and interference with business premises and information is usually the starting point of any security plan. This involves defining a physical security perimeter; controlling physical entry; creating secure offices, rooms, and facilities; providing physical access controls; providing protection devices to minimize risks ranging from fire to electromagnetic radiation; and providing adequate protection to power supplies and data cables. Cost-effective design and constant monitoring are two key aspects of maintaining adequate physical security control.

Communications and Operations Management

Properly documented procedures for the management and operation of all information processing facilities should be established. This includes detailed operating instructions and incident response procedures.

Network management requires a range of controls to achieve and maintain security in computer networks. This also includes establishing procedures for remote equipment, including equipment in user areas. Special controls should be established to safeguard the confidentiality and integrity of data passing over public networks. Special controls may also be required to maintain the availability of the network services.

Exchange of information and software between external organizations should be controlled and should be compliant with any relevant legislation. There should be proper information and software exchange agreements; the media in transit need to be secure and should not be vulnerable to unauthorized access, misuse, or corruption.

Electronic commerce involves electronic data interchange, electronic mail, and online transactions across public networks such as the Internet. Electronic commerce is vulnerable to a number of network threats that may result in fraudulent activity, contract disputes, and disclosure or modification of information. Controls should be applied to protect electronic commerce from such threats.

Access Control

Access to information and business processes should be controlled according to the organization’s operations and security requirements. The areas of focus may include:

- Defining access control policy and rules

- User access management
  - User registration
  - Privilege management
  - User password use and management
  - Review of user access rights

- Network access controls
  - Enforcing the path from the user terminal to the computer
  - User authentication
  - Node authentication
  - Segregation of networks
  - Network connection control
  - Network routing control

- Operating system access control
  - User identification and authentication
  - Use of system utilities

- Application access control

- Monitoring system access and use

- Ensuring information security when using mobile computing and teleworking facilities

System Development and Maintenance

Security should ideally be built at the time of inception of a system. Hence, security requirements should be identified and agreed on before the development of information systems. This begins with security requirements analysis and specification and providing controls at every stage (i.e., data input, data processing, data storage, and retrieval and data output). It may be necessary to build applications with cryptographic controls. There should be a defined policy on the use of such controls, which may involve encryption, digital signatures, use of digital certificates, protection of cryptographic keys, and standards to be used for cryptography.

A strict change control procedure should be in place so that changes can be tracked. Any changes to operating systems or software packages should be strictly controlled. Special precautions must be taken to ensure that no covert channels, back doors, or Trojans are left in the application system for later exploitation.

Business Continuity Management

A business continuity management process should be designed, implemented, and periodically tested to reduce the disruption caused by disasters and security failures. This begins by identifying all events that could cause interruptions to business processes and, depending on the risk assessment, preparation of a strategy plan. The plan needs to be periodically tested, maintained, and reassessed based on changing circumstances.

Compliance

It is essential that strict adherence is observed to the provision of national and international IT laws pertaining to intellectual property rights, software copyrights, safeguarding of organizational records, data protection and privacy of personal information, prevention of misuse of information processing facilities, regulation of cryptographic controls, and collection of evidence.

Reputational Risk

How much is your reputation worth? How much should a company spend to protect its reputation? The threat to a company’s good name can happen to any organization no matter how big or small. Reputational risk can be caused by the company itself as a result of the employees or investors or by a product produced by the company. It is important that the organization follows best practices and is socially and environmentally conscious to protect its reputation.

Managing Reputational Risk

Reputation risk is the current and prospective impact on earnings and enterprise value arising from negative stakeholder opinion. According to Koenig (2012), it is “the loss of the value of a brand or the ability of an organization to persuade.”[5]


[1] Schanzer and Eyerman, 2010.

[2] Hubbard, 2009.

[3] Walker, 2001.

[4] Mukund, n.d.

[5] Koenig, 2012.
