Skip to main content

Breaking the Risk Chain

Finding the solution to break the Risk chain

For Risk Mitigation the “Risk chain” needs to be broken in a cost-effective way. Risk chain components are required to be mapped with different Security layers i.e., Infrastructure, Equipment, Application, Processes, and Manpower to determine the optimal Security solution. Once a company starts mapping Security layers against Risk chain components, it will likely be possible to identify several measures that can be enhanced. It is important to involve Security as early in the planning process as possible. The best time to involve Security is in design phase where the 'Infrastructure', link (+) of 'asset', 'vulnerability' and 'weakness' can be broken or at least weaken.

Examples include :
While designing factory layout, keep separation between core operational area(s) and areas where external vehicles/personnel are required to come.
While designing the building Security, keep the visitor lobby outside core areas.
While laying hydrocarbon pipelines along the road, construct drains between roads and pipelines and/or keep low risk pipelines near the road.
Ensure adequate Standoff distance.
Implement a “Green belt” (an area void of other building and people) away from perimeter as a security buffer.
Plan Gates to include a screening point, a denial/rejection lane, adequate illumination.

There may be other additional examples and all are best implemented during the initial designing stage using the concept known as Crime Prevention Through Environmental Design (CPTED). In addition to minimizing risk(s) using intelligent CPTED design may also help reduce manpower for Security enforcement. The majority the Security measures are implemented in breaking the link (+) between Adversary and Weakness i.e. Access Control wherein Adversary is kept away from the vulnerable assets, whereas this is not the most cost-effective way of not designed properly. As shown below a simple matrix can help identify the most cost-effective way to properly design physical and technical security interfaces.
 

Implementation of Security measures' (layers) dependents upon balancing three parameters –
  1. How much risk to mitigate? Or what is Organization’s Risk appetite? Please remember 100% Risk mitigation is not cost-effectively practical.
  2. How much cost can be allocated to Security? Implementing cost-effective Security helps meets Management expectations to spend as little as necessary to achieve an acceptable residual level of Risk.
  3. How much inconvenience to the user or customer is acceptable? How much will additional Security increase inconvenience?
Ideal Security provides an acceptable level of residual risk at lowest possible cost and minimum inconvenience to the users. The struggle for Security Manager is to find the optimum balance.
 
In next blog, each Security layer will be further examined and discussed in detail with implementation in isolation or in combination of multiple layers providing defense in depth.

Labels:
Location: India

Comments

  1. UnknownAugust 1, 2021 at 8:27 PM

    An insightful note on fundamentals of Risk Management. Looking forward for the next series.

    ReplyDelete
  2. UnknownAugust 1, 2021 at 8:39 PM

    Insightful... Looking forward to upcoming blogs

    ReplyDelete
  3. Tarun JAugust 1, 2021 at 8:40 PM

    Thanks for sharing knowledge indepth .. Looking forward for more blogs ..

    ReplyDelete
  4. Sandeep MoitraAugust 1, 2021 at 8:47 PM

    Yes very true ..from enterprise wide risk mitigation ...Very few organisations consult security SMEs before the planing stage and then do nudging with faults caling for many change management practices apart unwanted cost and delagacy challenges within ..... Sandeep Moitra .

    ReplyDelete
  5. UnknownAugust 1, 2021 at 8:50 PM

    Well elucidated Author. Thanks for sharing. Looking forward to the next Blog.
    Bhuv

    ReplyDelete
  6. Rakesh RudraAugust 1, 2021 at 9:31 PM

    Risk is inevitable, if organisations do not realise to include Security at Planning & Designing stage. Its high time when Engineers, Startegists, & Visionories also involve Security SMEs to get the best.

    ReplyDelete
  7. shivaAugust 1, 2021 at 10:11 PM

    Great blog.. nicely brought out the building blocks of Security. 👍

    ReplyDelete
  8. UnknownAugust 1, 2021 at 11:46 PM

    Valuable inputs, if the said planning if considered during initial stage of establishment of infrastructure, it will be well planned and safe in terms of security and safety aspect for any plant / organisation. Looking forward for the further blog.

    ReplyDelete
  9. UnknownAugust 2, 2021 at 8:13 AM

    Crisp & precise inputs,
    JSD

    ReplyDelete
  10. Rohit HoodaAugust 2, 2021 at 8:18 AM

    Knowledgeable blog

    ReplyDelete
  11. UnknownSeptember 24, 2021 at 5:31 PM

    Its really Helpful to have a greater vision in the part of Physical security

    ReplyDelete
  12. Rita DevMarch 8, 2022 at 5:02 PM

    Great blog and well written blog for this topic thanks for sharing this info I find this info very useful for myself in my PGDM course which I am pursuing in finance form distance learning center.

    ReplyDelete

Post a Comment

Popular posts from this blog

The Five Layers

There are five important layers in Security for risk mitigation (refer last Blogs on Risk Chain and Finding Solution to Break the Risk Chain). Implementation of these layers is generally in combination of each other. Correct balancing the implementation of layers at appropriate risk chain link and at right timings will result into Cost-effective and Optimum Security, which every management is looking for. But to have this achieved it is important to understand the components within these five layers. It is also important to note that while you are changing any layer, other layers will be affected. Therefore, change management is not one time activity, need to observe the impact in long term. The five layers includes ‘Infrastructure’, ‘Equipment’, ‘Application’, ‘Process’ and ‘Human Resource’. We will go in detail of each layer, understand the components and interconnections between the layers. All layers together should be seen like an engine, wherein each layer is individual gear, sho...
11 comments
Read more

Speaking Risk

Earlier blogs on Risk Chain and Security tools gave understanding on Risk components and risk treatment (five layers of Security). Even after implementation of Security measures, ‘Risk will exist’. The fact which Security Manager and Management must accept. There are many reasons for existence of Risk even after treatment. 1. 100% risk mitigation is not possible. This is one of the facts Security Manager and especially Management must accept. Known risk but not treated may be due to lower probability or practically not possible to treat due to cost of treatment or risk is low impact-low probable. This is known as ‘Risk Appetite’ of the organization. So, the condition here is, risk still exists but in knowledge. 2. Risk Treatment is not done properly – this is where Security manager or management have not measured the risk properly or not given proper treatment. Risk not estimated or missed in assessment is possible when adequate preparation in Risk assessment is not done – old risk...
9 comments
Read more

Effective Access Control nearly completes Security

In earlier blogs overview on ‘Risk Chain’, ‘Methodology to break’ the chain and ‘Five layers’ of Security was presented. There are various Security processes which contribute to complete the de-risking need. If we try to put score on each component of Security need, we will be able to prioritize the implementation requirement vis-à-vis risk. Threat” exposure is not possible without movement of men, material, or information. Therefore, controlling, regulating, and monitoring movements to-n-fro Secured - Non-Secured area is important.   Crime is not possible without access breach therefore, reasoned ‘Access control’ establishment nearly completes the Security. Access control is “The practice of regulating entrance to a property, a building, or a room to authorised person”, access could be physical or digital. Un-authorised access could be for property or information (damaging Or stealing). Out unauthorised movement of material (property) and information is also access breach.  G...
12 comments
Read more