Earlier blogs on Risk Chain and Security tools gave an understanding of risk components and risk treatment (the five layers of Security). Even after implementation of security measures, ‘Risk will exist’. This is a fact which the Security Manager and Management must accept. There are many reasons for the existence of risk even after treatment.
1. 100% risk mitigation is not possible. This is one of the facts the Security Manager and especially Management must accept. A known risk may be left untreated because its probability is low, because treatment is practically not possible due to its cost, or because the risk is low impact and low probability. This is known as the ‘Risk Appetite’ of the organization. So the condition here is: the risk still exists, but it is known.
2. Risk treatment is not done properly. This is where the Security Manager or Management has not measured the risk properly or has not given it proper treatment. A risk may go unestimated or be missed in assessment when adequate preparation for the risk assessment is not done: the old risk history is not consulted, there is no information on the risk, or the appropriate team members are not included in the risk assessment team.
3. A new risk originates after assessment. This is the most common case, as it is a race between the adversary (the bad guy) and the Security Manager: the winner is whoever knows the weakness first. The main causes are poor change management, a missing risk factor, or no process of periodic risk assessment.
In all three scenarios above, it is important that risk remains audible, and that is this blog’s title, ‘Speaking Risk’. Audibility means that even if a risk is not assessed (missed), or is assessed but accepted, or is new-born, the Speaking Risk philosophy will act like an alarm or pre-warning to the Security Manager and Management so that they can take steps in advance. (Please note: surprises are the biggest enemy of Security, i.e., the happening of what has not happened before or was never even imagined.)
The most common mistakes by Security Managers and even Management are not discussing the risk, creating no record of petty issues, and not reporting the issues upward. There are various reasons for hiding risks / issues, such as:
1. The Security Manager considers that revealing a risk will negatively affect his performance appraisal. He takes it as his failure (which may be true in the circumstances) in identifying the risk, in implementing appropriate risk treatment, or in a wrong risk acceptance decision, and considers that reporting will backfire.
2. Sometimes risks are not reported or brought on record because they might be exploited by the adversary, so it is thought better to keep them secret.
3. Management sometimes considers that showing a risk may repel customers or clients and affect the business negatively; it is feared that the brand image may be impacted.
4. Management considers that showing a risk will increase the EMI and they will lose their rebate.
The most common mistake is not to consider, value, or give time to discussing a new risk, and to treat the “status quo” as the ideal situation, as if ‘all is going well’. There are various examples of such mistakes. The 9/11 Commission Report, Section ‘General Findings’, last paragraph (https://govinfo.library.unt.edu/911/report/911Report_Exec.htm), states that “missed opportunities to thwart the 9/11 plot were also symptoms of a broader inability to adapt the way government manages problems to the new challenges”. What is important is that, when a risk is known, acceptance of the risk should be the responsibility of the appropriate authority.
Another example of avoided speaking risk is the blast at Beirut's port on 4 August 2020. Roughly 218 people were killed, 7,000 injured and property worth US$15 billion was damaged. As per investigations, it was a matter of overlooked storage and security of a COI (Chemical of Interest) even after frequent reports and alarms.
New risk will strike silently unless Management and Security Managers give risk an opportunity to speak. The aim of the ‘Risk Assessment’ process by the Security Manager should not be to scare the management and overkill or over-spend on security measures. The aim should be to keep eyes and ears open. Just as in medical treatment medicine should not be taken without a diagnosis, in security risk treatment adopting the right risk assessment tool is very important to know ‘where’ and ‘how much’ the risk is. There are various risk assessment frameworks; assistance from subject matter experts is important to know which framework to use and how to use it:
1. Failure Modes and Effects Analysis (FMEA)
2. Bowtie Model
3. ANSI 780
4. ISO 31000
5. CARVER analysis
Several of these models are also available as digital platforms that enable Management and Security Managers to carry out risk assessment in a structured manner. In addition to periodic risk assessment, there are many ways risk can speak and alarm: audits, mock drills, SME brainstorming sessions, risk assessment before a change, trend analysis, an effective intelligence & vigilance network for situational awareness, etc. With new technologies like Big Data analysis and AI, risk prediction is also possible. Analysis and correlation of events and/or matching of circumstances and condition(s) can provide advance risk warning. But such predictions demand a very strong base of historic incident data and much other related information. The model can predict where, what and when an event is probable in terms of percentage; in simple words, this is possible by accurately capturing the data affecting an incident.
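To make the "trend analysis" and "accepted risk" ideas above concrete, here is a small added example (written for this post, not the author's own tool). It works over a constructed incident log and a constructed register of accepted risks: it raises an alarm when one incident category is rising sharply against the previous window (including a category that never appeared before, the "new-born" risk case), and it lists accepted risks whose review date has passed, so that a risk accepted once does not stay silent forever. All names, dates and thresholds are assumptions chosen for the illustration.

```python
from datetime import date, timedelta

# Constructed sample incident log (not from the post): "YYYY-MM-DD,category".
INCIDENT_LOG = """\
2024-01-05,tailgating
2024-01-20,tailgating
2024-02-14,phishing
2024-03-02,tailgating
2024-03-10,phishing
2024-03-18,phishing
2024-03-22,phishing
2024-03-25,tailgating
2024-03-28,phishing
"""

# Constructed register of accepted risks: (risk id, owner, review due date).
# Acceptance is a decision with an expiry, so each entry carries a review date.
ACCEPTED_RISKS = [
    ("R-01", "Security Manager", date(2024, 2, 28)),
    ("R-02", "Management", date(2024, 6, 30)),
]


def parse_incidents(text):
    """Parse the log into (date, category) tuples, skipping blank lines."""
    incidents = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        day, category = line.split(",", 1)
        incidents.append((date.fromisoformat(day), category.strip()))
    return incidents


def window_counts(incidents, as_of, window_days):
    """Count incidents per category in the window ending at as_of (inclusive)
    and in the window of equal length immediately before it."""
    start_recent = as_of - timedelta(days=window_days - 1)
    start_previous = start_recent - timedelta(days=window_days)
    recent, previous = {}, {}
    for day, category in incidents:
        if start_recent <= day <= as_of:
            recent[category] = recent.get(category, 0) + 1
        elif start_previous <= day < start_recent:
            previous[category] = previous.get(category, 0) + 1
    return recent, previous


def trend_alarms(incidents, as_of, window_days=30, ratio=2.0, min_count=3):
    """Return {category: (previous_count, recent_count)} for categories whose
    recent count is at least `ratio` times the previous window's count and
    at least `min_count`. A category absent from the previous window counts
    as 0 there, so a burst of a brand-new category alarms as well."""
    recent, previous = window_counts(incidents, as_of, window_days)
    alarms = {}
    for category, n in recent.items():
        prev = previous.get(category, 0)
        if n >= min_count and n >= ratio * prev:
            alarms[category] = (prev, n)
    return alarms


def overdue_reviews(register, as_of):
    """Accepted risks whose review date is already past: they must be
    re-assessed, not silently carried forward."""
    return [risk_id for risk_id, _owner, due in register if due < as_of]


if __name__ == "__main__":
    today = date(2024, 3, 31)  # assumed reporting date
    incidents = parse_incidents(INCIDENT_LOG)
    for category, (prev, now) in trend_alarms(incidents, today).items():
        print(f"ALARM: {category} rose from {prev} to {now} in the last 30 days")
    for risk_id in overdue_reviews(ACCEPTED_RISKS, today):
        print(f"REVIEW OVERDUE: accepted risk {risk_id}")
```

Run as-is it reports the phishing category (one case in February, four in March) and the overdue review of R-01, while tailgating stays quiet because two cases in a month do not clear the minimum count. The thresholds are deliberately simple; the point is that an accepted or unnoticed risk is re-surfaced on a schedule and by the data, rather than waiting for an incident to announce it.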
Great write up...
Good Insights
Well elucidated Brother, keep writing
Very insightful sir thanks for the sharing...
Thank you Smit sir 😊
Very insightful... Sir, Thanks for the contribution in educating the Security fraternity.
Very aptly summarized.
Great Sir,
All things covered.
Very well summarised concept and necessity of Speaking Risk. Security risk is very dynamic; security professionals should always be one step ahead of threats, and appropriate risk treatment / controls for emerging/changing risk shall be implemented to safeguard the organization and yourself. Hence, the take-away is reveal/speak up and don't ignore RISK..... Thanks for the Great Share.