Security Threat & Risk Management
You will have to identify the areas in which you are vulnerable before you can begin to assess and ultimately manage those risks that you’ve identified. Take a moment to write down the risks your company is currently facing, and then consider the potential losses that could result.
Types of Risk
There are basically two types of risks: controllable and uncontrollable.
Controllable risks are those that you can do something about. Measures to address them include installing physical security devices such as locks, maintaining good lighting, maintaining safe landscaping design, and having regular security and safety inspections.
Uncontrollable risks might include anything from unforeseeable criminal acts of third parties to natural disasters (floods, storms, etc.). It is difficult to prevent these from happening, but you can at least mitigate damage by preparing for such emergencies or taking out insurance.
To calculate your risk, multiply the probability of a foreseeable event by the impact of the potential loss. Theoretically, this makes it possible to prioritize foreseeable events in the order of their risk. Risk management consists of the decisions you make based on that data. If the probability and impact are not properly assessed, the data can be unreliable or inaccurate.
It is important to realize that overstated probability of risks may lead you to unnecessary expenditures that are not properly targeted or directly related to your potential impacts, threats, and existing vulnerabilities. That may leave you susceptible to litigation. Likewise, an understated probability of risk may lead to complacency, which could leave you even more susceptible to litigation.
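The calculation above, and the effect of overstated or understated probabilities on the resulting priorities, can be worked through in a short script. This is an added example, not part of the original article; the events, probabilities, dollar impacts and function names are constructed assumptions.

```python
# Constructed sample register: (event, estimated annual probability, impact in dollars).
# All figures are illustrative assumptions, not data from the article.
REGISTER = [
    ("internal theft",       0.30,  20_000),
    ("third-party break-in", 0.10,  50_000),
    ("flood",                0.02, 400_000),
]

def risk(probability, impact):
    """Risk as the article defines it: probability times impact."""
    return probability * impact

def prioritize(register):
    """Rows ordered from highest to lowest risk."""
    return sorted(register, key=lambda row: risk(row[1], row[2]), reverse=True)

def score_range(probability, impact, factor):
    """Lowest and highest risk if the probability estimate is off by up to
    `factor` times in either direction (probability capped at 1.0)."""
    low = risk(probability / factor, impact)
    high = risk(min(1.0, probability * factor), impact)
    return low, high

def possible_top_priorities(register, factor):
    """Events that could rank first given that much estimation error.

    An event can lead if its highest plausible risk reaches the lowest
    plausible risk of every rival. More than one name in the result means
    the spending priority depends on the estimates, not on the arithmetic.
    """
    ranges = {name: score_range(p, i, factor) for name, p, i in register}
    leaders = set()
    for name, (_, high) in ranges.items():
        rival_floor = max(low for other, (low, _) in ranges.items() if other != name)
        if high >= rival_floor:
            leaders.add(name)
    return leaders

if __name__ == "__main__":
    for name, p, impact in prioritize(REGISTER):
        print(f"{name:22s} p={p:.2f} impact=${impact:>8,} risk=${risk(p, impact):>9,.0f}")
    for factor in (1.1, 2.0):
        leaders = sorted(possible_top_priorities(REGISTER, factor))
        print(f"estimates off by up to {factor}x: top priority could be {leaders}")
```

With these sample figures the flood stays the top priority when the estimates are within 10 percent, but any of the three events could rank first if the probabilities are off by a factor of two.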
Threats – Examples might include natural disasters, internal theft, or criminal acts of third parties, to name a few. Threats are present for every type of business.
Vulnerabilities – These are weaknesses that make a business more prone to the threat of a loss. Vulnerabilities may provide the opportunity for an attack to have a more severe or devastating impact. For example, regarding criminal activity, vulnerability could be found in the absence of sufficient security lighting or the absence of an adequate security system.
Controls – These are countermeasures taken to overcome the threats and vulnerabilities. They are:
Risk Avoidance – Deterrent Controls are used to completely avoid the likelihood of certain deliberate attacks.
Risk Reduction – Detective Controls discover the risk of deliberate attacks and then initiate preventative or corrective controls to reduce the likelihood of these attacks occurring.
Risk Spreading – Corrective Controls serve to mitigate the impact of an expected attack.
Risk Transference – Preventative Controls are used to protect vulnerabilities and make an attack unsuccessful or greatly reduce its impact.
Of course, there is a fifth type of approach to Risk Management. It is called Risk Acceptance. Here, you simply “take your chances” that nothing will happen, and you accept your risks by making little or no effort to control or eliminate them.
Frankly, that isn’t using good business sense. In our litigious society, willful negligence in this regard can certainly lead to catastrophic consequences.
The Chief Risk Factor
It’s a fact that your competition has a better chance of beating you if you are weaker in one or a number of areas. Therefore, you may actually be the Chief Risk Factor in your business. “Chief” because it all starts (and ends) with you. This is true whether you are running a large corporation or managing a small business.
Safety and security are like water: they always run downhill. From the boardroom to the lunchroom and every room in between, good safety and security practices must be adopted by the Chief Executive Officer and supported by the Chief Financial Officer.
The first step in any thorough risk management strategy is risk identification.