Risk Assessment
To achieve this goal, security practitioners need to understand the role of business generally and, more specifically, how to educate their Clients in order that these Clients purchase the consulting services that the security practitioner is offering.
An effective way in doing this is to highlight how Risk Management leads to business success. Although Clausewitz is credited with the phrase “no plan follows on from the initial contact”, the fact that one engages in a risk planning exercise has been shown to enhance the probability of success in a range of areas. Simply by engaging in the process of Risk Management, you will reduce or eliminate the risk of certain kinds of events happening or having an impact on your business.
Although Risk Management is often viewed as an academic discipline in first world environments, the reality is that in Africa, a range of risks can affect your business – in some cases, literally, overnight. Whilst some of our corporate clients have prepared generic Risk Management plans to mitigate against common risks like accidents in the workplace, fires, earthquakes and floods, they often failed to include legal risks like fraud, theft, substance abuse and sexual harassment lawsuits. Also, other risks that are often not identified relate to business practices: security and storage of data; uncertainty in financial markets; failures in projects; and failure to understand cultural differences in emerging markets.
The philosophy behind Risk Management practices is to limit your company’s vulnerability to the range of risks that it might or will face. An NGO providing a feeding scheme to displaced persons in Bangui, Central Africa Republic, could face risks from malicious and religious zealots that would be of a different nature than the risks faced by an NGO in Blantyre, Malawi, that offers HIV/AIDs education and counselling. Yet, both organisations face risks and these need to be assessed in order for the business of both NGOs to be a success.
Not all threats are risks, although all risks are threats. The difference lies in the analysis of a threat based on two factors – the likelihood of that threat occurring and the level of impact such an occurrence will have on your corporate assets.
For example:
* The Cape Town Civic Centre had a large and heavy metal statue secured to a stone plinth outside the front entrance to the building. Because municipal workers frequently went on strike in Cape Town, the municipal security team identified the threat by striking workers of using the statue as a battering ram to break into the building. Consequently, substantial financial resources were deployed to place the statue under CCTV surveillance and to have guards posted at the statue’s plinth. Yet, the likelihood of striking municipal workers of being able to use the metal statue as a battering ram was virtually nil; and the consequences of breaking through the front door into a secured hallway represented a minimal impact. Agreed, the cost of replacing the glass entrance way was a financial consideration, but the likelihood of the imagined threat materialising was highly unlikely.
- All types of threats are identified and the risks prioritized. This is achieved by reviewing a history of incidents, interviewing local emergency and discussing similar incidents with competitors and others in a neutral forum.
- Assess the vulnerability of your key assets (property, people, information and reputation) to the identified threats. By adopting a scale of 1 (minor vulnerability) to 4 (major vulnerability), you can quickly classify the vulnerability of your assets.
- Determine the anticipated consequences of specific risks to your assets. By adopting a scale of 1 (minor consequence) to 4 (major consequence), you can quickly classify the impact of identified threats to your assets.
- Using fact-based analysis, consider how to reduce risks by self-insuring, transferring, closing down or implementing security solutions.
- Prioritize the risk management procedures based on their ranking (1 = delay; 4 = immediate).
Before you undertake any security consultancy role with your Clients’ you need to conduct a Risk Management audit so that you understand the business and the Client understands the actual, rather than the perceived, risks threatening their business.
If you think that your business requires a professional and independent Risk Management assessment before you undertake a major capital expenditure or new project, give us a call so that we can design a strategy to protect your buildings, your employees, your information resources and your reputation.