
Six Questions to Ask Yourself About Security Risk Assessments

Security Executive Council

Getting back to basics to align your security risk process with the rest of the business.

Businesses are more in tune with risk than ever before – it has become a part of corporate culture. Corporate leaders have improved their understanding of the role risk assessments play; however, Security and the rest of the business are not always in agreement on the "why" and the "how". As a result, Security's risk assessment activities may not be in line with those of the rest of the organization.

This paper is designed to help security executives evaluate their current risk assessment program. The SEC has found that while many security leaders are performing risk assessments, they are not being conducted at the enterprise level; instead, they are assessing at the site or building level. Although some practitioners are advanced in the practice of risk assessments, our research shows that as more people move into corporate security leadership roles, many are not starting with the basics – such as conducting an enterprise-level risk assessment of security issues.

The SEC has found that conducting a risk assessment at the enterprise level is a first and essential step for successful programs. In a recent Security Barometer poll on risk assessment, security practitioners shared the steps they use to assess risk and how well they feel their organization is tackling significant security risks overall.

To evaluate where your risk assessment program is, begin by answering the following questions:

  • Do you have a working definition and process for risk assessment?
  • Is there a risk assessment program in place that’s embraced and followed from the top down within your organization?
  • When was the last time you did a risk assessment? And how frequently are they updated?
  • Do you re-evaluate and update your program on a regular basis—especially, but not limited to, after incidents or threats?
  • Do you review the results with senior management and obtain concurrence on the risks?

If you can't answer these, or if the answer is "no," it's time to examine what you are doing and how you can improve the risk assessment program for the betterment of your organization. Creating a common risk definition and language shared by security professionals, security executives and senior management is critical.

Risk Management Definitions

For security and business to be a truly unified discipline, there needs to be a shared language for defining risk and mitigation and articulating the success or failure points for any given initiative. The common language needs to be accessible and inclusive to all units within an organization, including executives, human resources, legal, finance and security.

There are plenty of definitions to be found for risk, threat and vulnerability, but an example is useful to clarify the terms.

For illustration purposes we chose an example that can affect several areas of risk: event security, which has become important to many companies following recent incidents. This example highlights the complexity of risk.

Corporate Events (sponsored by the company or held at a corporate location)

We'll start with examples of general categories of risk and their threats:

People Risk
Threat = Personnel death or injury at a corporate event

Brand Risk
Threat = Brand name associated with a catastrophic incident at an event (e.g., the Mandalay Bay Resort and the Las Vegas shooting)

Product Risk
Threat = Products used/featured at an event cause damage (e.g., food contamination)

Property Risk
Threat = Fire or riot at an event at a company facility

The vulnerabilities and mitigations are essentially the same for all four risk areas listed:

Vulnerability = Lack of adequate planning, contingencies and preparedness, and inappropriate contractual requirements.

Mitigation = Pre-event risk ranking, attendee risk analysis, appropriate contractual requirements for security and crisis management, a risk assessment/emergency response plan, and adequate security measures in place.

Of course, the probability and impact levels of each risk will need to be determined as well.

It’s important for security executives to establish and maintain an ongoing process of risk assessment to drive security and resource planning. Risk assessment statements ultimately should represent key risks to the organization and characterize a measurable, effective security program.

Six Critical Questions

Can you answer these questions about your company’s business/security risk alignment? Write down your answers in the boxes below. This can also be used to document progress.

[Image: worksheet with six critical questions about your company's business/security risk alignment]

If you gave the same six critical questions to each member of your security leadership team, would they come up with the same results?

The goal of this exercise is to provide a resource that solidifies and documents key success factors and provides assurance your program is working. It’s also a way to determine if the plan and processes you have in place are significant enough to mitigate the risk.

There are other targeted questions that can be posed internally to conduct this exercise:

  • Is the mitigation program run uniformly throughout the company so you are providing the same services throughout the organization?
  • Have criticality, profitability and single points of failure been incorporated into the risk assessment to make sure that adequate mitigation has been provided to those sites or businesses?
  • If security is not a main provider of risk assessment and mitigation—what support should you provide?

Failure Points

The SEC has found the five most common failure factors for a security risk assessment:

  1. Risks aren’t aligned with the enterprise risk assessment that executive management has completed.
  2. There is no stakeholder input and concurrence.
  3. Security executives don’t map and align their mitigation strategies to risks.
  4. Security executives don’t prioritize risks.
  5. There is no identified process.

Many times, the scope of the risk assessment is set too narrowly, and potential risks are missed. Or personal opinion is applied, and security executives look at the process only from their own perspective and not from the perspectives of other business units within the organization. There are additional variables, such as outside contractors: if they lack the right foundational knowledge of risk and of the organization, there is no cumulative quality, only "currency".

Security executives need to regularly reassess their established risk assessment plan to determine whether it is up to date. Do elements need to be added? Have you determined what has been effective and what has not? There may be a better, more targeted program than the one currently in place. In reality, this kind of deep thought and analysis on risk assessment is not taking place at many organizations – but it should.

Publication date: September 2021
