Risk UK September 2017
The Security Institute’s View
and, in turn, risk and resilience management – are related.
It’s not enough for C-level directors of risk to consider risks in isolation. They should be focused just as much on resilience measures. Furthermore, resilience to organisational interruption and resilience for organisational response and recovery must be proportional.
Resilience measures are not cheap. Rather, they’re investments which need justification as well as suitable resourcing. By linking risk and resilience management, it’s then possible to create a single mindset in the organisation that focuses on both as one.
Port security risk
In my joint study with Professor David Menachof¹, and drawing on my experience of working as a leading Lloyd’s underwriter of marine war, terrorism and political violence risks, we presented a model of port security risk. Here, threat is defined as the probability that an attack occurs, vulnerability is defined as the probability that an attack results in damage given that an attack occurs and consequence is defined as the expected damage given that an attack occurs and results in damage. Thus Risk = P(attack occurs) * P(attack results in damage | attack occurs) * E(damage | attack occurs and results in damage).
We go on to show how port security risk can be quantified and, when combined with performance data for security systems obtained from a series of interviews with port security experts, the resultant residual risk of each port facility can be calculated. This data was used as the basis for assessments of the performance of each of the security systems as a whole.
Developing the model, which is now the focus of my research with Dr Alison Wakefield at the University of Portsmouth, if we were to substitute ‘event’ for ‘attack’ and ‘consequence’ for ‘damage’ in the above equation and further model the impacts of both resilience to organisational interruption and resilience for organisational response, we arrive at the following model for residual risk: Residual Risk = P(event occurs) * P(event results in consequences | event occurs) * f(resilience to organisational interruption) * E(consequences | event occurs and results in consequences) * f(resilience for organisational response).
Here, f(resilience to organisational interruption) and f(resilience for organisational response) are functions of resilience to organisational interruption and resilience for organisational response respectively which reduce organisational vulnerability and consequence. The way in which these are calculated isn’t elementary and reflects the complex landscape of the relationship between risk and resilience.
To further inform the model, I’ve identified in excess of 400 individual elements that can contribute to an organisation’s resilience. They stem from Health and Safety, security, environment, quality management, training, business continuity planning, redundancy capability, crisis management capability, cyber security and media management.
Within each of these elements there’s the potential for a non-conformance or near miss to be manifested without warning. Risk managers and directors will recognise the importance of identifying an appropriate methodology for the collection and analysis of non-conformances and near misses, given their clear potential for impacting a firm’s vulnerability.
An organisation’s vulnerability can be modelled in a two-dimensional matrix assigning an individual score for the significance of each performance indicator of resilience to organisational interruption in tackling a potential hazard, both man-made and natural. The modelling of non-conformances is thus significant because they will affect the individual vulnerability scores in the matrix.
As this matrix is then used to calculate the organisation’s overall residual risk and the resilience to organisational interruption has a direct bearing on vulnerability, it’s possible to link the performance of resilience to organisational interruption and the presence of non-conformances to residual risk.
Similarly, the resilience for organisational response consists of performance indicators that have a direct bearing on the consequences of an extraordinary event affecting an organisation. In turn, these may be modelled in their capability to reduce consequences and thus reduce residual risk overall. This is the methodology that links resilience to organisational interruption and resilience for organisational response and, therefore, overall resilience to organisational risk.
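The residual-risk formula and the two indicator-by-hazard matrices described above, worked through as an added example (not code from the article or the cited study). The multiplicative form assumed for f(...), the linear non-conformance penalty, the indicator and hazard names and every number are constructed assumptions.

```python
"""Residual risk per hazard using the article's formula; f(...) form and data are assumptions."""

# Constructed sample data: hazard -> (P(event), P(consequences | event), E(consequences) in GBP)
HAZARDS = {
    "flood": (0.02, 0.50, 4_000_000),
    "cyber intrusion": (0.10, 0.40, 1_000_000),
}
# Two-dimensional matrices: indicator -> hazard -> significance score in [0, 1] (constructed).
INTERRUPTION = {
    "perimeter security": {"flood": 0.0, "cyber intrusion": 0.1},
    "patch management": {"flood": 0.0, "cyber intrusion": 0.5},
    "flood defences": {"flood": 0.6, "cyber intrusion": 0.0},
}
RESPONSE = {
    "business continuity plan": {"flood": 0.4, "cyber intrusion": 0.3},
    "crisis management": {"flood": 0.2, "cyber intrusion": 0.2},
}

def performance(indicators, non_conformances, penalty=0.25):
    """Assumption: each open non-conformance cuts an indicator's
    performance by `penalty`, floored at zero."""
    return {i: max(0.0, 1.0 - penalty * non_conformances.get(i, 0)) for i in indicators}

def factor(matrix, perf, hazard):
    """Assumed form of f(...): every indicator independently removes
    score * performance of whatever vulnerability or consequence remains."""
    f = 1.0
    for indicator, scores in matrix.items():
        f *= 1.0 - scores[hazard] * perf[indicator]
    return f

def residual_risk(non_conformances=None):
    """P(event) * P(conseq | event) * f(interruption) * E(conseq) * f(response), per hazard."""
    nc = non_conformances or {}
    p_int, p_resp = performance(INTERRUPTION, nc), performance(RESPONSE, nc)
    return {
        hazard: p_event * p_conseq * factor(INTERRUPTION, p_int, hazard)
        * e_conseq * factor(RESPONSE, p_resp, hazard)
        for hazard, (p_event, p_conseq, e_conseq) in HAZARDS.items()
    }

if __name__ == "__main__":
    baseline = residual_risk()
    degraded = residual_risk({"patch management": 2, "business continuity plan": 1})
    for hazard in HAZARDS:
        print(f"{hazard:16s} baseline GBP {baseline[hazard]:>8,.0f}   "
              f"with non-conformances GBP {degraded[hazard]:>8,.0f}")
```

Non-conformances against one indicator only move the hazards that indicator scores against: the patch-management findings leave the flood interruption factor untouched, while the business-continuity finding raises residual risk for both hazards.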
In only a few years from now, the lines dividing risk management and resilience management will be sufficiently blurred, not only through a better understanding of their impact on residual risk, but also through the necessity of allocating efficient resources to tackle organisational risk and resilience.
Reference<br />
1 Talas R and Menachof D (2014): ‘Using Portfolio Optimisation to Calculate the Efficient Relationship Between Maritime Port Security Residual Risk and Security Investment’, International Journal of Shipping and Transport Logistics, Volume 6:3, pp46-59
Dr Risto Talas BA (Hons) MBA PhD: Lecturer in Security Risk Management at the University of Portsmouth’s Institute of Criminal Justice Studies
“It’s not good enough for C-level directors of risk to consider risk in isolation. They should be focused just as much on resilience measures”
www.risk-uk.com