RiskUKSeptember2017

More documents

Recommendations

Info

Reflections on Risk and Resilience Risk and resilience as fields of research have engaged academics for several years now. That research has spanned many fields, including – but by no means limited to – finance, sport, supply chain management, social work, security and terrorism. Nonetheless, there remains something mystical about the concept of risk. Will the lines dividing risk and resilience management continue to blur and pave the way for a new form of thinking? Dr Risto Talas believes so There exists a settled consensus that risk consists of three elements: threat, vulnerability and consequence. Consider the English language student who sat his finals at Cambridge University in 1953. The questions set included one that read: ‘What is a risk?’ The student’s answer was simply: ‘This is a risk.’ By answering as he did, the student demonstrated a clear understanding of risk. What represented the threat in the answer? The threat was a failed examination if the examiner viewed his answer as an arrogant attempt to be clever. Or might the examiner see that the answer was really quite insightful? Either way, the threat level could be considered to be quite high. In terms of vulnerability, the student could resit the examination towards the end of the year. What would be the consequences of doing so? A delayed graduation and the inability to begin the teaching job for which he had successfully interviewed only the previous week. The student showed quite elegantly that he understood risk very well. He also highlighted the distinction between individuals who are risk averse (ie those students who laboured for the full three hours) and those who, much like himself, are risk-seeking. Academics often consider risk and resilience together, as a quick search on Google Scholar will reveal. Resilience is often described as the ability to ‘bounce back’ after a crisis or an adverse event, to be able to return to normal working conditions or to absorb the impact of an adverse effect. Many academics see risk and resilience not necessarily as two opposing sides of the same coin, but also not as related as I believe them to be in the real world. Risk management may be viewed as the constant assessment of whether to treat, tolerate, terminate or transfer the risks an organisation faces. Why constant? Put simply, because risks are dynamic and change constantly. A risk assessment conducted on paper and left on a shelf is a dead end exercise. Ultimately, organisations should have their latest risk assessment digitally available to them at all times. Remember Ericsson’s supply chain crisis back in 2000? A lightning strike affected a semiconductor factory in Albuquerque owned by Philips that was the single source of supply for all of Ericsson’s chips for its mobile phones. The lightning strike caused a fire which meant that all of the chips in the factory were rendered useless. Nokia also ordered some of its chips from the same factory. Within hours of the fire, Nokia’s supply chain management team in Finland was alerted to the disruption and ordered more chips from Philips’ other plants while beginning to reconfigure its (then) current factory line mobiles to accept the chips from the different sites. What of Ericsson in the intervening period? It took the business a full two weeks to wake up to the scale of the disaster, by which time it was Finland 1 Sweden 0. Resilience management What, then, is resilience management? My definition is the constant assessment, implementation and monitoring of efficient active and passive systems which address an organisation’s threats, vulnerabilities and consequences in the face of an extraordinary event. This definition links the two dimensions of resilience: resilience to organisational interruption and resilience for organisational response and recovery. Resilience to organisational interruption comprises the active measures that are focused on reducing an organisation’s vulnerability to an extraordinary event, while resilience for organisational response and recovery encompasses the passive (but which can become immediately active) measures that are focused on reducing the consequences to the organisation from an extraordinary event. Essentially, this is how risk and resilience – 48 www.risk-uk.com
The Security Institute’s View and, in turn, risk and resilience management – are related. It’s not enough for C-level directors of risk to consider risks in isolation. They should be focused just as much on resilience measures. Furthermore, resilience to organisational interruption and resilience for organisational response and recovery must be proportional. Resilience measures are not cheap. Rather, they’re investments which need justification as well as suitable resourcing. By linking risk and resilience management, it’s then possible to create a single mindset in the organisation that focuses on both as one. Port security risk In my joint study with Professor David Menachof 1 , and drawing on my experience of working as a leading Lloyd’s underwriter of marine war, terrorism and political violence risks, we presented a model of port security risk. Here, threat is defined as the probability that an attack occurs, vulnerability is defined as the probability that an attack results in damage given that an attack occurs and consequence is defined as the expected damage given that an attack occurs and results in damage. Thus Risk = P (attack occurs) * P (attack results in damage | attack occurs) * E (damage | attack occurs and results in damage). We go on to show how port security risk can be quantified and, when combined with performance data for security systems obtained from a series of interviews with port security experts, the resultant residual risk of each port facility can be calculated. This data was used as the basis for assessments of the performance of each of the security systems as a whole. Developing the model, which is now the focus of my research with Dr Alison Wakefield at the University of Portsmouth, if we were to substitute ‘event’ for ‘attack’ and ‘consequence’ for ‘damage’ in the above equation and further model the impacts of both resilience to organisational interruption and resilience for organisational response, we arrive at the following model for residual risk: Residual Risk = P (event occurs) * P (event results in consequences | event occurs) * f (resilience to organisational interruption) * E (consequences | event occurs and results in consequences) * f (resilience for organisational response). Here, f (resilience to organisational interruption) and f (resilience for organisational response) are functions of resilience to organisational interruption and resilience for organisational response respectively which reduce organisational vulnerability and consequence. The way in which these are calculated isn’t elementary and reflects the complex landscape of the relationship between risk and resilience. To further inform the model, I’ve identified in excess of 400 individual elements that can contribute to an organisation’s resilience. They stem from Health and Safety, security, environment, quality management, training, business continuity planning, redundancy capability, crisis management capability, cyber security and media management. Within each of these elements there’s the potential for a non-conformance or near miss to be manifested without warning. Risk managers and directors will recognise the importance of identifying an appropriate methodology for the collection and analysis of non-conformances and near misses, given their clear potential for impacting a firm’s vulnerability. An organisation’s vulnerability can be modelled in a two-dimensional matrix assigning an individual score for the significance of each performance indicator of resilience to organisational interruption in tackling a potential hazard, both man-made and natural. The modelling of non-conformances is thus significant because they will affect the individual vulnerability scores in the matrix. As this matrix is then used to calculate the organisation’s overall residual risk and the resilience to organisational interruption has a direct bearing on vulnerability, it’s possible to link the performance of resilience to organisational interruption and the presence of non-conformances to residual risk. Similarly, the resilience for organisational response consists of performance indicators that have a direct bearing on the consequences of an extraordinary event affecting an organisation. In turn, these may be modelled in their capability to reduce consequences and thus reduce residual risk overall. This is the methodology that links resilience to organisational interruption and resilience for organisational response and, therefore, overall resilience to organisational risk. In only a few years from now, the lines dividing risk management and resilience management will be sufficiently blurred, not only through a better understanding of their impact on residual risk, but also through the necessity of allocating efficient resources to tackle organisational risk and resilience. Reference 1 Talas R and Menachof D (2014): ‘Using Portfolio Optimisation to Calculate the Efficient Relationship Between Maritime Port Security Residual Risk and Security Investment’, International Journal of Shipping and Transport Logistics, Volume 6:3, pp46-59 Dr Risto Talas BA (Hons) MBA PhD: Lecturer in Security Risk Management at the University of Portsmouth’s Institute of Criminal Justice Studies “It’s not good enough for C-level directors of risk to consider risk in isolation. They should be focused just as much on resilience measures” 49 www.risk-uk.com
Page 1 and 2: September 2017 www.risk-uk.com Secu
Page 3 and 4: September 2017 Contents 42 Meet The
Page 5 and 6: Editorial Comment More zones, more
Page 7 and 8: News Update “Employees pose great
Page 9 and 10: News Analysis: British Standard 859
Page 11 and 12: They see a well secured airport. Yo
Page 13 and 14: News Special: Cortech Open Innovati
Page 15 and 16: Opinion: ISO 22316 Security and Org
Page 17 and 18: Opinion: Apprenticeships in the Sec
Page 19 and 20: BSIA Briefing With an estimated eig
Page 21 and 22: “ MY PASSION IS PERFECTION IN EVE
Page 23 and 24: Enterprise Security Risk Management
Page 25 and 26: Bribery, Fraud and Corruption: Risk
Page 27 and 28: Crisis Management: Leadership in Pr
Page 29 and 30: www.coie.uk.com Cortech Open Innova
Page 31 and 32: Lone Worker Security and Safety wor
Page 33 and 34: The Changing Face of Security Servi
Page 35 and 36: Multi award winning security servic
Page 41 and 42: Tel: 08707 508070 Fax: 08707 508066
Page 43 and 44: Meet The Security Company: Doyle Se
Page 45 and 46: Fire Safety Planning: Emergency Eva
Page 47: National Association for Healthcare
Page 51 and 52: In the Spotlight: ASIS Internationa
Page 53 and 54: FIA Technical Briefing: Gaseous Fix
Page 55 and 56: Security Services: Best Practice Ca
Page 57 and 58: Cyber Security: Risk Management in
Page 59 and 60: Training and Career Development ‘
Page 61 and 62: Risk in Action Cambridgeshire Fire
Page 63 and 64: Technology in Focus SPC Connect’s
Page 65 and 66: Appointments Magnus Ahlqvist The Bo
Page 67 and 68: thepaper Business News for Security
Page 69 and 70: CCTV CCTV Rapid Deployment Digital
Page 71 and 72: SECURITY ANTI-CLIMB SOLUTIONS & SEC

RiskUKSeptember2017

Create successful ePaper yourself

Delete template?

Save as template?