SECURITY RISK MANAGEMENT: INEFFECTIVE AT BEST, DANGEROUS AT WORST

mainimage-art1-104

Since the late 1990’s, the protective security services of both government and private sectors have been motivated by the belief that the implementation of Risk Management and Security Risk Management practices will reduce the likelihood of criminal attacks. Some states within Australian have actively enforced this concept through legislation, specifically requiring the acquisition of knowledge and the implementation of Risk Management practices within organisations.

But do Security and Risk Management processes prevent or reduce the likelihood of attacks by criminal offenders?

Do the specifically developed processes outlined in the Standards Australian Hand Book HB 167:2006 actually work?

This article will identify that implementing Security and Risk Management practices, especially those outlined in ISO 31000:2009, or its predecessors AS/NZS 4360:1999 and AS/NZS 4360: 2004, and the Australian Standards hand book HB 167:2006, does not lead to a decrease in crime. Instead the article will show that where these standards have been implemented, crime rates increase.

The concept of Risk Management and Security Risk Management is a well established discipline within the protective security services. For example the Australian Government, through the Attorney General’s Department, promotes the Protective Security Policy Framework (PSPF). This framework requires all federal government agencies to apply Security Risk Management processes. These processes are outlined in the International Organisation of Standardisation (ISO) Standard ISO 31000:2009 and the Australian Standards Hand Book HB167:2006.

Also, individual states require (sometimes through legislative enforcement) processes that those persons who provide consultative advice on protective security requirements, must have as a minimum knowledge of ISO 31000:2009, and HB 167:2006. For example, the NSW Security Industry Act of 1997 legislates that “a person who provides advice on security issues must have completed a Certificate IV Security and Risk Management course, to gain a licence”.

As can be seen from the above, Risk Management and Security Risk Management play an important role in determining the knowledge required to advise organisations on methods to prevent or reduce the likelihood of criminal attack. The Australian Standards Handbook HB 167:2006, states that Security Risk Management is a new paradigm, “which provides a means of better understanding the nature of security threats and their interaction at an individual, organisational, or community level”. Also, that Security Risk Management “has become a powerful tool in assisting prevention and management of the consequences of events that are often outside an ‘organisation’s’ normal understanding and experience” As HB 167: 2006 notes, “Security Risk Management introduces the concept of a person intentionally seeking to harm an organisation by deliberately seeking to overcome controls that are in place”.

The above belief is also reinforced by government. For instance, in a Fact Sheet published by the NSW Justice Department, it is stated that current reductions in the incidents of robbery have been made possible due to the implementation of security risk treatment options such as quality locks on doors, irregular banking procedures and appropriate lighting. This belief is further reinforced with data provided by the Australian Institute of Criminology (AIC) which in the latest report ‘Australian crime: Facts & figures 2013’ found that there has been an overall reduction in crime rates across a variety of crime types. These rates, which include the incidence of robbery, have been generally falling since 2002.

In addition the AIC, through the National Armed Robbery Monitoring Program (NARMP), monitors the incidence of armed robbery at a variety of locations such as Post Offices, pubs and licensed premises, private residences, and service stations. In the most recent publicly available report, the AIC identified that there is a general decreasing trend in the incidence of armed robbery across Australia.

However, taking credit for the drop in armed robbery crime rates due to the implementation of Security and Risk Management practices may be presumptuous. Although general trends in crime rates have been reducing since the early 2000’s, closer analysis of the crime types specifically targeted by Risk Management and Security Risk Management practices show an entirely different view.

For instance, in commercial organisations there is a strong financial, and sometimes legislated requirement to implement Security and Risk Management practices. Where these practices are implemented, it would be reasonable to expect a decrease in the incidence of crime. This would especially be the case where the ‘self-stated’ paradigm changing Australian Standards Hand Book HB167:2006 is implemented. It would also be expected that the incidence of criminal attack at these locations would at a minimum, mirror the downward trend seen in the general incidence of armed robbery. However, it is precisely the opposite trend that is occurring.

At licensed premises, the implementation of security risk treatment options such as closed circuit television, additional security guards, strict cash handling procedures and controlled access to high risk areas is common. It would be reasonable to expect that with these mechanisms in place, the incidence of crime would decrease. In fact, and according to the NARMP, since 2004 the incidence of armed robbery at these locations has increased by approximately 20%.

Likewise in the case of service stations which have been a target of armed robbers since the 1980’s. Although service stations have implemented such mechanisms as security guard patrols, surveillance systems and anti robbery screens, the incidence of armed robbery attacks has increased. The AIC’s latest publicly available data showing the increase to be around 30%.

Finally the Cash In Transit (CIT) industry. This industry, which has even undergone Industrial Relations Commission inquires, routinely uses security control mechanisms such as armoured vehicles, CCTV, and uniformed and covert security guards. It would be reasonable to expect that the incidence of armed robbery attacks would decrease since the implementation of Security and Risk Management practices. This should especially be the case with the implementation of AS/NZS 4360:1999 in the year 1999. However, the AIC report ‘Cash in transit armed robbery in Australia’ identified that since the year 2000, and specifically following the implementation of Australian Standards AS/NZS 4360:1999, the incidence of armed robbery against CIT operations has increased by around 900%.

There is limited available information that would provide evidence as to the reasons for these findings. However, if the organisations concerned followed the sometimes enforced implementation of processes outlined by ISO 31000:2009, its predecessors AS/NZS 4360:1999 and AS/NZS 4360: 2004, and HB 167:2006, there should have been an increase in efficiency and effectiveness in risk treatment measures designed to prevent or reduce the likelihood of crime. At the very least, the implemented security risk treatments should reduce the incidence of crime to match the overall societal decrease in crime. This has not occurred.

Statistically, if a large data population set, such as the overall armed robbery crime rates in Australia indicated a decreasing trend, it would be reasonable to expect that smaller sub-data sets, such as armed robbery at service stations, CIT and licensed premises, would also indicate a decreasing trend during the same period. As identified above, the deliberate utilisation of Security Risk Management risk treatment measures has not led to a decrease in the incidence of criminal attacks. In fact the reverse has occurred.

Such opposing trends in subordinate population data is significant, and highlights a flaw within the structural methodologies of the practice of Security and Risk Management practice. This trend strongly suggests that the implementation of Security Risk Management processes is counter-productive to the aim of preventing or reducing the likelihood of criminal attack. In short, crime seems to be increasing specifically where Security and Risk Management is being implemented.

Government and private industry place significant emphasis and importance on the concepts of Security and Risk Management and in some cases these concepts and methods have been legislatively enforced for use. However, the above research has identified the ineffectiveness of Security and Risk Management as a way and means to prevent or reduce the likelihood of crime. Given this identified ineffectiveness, it would seem appropriate for research to be conducted into more effective and directed methods to prevent and reduce the likelihood of crime.

The above article is a brief outline of an academic essay published in the Australian Security Research Centre (ASRC). That essay titled ‘Security Risk Management: a dangerously over-rated and broken paradigm’, can be obtained by contacting the ASRC.

David Harding has over 30 years experience working within government and private security fields, including service in the Australian Army’s Special Air Service Regiment, and the Australian Federal Police’s Air Security Officer Program. As Director of Anshin Consulting, David has conducted security operations across the Middle East, Asia and Australasia. This includes advising leading business persons and diplomats on non-state security threats. David holds a Masters degree, is a Registered Security Professional, and has researched, lectured, written, and blogged about international risk, threat and security management.