When I started my research in the late 1980s, I quickly came to the view that risk management is a simple idea that is implemented easily in most routine circumstances. However, there are some situations when there are many complicating factors that can result in poor decisions and risk management failure. The authors of standards like AS/NZS 4360, ISO 31000 and ANSI/ASIS/RIMS RA.1-2015 cannot provide a standard risk management solution for every operational environment and therefore the best they can do is define a common terminology and suggest auditable processes for making and implementing decisions about risk.
Security professionals were quite adept at assessing and managing risk before the publication of AS/NZS 4360. However, some specialised risk analysis processes were abandoned in Australia in favour of using those recommended in the 1995 version of AS/NZS 4360; for example, some simple risk matrices. Those generalised risk matrices were not part of the standard as such; they were in an appendix giving information intended to provide examples of what a risk analysis tool might look like. However, there is much anecdotal evidence that many security professionals (or their bosses) believed they had to use the matrices in AS/NZS 4360:1995 instead of the specialised security risk analysis methodologies that had been formerly in use. The result in some cases was a drop in the quality of security risk analysis. The authors of AS/NZS 4360 deleted the examples of risk matrices in a later version, but by that time the matrices were embedded in many corporate risk management plans and in software that organisations were using for their enterprise risk management programs.
Standards are important to set minimum requirements, but it is vitally important that security professionals implement security risk assessments and management to a degree that gives some control over the operational environment. This would normally involve providing security that meets the goals (and policies) of the key stakeholders.
If comparing the security industry with the building industry, some stark differences might be seen. Professional engineers and architects regularly produce building designs with features that are in addition to those prescribed in Australian or international standards. How often do security designers include features that are non-standard or truly innovative?
Recently I had the privilege of attending a forum hosted by the Australian Security Research Centre in Canberra. The theme of the forum was about challenging security paradigms by bursting assumptions commonly made in the profession. The papers presented and subsequent discussions were meant to be thought provoking, and certainly were. Some offered innovations and others were more critical.
At the forum, I heard an argument from an Australian security professional that security risk management has had no measurable impact on crime reduction statistics at licensed premises, service stations or ‘cash-in-transit’ operations. Indeed, he believed that crime had increased at these facilities since the introduction of security risk management systems.
Licensed premises and service stations are not facilities that are easily hardened with security measures. However, measures can be put in place to protect staff and most of the cash collected. It is important to define the goals of a risk management system in order to determine its effectiveness. For example, if a risk management goal at a service station is to protect the staff that work there, then comparing crime statistics with this goal is only valid if the statistics relate to harm to the staff at this type of facility. The same principle would apply to the majority of the cash collected at a service station; preventing people from driving off without paying for petrol is a different problem altogether. To give another example: in a hotel, preventing one patron from punching another is also difficult to address with security measures.
The argument that security risk management is a contributing factor to an increase in crime at the facility being protected is self-contradictory. Perhaps the security risk management goals in these cases were not clearly defined or were simply not achieved? Alternatively, the statistics used in the analysis might have included drive-offs at petrol stations or assaults at licensed premises. The detail was not provided in the argument given by the speaker at the forum.
It is very important when using statistics in risk analysis to show those statistics in the analysis to ensure they are relevant and to allow others to verify the analysis. It may be possible that security has been successful in providing the protection for which it was designed in service stations and licensed premises. However, the security design goals need to be stated in the risk assessment and the crime statistics need to be relevant to the risk management goal.
The security profession’s assumptions need to be constantly challenged, but it also needs to use a scientific or valid epistemological approach to its research.
The papers presented in the forum were collated in the publication Challenging Security Paradigms: Bursting the Assumptions Bubble and were published by the Australian Security Research Centre.