PART I
Analyzing and Assessing Security and Risks
The chapters in this part of the book will help you understand, analyze, and assess security and capacity (Chapter 2); risk (Chapter 3); hazards, threats (the sources of negative risks), and contributors (the sources of positive risks) (Chapter 4); target vulnerability and exposure (Chapter 5); probability and uncertainty (Chapter 6); and events and returns (Chapter 7).
In the process, readers will learn how different advocates and authorities contest the definitions, analysis, and assessments, how different activities, operations, and missions face imperfect trade-offs that are exacerbated by poor analysis and assessment, and how some simple rules and practical techniques dramatically improve understanding and functionality.
Introduction: Why Security and Risk Management Matters
What is this book about?
In this book, readers will learn how to understand, analyze, assess, control, and generally manage security and risks from the personal to the operational.
Security, as described in Chapter 2, is, essentially, freedom from negative risks. Risks, as described in Chapter 3, are the potential returns (consequences, effects, etc.) of an event. Risks are inherently uncertain, and many people are uncomfortable with uncertainty, but security and risk management is a practical skill set that anyone can access. Readers of this book do not need to learn theory or many facts but will be introduced to the processes by which security and risks can be managed and to the contexts of many real risks. Readers will be left informed enough to start managing security and risks for themselves or to further investigate the subject.
We all should care about better security and risk management because, if done well, we would live in a more secure and less risky world. Awareness of risk is entirely healthy, because everything we do is literally risky; by simply interacting socially or undertaking any enterprise, “everyone willingly takes risks” (Adams, 1995, p. 16).
Unfortunately, not all security and risk management is conscious or sensible. People tend to obsess about certain risks and ignore others or manage risks in distorted ways that discredit the whole practice of management. Unfortunately, in the past, security management and risk management were routinely separated, with all sorts of disciplinary and professional incompatibilities, but security and risk management are complementary and properly tackled together.
Public expectations for security continue to grow, but sensitivity to certain risks and dissatisfaction with their management also continue to grow. In the last two decades or so, official and private authorities—international institutions, governments, trade associations, general managers, employers, contractors, and employees—have formally required better management and specified how it should be delivered, stimulating more disputes about proper definitions and practices.
This book provides a new practical guide to the proper synthesis of security and risk management.
Private Requirements for Security and Risk Management
Outside of government, private citizens and managers of commercial activities want or are expected to take more responsibility for their own security. For instance, public authorities urge private citizens to prepare for emergencies at home, to consult official advisories before they travel, and to rely less on public protections. Commercial organizations reserve more internal resources or acquire their own protections after finding public protections or private insurers less reliable. Managers of projects, operations, information, acquisitions, and human resources now routinely include security or risk management within their responsibilities. According to Gary Heerkens, “Risk and uncertainty are unavoidable in project life and it’s dangerous to ignore or deny their impact . . . Risk management is not just a process—it’s a mindset” (2002, pp. 142, 151).
Public Attention to Risk
Security is a primary responsibility of government, which acquires militaries, police forces, coast guards, border protections, health authorities, and various regulators to ensure the security of their territory and citizens. By the 1970s, public authorities managed security and risks mostly in the sense that they managed public safety and controlled crime. For instance, in 1974 the British legislated in favor of a Health and Safety Executive, passed new legislation protecting employees, and increased public entitlements. However, these actions failed to control other risks, such as terrorism, and encouraged inflated views of some risks, such as workplace risks (which have declined), while neglecting other risks, such as sexual risks (which have increased). Even where risks have not increased in any real sense, societies have developed into risk societies that show increased sensitivity to risk in general, though they neglect or activate certain hazards, such as environmental hazards, due to misplaced attention to some risks over others (Beck, 1995; Beck, Ritter, & Lash, 1992; Wisner, Blaikie, Cannon, & Davis, 2004, pp. 16–18).
Requirements for Better Management
The increased salience of both security and risk is indicated by the shift in United Nations (UN) operational management from an official objective of safety and security to security risk management (since 2005), followed by the Humanitarian Practice Network’s similar objective (2010). A publicly accessible online tool (http://books.google.com/ngrams) suggests that use in books of the terms risk, security risk, international risk, and global risk grew over the last three decades by several orders of magnitude each and peaked around 2006 (the data runs out in 2008).
Increased attention to security and risk does not always produce better management of security and risk. The requirement for wider security management is often met by narrower sets of skills. Requirers could outsource to specialist security or risk management contractors, but some of these providers have betrayed their clients with superficial skills and even ethical or legal violations. For instance, in February 2013, the U.S. Government unveiled a civil lawsuit, following similar suits by several states and the District of Columbia, alleging that a risk rating agency had defrauded investors by supplying ratings of the risks of financial products that were not as independent as the agency had claimed.
Organizations usually lack a manager trained to manage risks across all domains and levels, although general managers may have some training. Organizations often assign corporate responsibilities for risk management to their finance, information, or project managers, who should offer some generalizable skills in security management or risk management, although each domain has peculiar risks and a particular approach. Financial risk management and project risk management are not perfectly transferable and have suffered crises of credibility since the latest global financial crash (2007–2008).
Project risk management is tainted by repeated official and corporate failures to manage the largest acquisition projects. Information managers also often lead corporate risk management, but national governments continue to complain about growing information insecurity. Meanwhile, many corporations are in the habit of hiring former law enforcement or intelligence officials as security or risk managers, but their particular skills usually do not extend to generalizable skills in security and risk management.
Criminologists generally “maintain that security is a subject that has yet to be adequately covered by any specific discipline or in a satisfactory interdisciplinary fashion” (Van Brunschott & Kennedy, 2008, p. 18). Even in practices and professions of relevance (such as policing), security and risk management is not necessarily a focus, as noted in the following:
Official Standardization
Some of the dissatisfaction with security and risk management has prompted more standardization, in the hope that the many competing and loosely defined ways in which people manage security and risk can be replaced by the best ways. Standardization is the process of defining standards for behavior and understanding. Standards describe how concepts should be understood and how activities should be performed. Standardization certainly helps interoperability and accountability and may replace inferior practices with superior practices.
Over the last few decades, more international authorities, national authorities, trade associations, and private corporations have developed standard practices for managing risk and security and for describing their management of security and risk to each other. From the late 1980s, after comparisons with the apparently superior performance of the private sector in delivering services or acquiring items as planned, democratic governments started to escalate the importance of risk management and standardized how their agents should manage risks, initially mostly in the context of the acquisition of capabilities. For instance, in 1989 the U.S. Defense Systems Management College issued guidance on risk management. In 1992, the British Ministry of Defense (MOD) started to issue risk guidelines. In both cases, the emphasis was on defense acquisitions.
In 1995, the Australian and New Zealand Governments issued their first binational risk management standard, which was adopted by or influenced many other governments, including the British, Canadian, and U.S. Governments. However, the latter three governments continue to negotiate between international standards and departmental standar...