In the previous articles, we discussed the effectiveness of using a Three-Stage Risk Management Process to manage the risks and incidents effectively.
- Risk Assessment is conducted to identify and mitigate the risks and their potential impact on any organisation’s functions and resources.
- Risks can be man-made, as a result of natural disasters or technical failures
Today, we will be looking at 5 underlying principles governing risk control measures. They are: Avoid, Reduce, Share, Transfer and Retain the risks.
1. Avoiding risks
To avoid risks, organisations must first be aware of the potential for these risks to occur. They must also understand the contributing factors of these potential risks, the probability of them occurring and the magnitude of their impact.
Scenario: Imagine the hypothetical situation where your company is planning to open a new research and development (R&D) office overseas as part of its expansion plan. All is well except that the proposed office location is in close proximity to a young or minor fault line. There has been no earthquake recorded in that area for the past 50 years and reports show that the probability of one occurring is low. However, if an earthquake does occur, the company would be in dire straits as the R&D processes and technology would be largely irreparable.
As the leader of the Security and Risk Management Department, you decided to strongly advise against this proposal, substantiating your rejection with a comprehensive Risk Analysis. You counter-propose to open the office in a safer location far away from the fault line.
The above example is an exaggerated scenario. In our day-to-day business, there are often many other decisions involving risks – how should the business operate, what IT restructuring is required or even what appropriate security protocols to go with. For instance, a company may have to choose between a security surveillance system which is cheaper but less reputable as compared to a more recognised and expensive solution. Weighing the pros and cons, it may be more prudent to go with the latter as the company should not risk having a security surveillance system that may fail or perform below expectations and jeopardise the security of the company.
2. Reducing Risks
Reducing risks is all about minimising the likelihood of a risk occurring or minimising the consequences caused by a risk. This is especially relevant in situations where risks cannot be fully eliminated or avoided. Take, for example, an employee is required to make a business trip abroad to a country infamous for drink spiking, snatch theft and transport scams. While the employee tries to steer clear from danger, he would still be exposed to these risks while commuting or participating in a social event.
To avoid the employee from falling prey to these risks, the company should subscribe him to a real-time Travel Alert service which sends regular updates on the happenings and ‘danger zones’ in the country which should be avoided. Additionally, as cliche as it seems, it would be good to remind the employee of the DO’s and DON’TS and educate him on the cultural and etiquettes that should be noted when on a business trip.
Finally, depending on the seniority of the employee and the importance of the business trip, companies can consider engaging a recognised or approved third-party security vendor to provide journey management services. Journey management services ensure the safety of the employee to-and-fro the airport, as well as in and out of meetings/venues. One additional step that companies can take for extremely high-profile employees would be to provide them with a personal Close Protection Officer. Ultimately, it is never too much to think and plan for buffers or additional resources required to support the primary security plan, should it fail.
3. Risk Sharing
Risk Sharing is the practice of distributing risks within the organisation such across departments, teams or any other working groups. This strategy diversifies the impact of risk so no one particular group absorbs too much risk and fails in its functions.
4. Risk Transfer
Similar to risk sharing, risk transferring is also about the sharing of risk but particularly so to external organisations like a third-party or several organisations. It was originally derived from insurance where the signing of an insurance policy helped to transfer some of the risks from the policyholder to the insurer.
Back to the context of security, a risk transfer could mean outsourcing a unit of the security operation to a third-party vendor. Outsourcing does not necessarily mean that the company is not capable of managing the security operations — it could simply be that the third-party is more familiar or well-versed. By engaging the third-party, the company is essentially better positioning itself against the potential risks by sharing the responsibility with another qualified party.
5. Retaining the Risk
Some risks have low impacts but yet cost a lot to eradicate entirely. There is no fixed definition on the risks but here’s a guideline:
“When the cost of managing a risk is higher than the impact of the risk itself, it may be prudent to just contain the risk.
As long as the risks do not bring major disruption to the operations or safety of the firm, it may make monetary sense to simply retain it.
These 5 principles can be used in conjunction or in part to help organisations achieve just the right amount of risk control to mitigate risks without over exhausting resources. The bottom line is to choose a suite strategy that best suits the risks (vs cost), and the skills and competency of your organisation.
Credit for header image: https://www.energi.com/wp-content/uploads/2019/08/AdobeStock_146018928-1080×675.jpeg