The Three Golden Rules is a principle based on logical thinking and often used as a foundation to strengthen a firm’s Security & Risk Management Protocols. It is not a hard-and-rule but it is certainly helpful and has its origins from the Three-Stage Risk Management Process Framework. 



The first golden rule: ‘There is no random event’

Incidents rarely occur by chance. They are usually a result of overlooking or underestimating a risk such that preventive measures are not taken or implemented in a lackadaisical manner. To make matters worse, firms often respond to unanticipated incidents with an incorrect set of SOP that does not nip the risk in its bud. Over time, the risks culminate and aggravate silently. Finally, they re-emerge greater and more severe impacts.

Oftentimes, a risk is likened to a volcano. In the beginning, there may be small warning signs such as smokes or minor earthquakes but people tend to ignore them. Finally, the volcano erupts at unexpected dates and times, leaving people with no time to escape or respond. 

As demonstrated, there is a need to duly follow-up on a risk and not simply turn a blind eye to it. This brings us to our second golden rule.

Danger Meter Clip Art at Clker.com - vector clip art online, royalty free & public domain

Danger meter. Source: https://www.clker.com/cliparts/z/v/E/O/f/M/danger-meter-hi.png

The second golden rule: Early awareness of potential risks and responding quickly

Abiding by this principle, every member in the organisation has a duty to recognise, respond and escalate a potential risk if it requires further attention. Everyone has a part to play and contribute to the Security & Risk Management framework, thereby creating a safer environment for all to work in. Failing to recognise or detect a risk due to insufficient resources, equipment or manpower can be avoided and it should not be an excuse.
What if one does not proactively detect risks? The longer it takes for one to recognise a risk, the lesser time and options available to manage it. Furthermore, last-minute risk management actions may not only be expensive, they may result in utilising far more resources than necessary. Finally, the mission may fail.



The final rule: Controlling the risk

When it is not possible to eliminate or change a risk (e.g. volcano eruption), mitigation is the next best line of defense. It is worthwhile to develop a robust set of protocols and guidelines to control and even manipulate a risk to our advantage by minimising the impacts it brings.

For instance, the setting up of natural access control and surveillance measures through environmental design (CPTED) serves as a deterrence and helps to keep away suspicious agenda people or those with ill-intentions. Security counters as the first point contact, having CCTV cameras installed and turnstile gantries to gain access are all examples of simple measures that can increase the security and reduce risk in a physical premise.