Risk Assessments – horse and buggy theory


It’s an easy principle really. The horse goes in front of the buggy. You won’t get very far if you try it the other way around. It’s not an earth-shattering discovery, but it is one that is often misapplied in security and risk program development.

The risk assessment is the foundation of a well-focused security and risk program. Many security and risk programs are established without anyone even considering an assessment. In addition, many of those charged with these programs can’t explain why they have certain specific security and risk countermeasures in place. Quite often these countermeasures are implemented blindly and then never reviewed.

For many companies and organizations, security and risk countermeasures are a large investment requiring careful investigation before they can be added to the capital budget and expenditures. What counts as a large investment is very subjective to the company or organization looking to implement security and risk countermeasures. No matter how large or small the investment, these expenditures need to be based on, and be the result of, a thorough and proper risk assessment.

Risk assessments have several stages. These stages are best explained by questions you may already have, and they include:

  • What do you have? Identify your most important assets: people, property, information and reputation.
  • How will you lose it? Specific loss events: burglary, fire, robbery, explosion, extreme weather, acts of terrorism, failure of IT systems, etc. (all of which could also be related to your neighbours’ events – a discussion for another day)
  • How often is this going to, or could, happen? The frequency: usually looked at over the span of a year. How often some or all of these events can or will occur will help in determining the type of countermeasure to be discussed, considered, evaluated and potentially implemented.
  • How hard will this hit us? Effect: the financial, psychological and reputational effect of the events.
  • What are my choices? Mitigation: various security and risk countermeasures. Countermeasures generally fall into three categories: personnel, hardware and documentation. If you don’t implement countermeasures that address each of these categories, you run the risk of an incomplete security and risk plan. You didn’t get to this step to let it all fall apart here.
  • Will the countermeasure work, how reliable is it, what is this going to cost us and how long will it take to implement and be effective?
  • What is my ROI? Cost/benefit analysis: what am I getting for the investment?
  • What are you going to do? Decisions, decisions, decisions.
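As an added worked example, not part of the original post, here is how the stages above (assets, loss events, frequency, effect, countermeasures, cost/benefit and the final decision) can be turned into numbers using the standard annualized loss expectancy (ALE) model: ALE = expected occurrences per year × loss per occurrence. Every asset, event, frequency, cost and effectiveness figure below is constructed for illustration only.

```python
"""Worked risk-assessment example (constructed figures, not real data).

Walks the stages from the post: identify assets, list loss events, estimate
frequency and impact, price countermeasures, compare cost against benefit,
and rank the options so a decision can be made.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class LossEvent:
    """One way an asset can be lost ("How will you lose it?")."""
    name: str
    asset: str
    annual_rate: float   # expected occurrences per year (ARO)
    impact: float        # loss per occurrence in currency units (SLE)

    def ale(self) -> float:
        """Annualized loss expectancy: frequency multiplied by impact."""
        return self.annual_rate * self.impact


@dataclass
class Countermeasure:
    """A mitigation option and what it does to the events it addresses."""
    name: str
    annual_cost: float
    # event name -> (fractional reduction in rate, fractional reduction in impact)
    effect: Dict[str, Tuple[float, float]]
    # which of the post's three categories the measure covers
    categories: Tuple[str, ...]


REQUIRED_CATEGORIES = {"personnel", "hardware", "documentation"}

# Constructed sample inputs for a small office (assumed values).
SAMPLE_EVENTS: List[LossEvent] = [
    LossEvent("burglary", "property", annual_rate=0.5, impact=40_000),
    LossEvent("fire", "property", annual_rate=0.02, impact=2_000_000),
    LossEvent("it_failure", "information", annual_rate=2.0, impact=15_000),
]

SAMPLE_COUNTERMEASURES: List[Countermeasure] = [
    Countermeasure("alarm_and_guard", 25_000, {"burglary": (0.8, 0.0)},
                   ("personnel", "hardware")),
    Countermeasure("sprinklers", 8_000, {"fire": (0.0, 0.75)},
                   ("hardware", "documentation")),
    Countermeasure("backups_and_runbook", 6_000, {"it_failure": (0.0, 0.6)},
                   ("personnel", "hardware", "documentation")),
]


def total_ale(events: List[LossEvent]) -> float:
    """Total annual expected loss with no additional countermeasures."""
    return sum(ev.ale() for ev in events)


def residual_ale(events: List[LossEvent], cm: Countermeasure) -> float:
    """Total annual expected loss once the countermeasure is in place."""
    total = 0.0
    for ev in events:
        rate_red, impact_red = cm.effect.get(ev.name, (0.0, 0.0))
        total += ev.annual_rate * (1 - rate_red) * ev.impact * (1 - impact_red)
    return total


def evaluate(events: List[LossEvent], cm: Countermeasure) -> dict:
    """Cost/benefit view of one option: what am I getting for the investment?"""
    before = total_ale(events)
    after = residual_ale(events, cm)
    net = (before - after) - cm.annual_cost
    return {
        "ale_before": before,
        "ale_after": after,
        "net_benefit": net,
        "roi": net / cm.annual_cost if cm.annual_cost else float("inf"),
        # flags an incomplete plan: a category the measure does not address
        "missing_categories": sorted(REQUIRED_CATEGORIES - set(cm.categories)),
    }


def rank(events: List[LossEvent], options: List[Countermeasure]) -> List[str]:
    """Order countermeasures by annual net benefit, best first."""
    scored = sorted(options, key=lambda cm: evaluate(events, cm)["net_benefit"],
                    reverse=True)
    return [cm.name for cm in scored]


if __name__ == "__main__":
    print(f"Baseline ALE: {total_ale(SAMPLE_EVENTS):,.0f}")
    for cm in SAMPLE_COUNTERMEASURES:
        r = evaluate(SAMPLE_EVENTS, cm)
        print(f"{cm.name:20s} net {r['net_benefit']:>9,.0f}  "
              f"ROI {r['roi']:5.2f}  missing {r['missing_categories']}")
    print("Ranking:", rank(SAMPLE_EVENTS, SAMPLE_COUNTERMEASURES))
```

With these constructed inputs the alarm-and-guard option, despite being the most expensive and the most visible, has a negative net benefit because burglary is a small share of the expected loss; the two cheaper measures aimed at the larger exposures come out ahead. That is the post's point about the wrong measure giving comfort while leaving risk in place. The `missing_categories` field is a reminder that a chosen measure may still need a personnel, hardware or documentation component before the plan is complete.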

Many business leaders know that following a process will save you money and time. Out of this process you want to know that you’ve selected the right and appropriate countermeasure. Selecting the wrong measure, although it may initially give you the sense that something has been done, may in fact increase your risk.

Security and risk program development, implementation and management should be left to those who do it every day: experienced security and risk professionals. Your accounting is done daily by accountants, not by members of the marketing department. So why have your security and risk program managed by anyone else?

Moral of the story: the horse can see better moving forward and pulling the buggy. Going at it backwards can only lead to losses.
