
The Application of Risk Management Principles to Security Management

Professor Geoff Chivers


Centre for Hazard and Risk Management Loughborough University

26 February 2003

The following paper was delivered to delegates attending a Security Risk Management
Forum at the Centre for Hazard and Risk Management Loughborough University on 26
February. Professor Chivers’ views, especially on the security management profession,
are frank, well meaning and present to us all food for thought, as they reveal a surprisingly
widely held view throughout academia of the security management profession. Please read
through the article before attending the course and be prepared to comment on it during
Session One, Monday 11 August.

Introduction

The fields of endeavour concerned with reducing risks in society have grown to
considerable maturity over many years. Security management is a very ancient field. Even
the earliest social groupings sought ways of defending themselves against wild animals and
enemy tribes. Work safety similarly has very old antecedents, as workers sought to develop
ways to reduce risks in their day-to-day activities. Fields where the causes of the risks were
much less well understood developed risk management principles only in much more
modern times. This is certainly the case for public health risks, occupational health risks
and environmental risks.

Nevertheless, today security management is seen as still in its infancy as an academic
discipline, while occupational health and safety management, public health management
and environmental risk management are well-established academic disciplines.

In this paper I will consider some basic principles of risk management, which have been
established through these other disciplines in an attempt to demonstrate that they apply also
to security management. These risk management principles can offer some scientific
underpinning in the quest to bring security management forward as a discipline rather than
a collection of ad hoc techniques.

© Centre for Hazard and Risk Management, Loughborough University 2003


Risk Management Terminology

A very strong effort has been made in recent years to define more rigorously terms and
expressions which have been around in the risk management field for many years
(Wenham et al, 1995, p. 156).

The basic terms of importance for this paper are:

Hazard: An agent with the potential for harm (ranging from physical, chemical and
biological to psychosocial such as stress, and to behavioural such as violence to others)

Hazardous event: The event which is the trigger which exposes the person to harm (in
safety terms the accident)

Risk: This is the product of the likelihood of the hazardous event occurring and the
consequences of that event (for example hurt to people, property loss or damage,
environmental damage)

Likelihood: The likelihood of a hazardous event occurring is, in effect, the probability of
its taking place (opening up scope for mathematical analysis and prediction in some cases)

Consequence: The consequence is the outcome or result of the hazardous event occurring
(for example, hurt to people etc.)

A system: A whole composed of parts in an orderly arrangement according to some scheme
or plan

System boundary: A system operates within a boundary across which materials, energy and
living beings are imported and exported

System management: Control of transformations carried out by the system within its
boundary

Risk management: Assessment and control of risks during the management of systems to
agreed standards

Risk assessment: Identification, analysis and assessment of the extent of risks within a
system carrying out transformations

Risk control: Identification and employment of measures to eliminate, reduce or otherwise
control risks to a level acceptable to individuals, managers and owners of systems, and to
society

Risk Management in Work Organisations

To make this paper more manageable I will focus on risk management in work
organisations, although the principles discussed can be applied very widely (Booth, 1993).

The first step in any attempt to manage risks to work organisations is to consider them as
bounded systems. Without setting boundaries it is not possible to define what is at risk (Cox
and Tait, 1991). By regarding the work organisation as a system it is possible to identify all
the components within it, how they interact with each other and what and who is imported
and exported across its boundaries day-to-day and year-to-year (Green, 1983).

A systematic approach ensures that all hazards and all hazardous events that can be
identified and predicted are comprehensively listed. This is a very demanding task, but is
the first step in managing risks systematically.

Risk Assessment

The process of risk assessment lies at the heart of risk management and today represents a
large and complex field (Wenham et al., 1995, p.57). It is in this area of risk management
that the largest gap has opened up between security management and other areas of risk
management, especially safety management.

The reason for this is clear. The initial, extensive work in formal risk assessment as
understood today was taken forward by the large science-based industries through the 20th
century, but especially during and following the Second World War. These industries,
including the chemical, nuclear and aircraft industries, began to involve very complex
technologies, which, unless closely controlled from a systems viewpoint, could generate
high and unexpected risks.

The purely technological risks were attacked by undertaking very extensive quantitative
studies of the properties of materials, the behaviour of components designed and
manufactured from these materials in various ways, etc. Above all, the interplay of these
components with each other, when built up into plant and equipment, was extensively
studied (Billington and Allen, 1983). Much detailed research data was generated concerning
the reliability of components and technical systems made from them carrying out a wide
variety of tasks, under very varying environmental conditions (Thompson, 1987).

However, the safety performance of these complex technical systems was never as
satisfactory as predicted from all this scientific effort, because much less attention had been
placed on the practical working situation in which they were used. The systems approach
was therefore transferred into intensive analysis of work systems, in an effort to generate
rules for operating this complex technological equipment safely. Not only did this effort pay
off strongly, but it also brought much more recognition of the importance of establishing
safe systems of work.

More latterly, as serious accidents and 'near misses' have continued to far exceed the earlier
'scientific' estimates in fields as diverse as the nuclear industry (Chernobyl and Three Mile
Island), offshore oil (Piper Alpha) and the railway industry (Clapham, Paddington, Selby),
so there has been a need to throw much more effort into understanding human factors,
including human behaviour (Cox and Tait, 1991, p.93). This sequence is well exemplified
by research and teaching undertaken by CHaRM in the occupational health and safety field.
While research today involves an interplay of all three areas of concern, the focus has
moved from researching technological risks, to risks in work procedures, and now
substantially to the risk taking behaviour of people in and associated with workplaces of all
kinds (CBI, 1990). Risk assessment in the safety field takes account of all three areas.

From this brief summary of the way in which formal risk assessment has developed, it is
easy to see why the security management field has not taken proper account of its
principles. The focus of risk management here is on undesired behaviour by individuals and
groups in society. Given the diversity and unpredictability of individual behaviour it is
argued that there is little scope for quantified risk assessment, and therefore risk
management cannot be approached on any scientific basis.

Interestingly, when I was young much the same thinking applied to many areas of safety at
work, where accidents that we regard as unacceptable today were commonplace and widely
accepted as an inevitable consequence of the nature of the work. Workers were blamed for
carelessness, defined as accident prone and otherwise castigated when accidents occurred
which today we would relate directly to unsafe systems of work (if not technologically
unsafe plant and equipment).

Semi-Quantified Risk Assessment

While physical scientists took the lead in the risk assessment field, their drive for exact
figures for the likelihood of harm and its severity for technological systems limited the
value of formalised risk assessment.

However, through the 1970s and 1980s the management sciences grew up, drawing from
the social sciences at least as much as from the physical sciences and mathematics. Those
concerned with managing risks in work organisations began to see that there was a great
need to move beyond the purely subjective in determining how much effort to put into
reducing risks. This concern was very much sharpened by the Health and Safety at Work
Act 1974, implemented in 1975, within months of my arrival at Loughborough University
as a lecturer. This forward looking legislation codified in statute criminal law the civil law
and common law principle that those who create the risks at work have a duty to control
those risks 'as far as reasonably practicable'.

Without hazard and hazardous event identification, followed by some attempt to assess the
associated risks to workers and others affected by work activity, it was impossible for
employers to prove in court that they had done 'all that was reasonably practicable'.
Furthermore, it would be necessary to determine the extent to which risk control measures
introduced to reduce these assessed risks actually did so. Again, without a clear
understanding of how and to what extent possible risk control measures would actually
reduce risks, no court case could be properly defended.

Thus researchers and managers were driven to turn to the work done in the risk
management field for answers. What was soon recognised (and in the USA before the UK)
was that, for many practical purposes, the absolute exactness of earlier quantified risk
assessment work was neither feasible nor necessary.

The severity of the harm under consideration in the event of a nuclear plant meltdown, or
even a plane crash, was so great that the need for huge effort to estimate the likelihood of the
hazardous event was recognised. However, for most workplaces the number of people likely
to be severely harmed by even the worst hazardous event scenarios was low. Indeed, for many
worrying hazardous events the severity of harm might not even involve a single fatality.

In these circumstances it was not necessary from a legal viewpoint, or a risk management
viewpoint, to spend enormous resources trying to exactly calculate the probability of the
event. Since many of the risks under consideration could be eliminated or greatly reduced
at a fraction of the cost of carrying out such exact quantified risk assessment, the effort
involved was then pointless.

From this thinking has evolved a range of semi-quantitative (or semi-qualitative) risk
assessment methods. These attempt to estimate the likelihood of hazardous
events and then estimate the severity of outcome. For hazardous events involving one
person that can be closely defined, the severity of the outcome can be well predicted. For
example, placing one's hand under a large power press on the down stroke will always lead
to severe damage and direct or subsequent amputation of the hand. What remains is to
estimate the likelihood of the hazardous event. This was well established in Victorian times
as the ratio of down strokes to amputations became clear and machine guards followed!

In modern times, semi-quantitative methods are used where neither the likelihood nor the
severity of the outcome of a hazardous event can be predicted exactly, but both can be
estimated to a degree. The results of the estimates are usually displayed on a two-
dimensional matrix, of more or less complexity (Wenham et al., 1995, p. 162).

The simplest matrix, used for risk ranking of hazardous events, is the 3x3 matrix, with low,
medium and high shown on each axis for likelihood and severity (Figure 1). More complex
matrices are used where some better estimate of the likelihood or severity can be made,
with 5x5 being common. Actual numbers can be sensibly estimated in other cases and the
product placed on a graph for visual purposes. A three-dimensional matrix has been
developed in the USA, where the third dimension is the 'extensiveness' of the harm,
meaning the number of people hurt, or the amount of property damaged, or water polluted
(Gloss and Wardle, 1984). The more historical data is available, the easier it is to carry out
the estimation process, hence the much increased emphasis on accident investigation and
data analysis (Glendon, 1991).

Risk Evaluation

Before any decisions can be made about the need for risk control measures, it is necessary
to carry out some form of risk evaluation. Where the risk level assessed is prescribed by
law, the organisation will need to take steps to reduce the risk. If not, as may well be the
case for property damage (or loss, in the security field particularly), then the risk evaluation
may rest on financial considerations. The cost to the organisation of taking forward the risk
as assessed needs to be fully evaluated. Research effort here has been patchy, despite the
vital interest of organisations (and their insurance companies) in quantifying the extent of
financial loss consequent upon their ongoing risk taking. In the safety field the direct costs
of different types of hazardous events occurring are sometimes clear from previous
precedents. However, indirect costs are often not estimated at all before the event, or are
grossly underestimated. I believe that the security management field is even more poorly
placed to determine the direct and indirect costs of the hazardous events it seeks to control.

From the process of risk evaluation there should at least be some clarification of whether
the risks being incurred are totally unacceptable, quite acceptable, or in the region where
some measures need to be undertaken to reduce the risk to an acceptable level. These
measures then need to be identified and costed and their effectiveness risk assessed
(Leighton, 1997).
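As an added worked example (not part of Professor Chivers' paper), the following Python carries the semi-quantitative likelihood x severity matrix of the previous section and the three-region risk evaluation just described through in code, and then ranks candidate control measures by risk points removed per unit cost, as the costing step above calls for. The event names, scores, region thresholds and costs are constructed assumptions for illustration.

```python
"""Semi-quantitative risk ranking on a likelihood x severity matrix (added
example, not the paper's own; all names, scores, thresholds and costs are
constructed assumptions)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class HazardousEvent:
    name: str
    likelihood: int  # 1..scale (3x3: low/medium/high as in the paper's Figure 1)
    severity: int    # 1..scale

def risk_score(event, scale=3):
    """Risk = likelihood x severity, as the paper defines it, on ordinal scores."""
    if scale not in (3, 5):
        raise ValueError(f"unsupported matrix size {scale}x{scale}")
    for value in (event.likelihood, event.severity):
        if not 1 <= value <= scale:
            raise ValueError(f"{event.name}: scores must lie in 1..{scale}")
    return event.likelihood * event.severity

def evaluate(score, scale=3):
    """Place a score in one of the paper's three evaluation regions. Thresholds
    are an assumption: up to scale-1 is acceptable, scale*(scale-1) and above is
    unacceptable, the rest must be reduced (3x3: 1-2 / 3-4 / 6-9)."""
    if score <= scale - 1:
        return "acceptable"
    if score >= scale * (scale - 1):
        return "unacceptable"
    return "reduce"

def rank_events(events, scale=3):
    """Risk-rank events, highest score first, each with its evaluation region."""
    rows = [(e.name, risk_score(e, scale), evaluate(risk_score(e, scale), scale))
            for e in events]
    return sorted(rows, key=lambda row: row[1], reverse=True)

@dataclass(frozen=True)
class ControlMeasure:
    name: str
    annual_cost: float        # constructed cost units
    residual: HazardousEvent  # the event as re-assessed with the measure in place

def compare_measures(baseline, measures, scale=3):
    """Rank candidate measures by risk points removed per unit cost. A measure
    that removes no risk scores 0.0 whatever it costs; a free measure that does
    reduce risk ranks first instead of dividing by zero."""
    base = risk_score(baseline, scale)
    rows = []
    for m in measures:
        reduction = base - risk_score(m.residual, scale)
        if reduction <= 0:
            ratio = 0.0
        elif m.annual_cost <= 0:
            ratio = float("inf")
        else:
            ratio = reduction / m.annual_cost
        rows.append((m.name, reduction, ratio))
    return sorted(rows, key=lambda row: row[2], reverse=True)

# Constructed sample: the paper's wallet-theft sequence plus two other office risks.
WALLET_THEFT = HazardousEvent("wallet taken from jacket in open office", 3, 2)
SAMPLE_EVENTS = [
    WALLET_THEFT,
    HazardousEvent("laptop theft from unlocked lab", 2, 3),
    HazardousEvent("tailgating into staff corridor", 3, 1),
]
# Residual scores are the assumed re-assessment with each measure in place.
SAMPLE_MEASURES = [
    ControlMeasure("re-route student groups", 500.0,
                   HazardousEvent(WALLET_THEFT.name, 1, 2)),
    ControlMeasure("CCTV in corridor", 8000.0,
                   HazardousEvent(WALLET_THEFT.name, 2, 2)),
    ControlMeasure("warning posters", 50.0,
                   HazardousEvent(WALLET_THEFT.name, 3, 2)),
]

if __name__ == "__main__":
    for name, score, region in rank_events(SAMPLE_EVENTS):
        print(f"{score:>2}  {region:<12} {name}")
    for name, reduction, ratio in compare_measures(WALLET_THEFT, SAMPLE_MEASURES):
        print(f"{reduction:>2} points removed, {ratio:.5f} per unit cost: {name}")
```

The ranking only orders measures by assessed effect per unit cost; as the paper stresses, a monitored baseline is still needed to confirm the residual scores after a measure is introduced.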

At this stage we are ready to undertake decisions under the heading of risk management.

Risk Management

Risk management involves considering each risk situation in turn and determining whether
to retain the risk, eliminate the risk, transfer the risk (to a greater or lesser extent) or reduce
the risk.

Even if legally acceptable, most work organisations are not in a position to retain risks of
very high severity, even if the likelihood is very low. The problem with probabilities is that
you never know when your turn will come. While this is an argument presented by work
colleagues for staying in the National Lottery, it is less appealing when applied to planes I
am travelling on!

However, all human activity involves some risks and work organisations will often decide
to carry risks of low severity but higher likelihood. The costs involved are then carried as
part of the cost of running the business. Shoplifting clearly falls into this category today for
many retail chains. The big issue here is whether work organisations actually understand the
risks they are running in financial or other terms (from human harm to reputation damage).
This applies especially to security risks.

Risk elimination seems the obvious way forward once risks are assessed as unacceptable.
However, in eliminating the risk we may have to eliminate the activity creating the risk and
this may be unacceptable. Risks in the steel industry were greatly reduced in South
Yorkshire in the 1980s by eliminating 70,000 jobs! This point applies the more so to coal
mining or deep-sea fishing.

In the security field I believe much remains to be done in completely eliminating risks by
changing work practices without significant costs or reducing work activity in this way. Not
to do so is foolish in risk management terms.

Risk transfer can be achieved by negotiating for another organisation to take the risk
instead. This might mean transferring a risky activity. In terms of reducing work activity in
the organisation this could be seen as a disadvantage but it will, of course, increase work
elsewhere (e.g. conveying money off site). If the other organisation has the appropriate
staff, organisation system and technology to carry out the same activity at lower risk then
this makes sense in overall risk terms if the contract conditions are acceptable (i.e. the
reduced costs from no longer carrying the risks within the organisation are less than the
charges made by the other organisation to undertake the activity and carry the risks). Risk
transfer otherwise is achieved via insurance. This is the option of first choice for managing
low probability but high severity risks. However, the organisation cannot insure away the
pain and suffering! Furthermore, consequential losses are often not insurable and insurance
cannot keep managers out of court!

While risk transfer via insurance can make good sense for some forms of financial risk, it
has been greatly overused in terms of organisational risk management as a substitute for risk
reduction. The results are everywhere to be seen, for example the 3000 deaths per year in
the UK from asbestos-related disease (expected to rise to 12,000 per year by 2020), which
has done more to bring some insurance companies to their knees than any one other
hazardous event (barring now 9/11 unless the stock market picks up soon).

Insurance companies are becoming sadder but wiser and are increasing premiums steeply on
many insured risks, from car driving to employers' liability, and fire risks. These increases
are doing more to force organisations into risk reduction measures than all the legal
enforcement efforts of all the risk management enforcement bodies since the 1920s!

The fourth risk management option is risk reduction.

Risk Reduction

This is a huge topic and only a few main points can be made here. Firstly, the risks
organisations face today are complex and the days of 'magic bullet' risk reduction solutions
are largely gone. Risks usually arise from a sequence of undesired events. For example, in
the university we often have:

a) Staff leaving their office doors open or ajar when in the next office or briefly the toilet;
b) On warm days, staff leaving their jackets on the backs of chairs in their offices;
c) Other staff deciding to open up the corridor for large groups of students to use from
time to time, where previously few people passed by the open office doors;
d) Individuals taking to using this route routinely now they are familiar with it;
e) Wallets going missing.

Control measures could include many, from punishing staff for leaving their office doors
open, sending them on a behavioural modification course, to using CCTV secretly to catch
the culprits, to threatening students with expulsion if they are ever caught stealing, to
finding alternative walkthrough routes for student groups, etc. Determining which of these
measures would be most effective, alone or in combination, to break this sequence of
undesirable events, involves some effort.

Risk assessment and costing of risk control measures can do much to help. However, often
a process of iteration is necessary, typically starting with low cost measures known to be
effective in similar circumstances elsewhere. The key here is proper monitoring of the
outcome of introducing the risk control measure. Unless there is a well-established baseline
against which to monitor and measure improvement, it is not possible to evaluate the
effectiveness, and cost-effectiveness, of risk control measures introduced. Methods for
influencing human behaviour are now well recognised, alongside technical and systems
management control measures (Glendon, 1991).

Because of the so-called 'special nature' of the security management field, this more
scientific and logical approach to risk management is often disregarded. So we see, week
by week, huge amounts of money being spent on security control measures, especially
impressive-looking technological measures where:

a) The root cause of the adverse outcome has not been properly identified (e.g.
increasingly poor students, high money theft opportunity, low risk of detection);

b) The hazard(s) and hazard event(s) are not properly defined (thefts from staff offices not
reported or poorly reported in terms of circumstances);

c) The likelihood of the hazard event is not at all known in particular circumstances (poor
reporting of thefts, no knowledge of how many staff leave their doors open with their
jackets on chairs, etc.);

d) The severity of the outcome is poorly understood (no follow-up to cost the direct
and indirect costs of the wallet thefts);

e) There is a rush to find a 'quick fix' control measure (today, probably CCTV) without
considering all the possible control measures on a risk assessment and measures cost-
effectiveness basis;

f) Little monitoring/measurement is carried out to evaluate the effectiveness of the control
measure (although the costs may by now become clear!);

g) Nevertheless, we persevere with the chosen control measure until we have the next
outcry about the losses or dangers being incurred;

h) We work hard to adjust the chosen control measure over and over again in an attempt to
get it to work effectively. It achieves some small improvement;

i) We move on to the other security problems already on our desk, in a reactive
fire-fighting mode (Hearnden, 1993, p.4).

There needs to be more research and more data sharing on the cost-effectiveness of security
control measures in a wide variety of circumstances. Further research is also needed on
planning for security emergencies and planning for disaster recovery, as is happening in
other risk management fields.

Conclusions

The above analysis leads me to conclude:

• At the extreme, it is possible to imagine behaviour of individuals and groups against
other individuals, groups, organisations or societies/countries which is so extraordinary
that it could never have been predicted, so its likelihood or severity could never have
been risk assessed.

• However, the vast majority of security-related hazardous events are eminently
predictable. I would certainly include the events of 9/11 in New York. The Twin
Towers were highly prestigious, full of head offices of major US and international
companies, fragile and dangerously likely to collapse in serious fires, very vulnerable to
terrorist bomb attack (which had already nearly succeeded), in the middle of the
financial district of New York and highly visible.

• Suicide bombings are taking place virtually weekly in Israel and there seems to be no
shortage of volunteers. The USA keeps Israel afloat in all kinds of ways and seems to
condone its behaviour towards Palestine and the Arab world. US airports have had
minimal security measures applied to internal flights. Hijackings of planes have often
taken place in and around North America.

• Security staff in work organisations have often come from uniformed services, where
the focus is on reaction to events rather than preventative risk management work. They
have limited background in the risk management field at the outset and their formal
development is patchy.

• The security field is still dominated by the macho culture of strong action as against the
quiet reflection needed above all in risk management work.

• Catching and prosecuting the bad guys is no substitute for scientifically based risk
management (for a start, it rarely stops them from doing it again and, in any case,
the damage has been done and we don't always catch them).

• Risk management principles apply to the security management field just as much as any
other risk field.

• Risk assessment is key to any effective approach to risk management. Most security
professionals are disregarding approaches to assess risks that go beyond the subjective,
anecdotal approach. This seems to be due to a misunderstanding that risk assessment is
a highly complex, purely quantitative method not applicable to security concerns. In
reality, risk assessments are most commonly carried out on a structured but semi-
quantitative basis, and are proving highly valuable in reaching logical and readily
defensible decisions about risk control priorities and effective risk control measures in
many areas of risk management.

• The more clearly and fully data are collected, analysed and openly reported about
security-related adverse incidents and near misses, the more accurate the likelihood and
severity estimates in the risk assessment process can be.

• The more we know about the effectiveness of security control measures, the more we
can target control measures so that they are cost-effective.

• All kinds of activities are routinely carried out in the occupational health and safety
field, including: hazard identification, risk assessment, root cause analysis of accident
causation, detailed accident and near miss data collection, accident costing (direct and
indirect costs), safety audits (Arnold, 1993), safety inspections, safe systems of work,
emergency planning, disaster recovery planning, workforce communication and
training (including behavioural training), etc., all under the heading of risk
management.

Where are the security management equivalents?

Recommendations

• An important area for safety and security professionals to work together on concerns
reckless behaviour. Here the border between non-compliance with safety rules, and
outright dangerous and illegal activity, is thin or falls away (e.g. reckless driving).

• Some of the fastest growing problems that we face lie in this area, for example
vandalism and arson, violent behaviour of the public in the workplace, driving internal
works transport recklessly, interfering deliberately with safety systems, use of weapons
by criminals in attacks on workers doing their jobs, etc. Here staff from both sides
should work together on a team basis, using the risk management methods outlined
above to address these newer or growing types of risk where much remains to be done.

• The mystique around security management needs to be removed and the whole field
brought out into the daylight, where our modern scientific risk management methods
can be brought to bear.

• There is much to be done in terms of research, consultancy, staff development, database
development, benchmarking, etc. to bring security management forward as a modern
academic and professional discipline.

• It is very important that higher education plays a full part in this process, but this must
be done in full partnership with leading security professionals in practice.
