Managing Risk and Protecting the Organization: A Military Team Approach

Nov 1, 2003 12:00 PM, By Daniel Ward



During the 1990s, the Department of Defense (DoD) established so-called Force Protection Programs to increase awareness of the threat of terrorism, to take appropriate measures to prevent terrorist attacks, and to mitigate terrorism's effects. The DoD recognized that protection and risk management are more than defining “who does what.” It established that leadership must be held responsible for assessing what the true risks are to the force. With a formal, standardized, and trainable risk-assessment process, the DoD committed to assisting leaders with the Herculean task of implementing equal effort on all identified threats.

Applying DoD Principles

The task is similar for corporate and institutional security directors. Much of the time, however, senior leadership forgets that managers face constraints and restraints in accomplishing their missions. It would be nice if managers could focus solely on security and applied protection issues, but the reality is, they have other daily missions and tasks to accomplish. In addition, with today's economic challenges, managers have fewer resources to allow them to accomplish the same task load or more. Key challenges to security planners and managers are identification of the critical risks, assessment, education of the employees/staff, application of resources and controls, acquisition of additional assets and controls, and/or risk acceptance.

Combining an effective risk management process with associated training/education programs can maintain the tempo of the organization's productivity during fluctuations in national threat levels. Leadership's ability to apply assets to offset a perceived threat or hazard becomes more constrained as the available resources are realigned or reduced for economic reasons; organizational leadership must perform more with less.

Given today's new national threats, now more than ever, leaders must develop and implement efficient and effective risk management methods without creating additional bureaucratic layers to impair operations. Success entails incorporating processes and training to give, take and analyze information in a manner that aids the organizational decision-making process.

Emphasis on ROI

Organizations should approach risk management and associated training as they would any new program — that is, from a return on investment (ROI) standpoint. When performing the ROI analysis for implementing a risk management program, both tangible and intangible returns should be considered. Tangible returns include such obvious things as facility damage, lost production, etc. Examples of intangible benefits include employee sense of security, reduced stress and customer impressions. All have a monetary impact, direct or indirect, and must be considered. It is important to remember that the effort is all about conserving the organization's resources so they may be applied to other productive areas while maintaining a safe and secure organizational environment.

Let's begin the process by defining what the terms risk management and protection mean, then develop a standardized, consistent, trainable risk-assessment methodology for the organization. Relating to security, what do the terms risk management and protection mean? Risk management is the process of identifying, assessing and mitigating risk, while protection refers to the efficient application of resources to achieve a mitigating effect. Protection is the result of effective risk management.

Risk Management Teams

A primary premise in developing an effective, trainable and adaptable risk management process is that it must include the entire spectrum of expertise available to the organization. The organization's leadership, management and staff must look beyond intuition and use a systematic approach to assess threats, risks and impacts. Organizations should therefore form a team with the specific, focused purpose of managing risk.

A risk management team enables continuous analysis and assessment of hazards and risks. It maintains a heightened and comprehensive focus to apply assets and resources without creating another bureaucratic layer or distraction. Essentially, the risk management team is the organization's continuous risk and hazard mitigation component.

Who should be on the risk management team? The single, essential characteristic of an effective team is that its representation be from all functional areas of the organization. This approach reduces the likelihood that risk decisions and adapted measures could impair or negatively impact the organization's functions. The team should also be diverse in staff level (management and labor). The more diverse the team, the broader its view.

Once formed, the risk management team should incorporate a systematic approach to be efficient and effective. The following paragraphs describe a methodology based on the very successful DoD process. While it may not suit every organization's personality or need, it provides a starting point to gain a greater understanding of the benefits of having a risk management process. In addition, it provides a basis from which an organization can begin to create a more tailored solution.

WEIGHING THE RISKS

| RISK | LEVEL | MITIGATION | RESPONSIBILITY | COST | ADJUSTED LEVEL |
|---|---|---|---|---|---|
| Outside Explosion | High | Mylar Barriers | Facilities & Security | $7,666 | Low |
| Armed Intruder | High | TBD | Security | | |
| Gas | Medium | TBD | Facilities | | |
| E-Attack/Hacking | Medium | TBD | IT & Security | | |
| Aerial | Medium | TBD | Security | | |
| Mail Device | High | TBD | Security Distribution | | |
| Sabotage | Medium | TBD | Security & Management | | |

Risk Management: Using the DoD Model

Risk management must be focused. It must have clear and concise guidance from organizational leadership. Leaders should offer weekly staff updates during which they identify critical items for risk review and/or outcomes from the risk management team. Focus should be on specific events, activities or locations, which allows the risk management team to narrow its efforts. There should be a time window established.

Now the risk identification and assessment process begins.

The team's primary responsibility is to identify hazards, risks and threats to the organization based on focus factors/items provided in the leader's guidance. The team itself will also identify additional items. This is perfectly acceptable and actually a desired outcome. Each risk management team member uses these focus items to perform a risk assessment based on his or her area of expertise. Effectively performing this task in a decentralized mode requires that the team adopt a risk-assessment method to provide a consistent definition to the risk level and to answer the question “What determines high, medium and low risk?” The team must have a consistent, reliable system to define the risks they identify in terms of intensity or level.

The figure on page 44 shows a modification of a simple matrix used by many DoD entities to illustrate what can be construed as varying levels of risk. This matrix is not intended to be the absolute solution or defining authority for risk, but provides a basic example of how risk can be measured in a consistent manner. As the matrix illustrates, risk level is defined by correlating the probability of the risk/threat occurring versus the impact if it occurs.

The next task for the risk management team is to track and manage the risk assessment process. Using a simple spreadsheet (as shown above) aids this effort. The spreadsheet becomes a mechanism to track progress on identified risks/threats and serves as a decision-making instrument. During the initial steps of the process, the risk management team is simply identifying and classifying the risks.

Solutions: Simple or Complex?

After completing the initial risk assessment, the risk management team identifies appropriate controls to mitigate the risks. Here again, the diversity of the team is critical. What seems to be a simple solution to some may be complex to others; therefore, all mitigating measures should be discussed thoroughly. These risk decisions are then presented with recommendations to the organization's leadership for a decision (yes or no) and/or additional guidance. Use of the risk management spreadsheet comes in handy as an organizing tool to prepare presentations.

When the risk management team meets again, it analyzes the identified risks versus associated controls and mitigation measures to estimate effectiveness and to revise its initial assessment.

Inherent in this process is balancing resources (controls) and their applications. Because reality limits the number of controls available, the risk management team must determine where they would have the greatest payoff in mitigating risk. The team now plans for control application in detail, preferably using a synchronization matrix as a management tool. It is important to ensure that risk mitigation is actually accomplished. In addition, tracking task completion should be a risk management team agenda item as follows:

  • Execution

    Responsible parties execute controls and mitigation events/actions take place.

  • Assessment

    The risk management team monitors controls and mitigation effectiveness, and makes adjustments as necessary.

  • Leader's guidance

    The risk management team brings those risk items/threats that were controlled through the risk-management process to the leader's attention for a risk decision. At this point, the leader has four choices:

    • Accept the risk.

    • Raise the decision to a higher level.

    • Obtain the assets to mitigate the risk.

    • Return it to the risk management team to reassess (do not use this option to delay action).

The leadership's dilemma is weighing the cost of controls and mitigation versus accepting risk. The risk management team has to be aware of this and provide the requisite information for making informed decisions.

Risk management teams usually become proficient at identifying and compensating for risk. As usual, maintenance of the process presents the real challenge and poses the greatest risk to the organization. By incorporating a systematic approach and formal risk management process into daily staff activities, enhanced security and protection of organizational interests can become a reality. The addition of a staff-wide risk management process and associated training programs can pull the entire organization into the equation and better define individual roles for enhanced protection.

For the Record

ABOUT THE AUTHOR

DANIEL WARD is currently employed by Cubic Defense Applications as a curriculum developer for the U.S. Army Command and General Staff College.

© 2008 Penton Media Inc.
