HB 167:2006 Security Risk Management - The "blunt old axe" your grandfather still insists on using
Tony Ridley, MSc CSyP MSyI M.ISRM


All too often, security, risk and security risk practitioners, professionals, governments and organisations cling to long outdated security management and risk management practices, ideology, cultures and even 'standards'.

HB 167:2006 Security Risk Management stands out as just one such example, which refuses to die and remains the stalwart terms of reference to security 'purists' and the unaware alike.

As a result, just like generations before, this 'blunt old axe' (read: blunt instrument) continues to be laboured and applied, over and over again, despite the obsolete nature of the content, instructions and positioning of the document, just like a beloved, well meaning grandparent might insist on using, because 'it was the tool of his time'.

While parts may seemingly remain useful or valuable, for the most part, the tool and concept(s) are long past retirement.

However, even today (2022), you will find government departments, standards, tenders and instructions insisting on keeping this relic alive, and subscribing to these long-outdated terms of reference.

"the document needs updating"
SAI Global (2022), p.2

Firstly, HB 167:2006 has an alarming lack of citations, external references or proven security/risk management practices.

Where it does, the references are also grossly outdated or straddle multiple jurisdictions and disciplines, conflating exactly what 'security' or 'risk' means in any given context.

"Security (Definition): The preparedness, protection and preservation of people, property and information, both tangible and intangible" - HB 167:2006 Security Risk Management, p.93
Risk, Safety & Security: Everyday use, everyday confusion, conflict and the need for clarity and context
"Risk (Definition): The chance of something happening that will have an impact upon objectives. It is measured in terms of consequence and likelihood." - HB 167:2006 Security Risk Management, p.93
Why 'risk' is NOT defined as an "effect of uncertainty on objectives", and why it is very 'risky' to pretend/demand it is
Moreover, the lack of citations and objective, verifiable and reliable research informing the outcome...means the final result is a collection of random, unspecified, anecdotal narratives of an ad-hoc assemblage of authors, whose views, contributions or qualifications remain obfuscated or lack legitimate provenance.

Which raises considerable legal and liability concerns for those relying on the advice or demanding adherence to the instructions contained therein. No wonder the disclaimer on page two seeks to mitigate this risk and liability.

"...no warranty is provided or implied as to the accuracy or practical applicability of the contents of this Handbook to any organisation or individual." SAI Global, Page 2, 2006

But, drift, context and obfuscation are not unique to HB167:2006 Security Risk Management, with many other publications and contributions affected by a lack of consistency or unitary definition for security, safety, risk or resilience.

Notwithstanding the context of "security" may vary across national, public, private, commercial and corporate disciplines and jurisdictions.
Which, given the lack of disclosure, verification and reliability of 'security' or 'risk' content within HB167:2006 (or any other 'standard', for that matter), brings into the spotlight the specific qualifications and credentials of the contributors, including which particular parts/segments they personally contributed to...which is also unspecified.
Especially in a publication where "crime" and "prevention" present as footnotes, or minor aspects of a security risk management practice or body of knowledge.

Which is contradictory to both applied security/risk sciences and that of regulation/legislative requirements.

Along with the 'value' that security management or risk management may contribute to any one situation or organisation.
However, "standards" are not the saviour either.
"The ISO standard, as is, should not be used to justify policies aiming at protecting the public’s health." (Bialous & Yach, 2001)

Because 'standards' remain extremely biased, commercial products, in all contexts.

"Developing countries seldom enjoy this influence in standardisation...they remain ‘standard takers’ instead of ‘standard makers’" (Heires, 2008)

Due to the implied and practical attempts 'standards' seek to impose on professions, people and beliefs.

"...global governors as “authorities who exercise power across borders for purposes of affecting policy. Governors thus create issues, set agendas, establish and implement rules or programs, and evaluate and/or adjudicate outcomes." (Prakash & Potoski, 2010)

"As a global governor, the International Organization for Standardization supplies product and process standards to commercial actors." (Prakash & Potoski, 2010)

Which results in the final stance, in a motte-and-bailey defence, to assert that HB 167:2006 Security Risk Management may then be interpreted as a 'best practice'.

Due to the age, lack of verifiable inputs, context and specifics of the authors... HB 167:2006 could not reasonably be 'best practice' either, for governments, organisations, the discipline or practice of security and/or risk management.

Inclusive of the fact that "terrorism" seems to be largely excluded from the publication or asserts terrorism proceeds crime or criminological considerations.

"The field of security risk management is rapidly evolving and as such this Handbook cannot cover all aspects and variant approaches to security risk management." SAI Global (2006), p.2

In sum, security management, risk management and the conjoined discipline of security risk management need to be more discerning, transparent, critical and professional in their utilisation and application of 'tools', resources or research.

This includes standards. Which so few are (critical, discerning, etc.)...especially when addressing agile, intelligent, evolving and motivated bad actors who are intentionally seeking to circumvent or exploit 'defences', for profit, gain, damage or destruction.

From this perspective, HB 167:2006 Security Risk Management is not only long past relevant; strict or even loose adherence to this reference as a form of knowledge, application or discipline exposes individuals, organisations and governments to liability and 'risk'.

Understanding or acknowledgement of 'security decay' remains an example of security risk management as a science and profession.

In contrast, those that assert, advocate or cling for dear life to past knowledge, publications, 'standards', or any other form of content, fall short of contemporary professional standards and practice.

Which is ironic when some organisations, governments or individuals advocate this old, outdated standard. Therefore, much like grandpa and his beloved (only tool available) blunt old axe, so too is HB 167:2006 Security Risk Management, by any contemporary, professional or scientific measure, a blunt, obsolete and outdated instrument for differing times and needs.

Tony Ridley, MSc CSyP FSyI SRMCP

Security, Risk, Resilience, Safety & Management Sciences

References:

Bialous, S. A., & Yach, D. (2001). Whose standard is it, anyway? How the tobacco industry determines the International Organization for Standardization (ISO) standards for tobacco and tobacco products. Tobacco Control, 10(2), 96-104.

Heires, M. (2008). The International Organization for Standardization (ISO). New Political Economy, 13(3), 357-367. DOI: 10.1080/13563460802302693

Prakash, A., & Potoski, M. (2010). The International Organization for Standardization as a global governor: a club theory perspective. Cambridge Studies in International Relations, 114(1), 72-101.
