Risk, Security, Safety and Resilience Newsletter - Week of 31 Aug 22
The following is a summary of security, risk, safety and resilience articles, topics and issues ending the week of 31 Aug 22.
Key themes for this week include:
----------------------------------------------------------
Consideration, management and analysis of #risk occurs across different timelines. That is, 'risk' presents as past, present and future constructs, often simultaneously.
In other words, where risk is written, spoken or referenced, it may mean something that has occurred already, something happening now, or sometime in the immediate, near or distant future. It could also mean all three, at different times and scales.
In sum, risk is not fixed in time nor context.
“Ensuring effective #riskmanagement in any organisation is essential. This report takes a close examination of the practices organisations are adopting to embed risk management practices across the organisation. Using an in depth case study approach, it explores how businesses can overcome the common challenges presented in implementing effective risk management processes and suggests good practices for aligning these to the delivery of strategic goals.”
All too often, security, risk and security risk practitioners, professionals, governments and organisations cling to long outdated security management and risk management practices, ideology, cultures and even 'standards'.
HB 167:2006 Security Risk Management stands out as just one such example, which refuses to die and remains the stalwart terms of reference to security 'purists' and the unaware alike.
As a result, just like generations before, this 'blunt old axe' (read: blunt instrument) continues to be laboured and applied, over and over again, despite the obsolete nature of the content, instructions and positioning of the document, just like a beloved, well meaning grandparent might insist on using, because 'it was the tool of his time'.
While parts may seemingly remain useful or valuable, for the most part, the tool and concept(s) are long past retirement.
"Let’s start with some basics. All models are semiotic representations of something. The model or graphic is NOT the thing in itself. All models are like metaphors, they seek to describe something by what it is not (Lakoff and Johnson). All models are constructed by someone for a purpose and are either useful, helpful or ethical depending on their outcome. Without some level of critical thinking the purpose of such models often remains hidden. So, any graphic, whether drawn in science, engineering or safety is not the thing in itself but a representation of it. Such a representation is an interpretation of a concept or idea." - Dr Rob Long
“Cyber intrusion methodology evolves constantly, and sophisticated attackers have a strong incentive to defeat the defences you put in place. It should be assumed that at some point your defences will be breached and therefore it is also important to be able respond proactively by detecting attacks and having measures in place to minimise the impact of any #cybersecurity incidents.”
"The purpose of this framework document is to provide guidance for conducting risk assessments of government organizations. Risk assessments are part of an overall risk management process—providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks. In particular, this document provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and how risk assessments and other organizational risk management processes complement and inform each other."
Enterprise security risk management and climate change are subject to similar, concealed, subtle, compounding and complex influences, inadequately summed up in topline reports, metrics, models or narratives.
Moreover, these dependent and independent variables amass over disparate timelines, geographies, and across varying disciplines or knowledge-based professions.
That is, both climate change and enterprise security risk management are routinely represented by summary findings in the form of reports, metrics or extended, simplified storylines, yet, as a phenomenon, are comprised of a complex, layered, highly variable and ever-changing network of influences, variances, natural forces and human actors.
In other words, what any one person, organisation or country understands about either climate change or enterprise security risk management is attenuated by countless factors, various observable facts, intangible or invisible influences and narrated or analysed by an array of qualified and unqualified representatives that are captured in a series of reports, opinions and research, culminating in a single, consolidated summary of all these factors.
"Disasters caused by natural hazards can trigger chains of multiple natural and man-made hazardous events over different spatial and temporal scales. Multi-hazard and multi-risk assessments make it possible to take into account interactions between different risks. Classes of interactions include triggered events, cascade effects, and the rapid increase of vulnerability during successive hazards"
Threats, hazards, danger, perils and risk(s) do not materialise or present with numerical values or self-authoring, objective units of measure. Humans conduct varying degrees of analysis, which result in numbers assigned to these risk factors or categories.
Therefore, both qualitative and quantitative methods are required and practised in real-world risk environments. The question is, how are quantitative and qualitative risk(s) analyses converged, rationalised or integrated from various sources, literature or disciplines?
In other words, try as we may, risk(s) aren't spawned with prescribed, objective numbers such as numbers extracted in a lottery or other games of chance.
"This Guide presents a structured approach to business continuity management. The approach involves identifying preventative treatments for continuity risks that can be routinely managed, and developing an organisation-wide business continuity plan to deal with the consequences should the preventative treatments fail. The approach should be tailored to meet organisational needs while satisfying the major steps identified for business continuity management in the context of overall #riskmanagement."
Business travel safety, security and risk management have a modest, disparate and immature literature foundation.
That is, when speaking to either 'business travel risk management', or any number of derivatives such as 'travel security', 'business travel safety' or 'business travel risk', practitioners, organisations and researchers will encounter a myriad of unrelated, opinion-centric and marketing-dominated content in the form of books, articles, white papers and websites.
Each competing for popularity, universal application and 'status' within corporates, the travel industry and the remaining few vendors competing in a predominately insurance-driven market, with an after market representation in the form of information subscription(s) and templated, unsubstantiated, non-comparative scales of risk.
Travel has always contained degrees of uncertainty, no matter how confident beliefs in forecasting the future and the complex, interconnected actions of others. The pandemic created by COVID-19 has reminded us all of this reality. The post-pandemic world will be different in many ways. #Security, #safety, #crime and #terrorism are just some of the critical areas for change and uncertainty likely to be experienced by travellers. Therefore, greater knowledge of past vulnerabilities and essential life safety and security principles will assist in reducing uncertainty and the identification of a change to modify actions and behaviour. To remain safe and secure at all stages of the journey.
"Human #security addresses the full range of human insecurities faced by communities including, but not limited to, violent conflicts, extreme impoverishment, natural disasters, health pandemics, etc., as well as their interdependencies, both across human securities and geographically. In particular, as an operational approach, human security:
- Underlines the importance of addressing the totality of conditions that impact human beings and highlights the need to refrain from looking at people’s lives through the lens of specialized entities or interested parties, which often results in silo- or supply-driven responses.
- Addresses the root causes of threats both within and across borders, and advances multisectoral/multi-stakeholder responses to advance integrated and prioritized solutions over the short, medium and long run."
"Effective #businesscontinuitymanagement reaches beyond developing of business continuity plans. It requires all of us to acknowledge uncertainty as a natural part of business planning. We all need to be aware that #risk is inherent in all decisions and activities and that some risks have the potential to interrupt services, and we need to be prepared to respond to and manage such interruptions.
Successfully applying this Business Continuity Management Framework will increase our ability to absorb, respond to and recover from disruptions. It also offers opportunities to understand how we create value and establishes direct relationships to dependencies and vulnerabilities inherent in delivering our outcomes."
For the past couple of decades, I've been immersed in data, numbers and statistics informing #risk, #security, #safety, #resilience and management. More specifically, the way in which numbers are compiled, interpreted, distributed and influence confidence, findings and decisions associated with #riskmanagement, #securitymanagement, #safetymanagement and the pursuit of resilience objectives. Including the quantitative and qualitative 'wars'. As the Dunning-Kruger model promises.... the task is never 'done' and there is always 'more' to learn, consider and comprehend. However, diverse consideration of opinions, applications and research help improve my understanding and contribute to informed critiques of risk calculations, computations and algorithms. Here are a few of my favourite desktop references and resources. Let me know, what are yours...and why?
Risk, Safety, Security, Resilience & Management Sciences
#security #risk #resilience #safety #management #sciences #enterpriseriskmanagement #enterprisesecurity #corporatesecurity #enteprisesecurityriskmanagement #ERM #ESRM
Alumni:
University of Leicester - Master of Science (MSc), Security & Risk Management
Doctoral Candidate:
Charles Sturt University - Doctor of Public Safety
Member:
The Security Institute (MSyI)
CP Provider for over 40 years Private and Govt. contracts. Well travelled. CP training, Local Liaison, investigation services for CP Teams travelling to Iberian peninsula+LATAM Physical combative solutions. Educator
Tony Ridley, MSc CSyP MSyI M.ISRM Very interesting in general Tony. I would like to comment more but unfortunately (or indeed fortunately) I have spent all my lunch break "reading more"! You hooked me good. So good I forgot to eat lunch haha. So much I had forgotten I'd learned and so much more to learn. Thank you for the share.