Security, Risk, Safety and Resilience Newsletter - Week of 7 Apr 22
The following is a summary of security, risk, safety and resilience articles, topics and issues for the week ending 7 April 2022.
Key themes for this week include:
------------------------------
Security and risk management spending is inherently susceptible to prioritisation based on the last known, visible or experienced failure, loss, breach or drama. That is, security budgets are routinely distributed either left or right of the last 'boom'. If security ideology is distilled into a simple binary, there are those that invest pre-incident, prioritising avoidance, mitigation, prevention and protection, and there are those that are compelled, motivated, shamed or restrained in security expenditure until an event, loss, failure or disruption occurs, focusing instead on response, recovery, insurance or other after-the-fact initiatives. Most organisations sit unevenly somewhere along this continuum, but within every organisation, community, government or culture there is a dominant or subordinate sense of security as either a cost centre or a profit centre.
"The concept of #risk combines an understanding of the probability of a hazardous event occurring with an assessment of its impact represented by interactions between hazards, elements at risk and vulnerability. (Geoscience Australia) "
Expectations and demands of 'service continuity' remain a complex interplay between contributing factors such as risk, resilience, crisis, security and management.
That is, distinct from the introspective, dispassionate concept of 'business as usual' (BAU), service continuity remains customer/client centric: it views the need to keep services and supply maintained regardless of what is happening or how you would typically or routinely conduct business, especially when there is nothing 'usual' about what is occurring, what has happened or what is required to change.
In other words, BAU is about you and your business, which customers/consumers don't really care about. The priority is on what the customer/consumer needs, namely service, hence the emphasis on continuity in the wake of delay, disruption, risk, etc.
"The main finding is that #terrorism increases with the intensity of conflict. Both the Georgian conflict in 2008 and the Ukrainian conflict of 2014 saw substantial spikes in terrorist activity around the wars, and as the current war intensifies, increased #terrorist activity should be expected."
Threats, protection and security are applied and tolerated differently across industries, locations and cultures. As a result, risk is relative, and both inherent and residual risk vary with that context.
That is, security levels before and after an intervention are highly variable, meaning that 'high', 'medium' and 'low' levels of vulnerability, risk or security are highly contextual and routinely incompatible between facilities within the same sector, or even the same geography, because the threats, expectations and utility provided to the community differ.
In other words, what you measure or believe your security level to be at any given time is not the same as that of another site, location or facility, because neither the way security is applied nor the threat is the same, resulting in varying levels of risk, even within the same industry.
"Risk appetite is an inherent part of human decision-making and, in an organisational context, should be considered explicitly when comparing the potential outcomes of decision alternatives. It also plays a key role in the way reasonable assurance over the adequacy of #riskmanagement is formed and communicated to the Board – with emphasis on balanced risk-taking within agreed limits."
Consideration and investigation of threats that may affect a business or operations is often limited by time, resources, expertise and experience.
Moreover, the shortlist of threats is routinely carried over from year to year or practitioner to practitioner with limited, legitimate risk analysis or supporting evidence, before leaping into controls development, risk ratings and crisis or continuity planning.
That is, the list of potential threats is more likely a mental accounting or 'top of mind' exercise than a detailed, informed and analytical treatment of environmental, operational or organisational threats, actors, hazards or harm.
The necessity of an all-hazards approach to risk and threat analysis may seem obvious, but it is constantly restated by professionals and practitioners because it remains inconsistently and unevenly applied across organisations and industries.
"In 2021, America experienced an unprecedented increase in cyber attacks and malicious cyber activity. These cyber attacks compromised businesses in an extensive array of business sectors as well as the American public. As the cyber threat evolves and becomes increasingly intertwined with traditional foreign #intelligence threats and emerging technologies, the FBI continues to leverage our unique authorities and partnerships to impose #risks and consequences on our nation’s cyber adversaries. "
Personal and collective response to seemingly obvious 'risk' is neither consistent nor guaranteed.
That is, even when a risk has been communicated, openly known and declared over varying times and scales, this routinely proves an inadequate predictor of, or assurance for, individual, community, government or organisational response to danger, threat, peril or hazard.
In other words, even when told of a risk, there are numerous modifiers and variables that influence and distort action at a singular or collective level.
"The #risk of major shocks to the global economy is increasing. Over the next three years, the estimates suggest that risk will be significantly elevated over its long-term baseline. The baseline itself – a ten-year projection – is trending upwards. Our Global Risk Index of probability-weighted losses from 22 different types of shocks to 300 of the world’s leading cities is estimated to be 1.48% of annual global economic output. Between 2017-19, the Index is estimated to be elevated above the ten-year baseline at around 1.51% of annual GDP. With nominal GDP for 2017 forecast to reach around $77.7 trillion, the Global Risk Index of 1.51% means an expected loss of $1.17 trillion. "
Continuity of business and operations remains a complex, persistent series of discrete and wholesale changes.
That is, there is no one aspect of business continuity management (BCM) that remains static in the modern context, let alone the system as a whole remaining sufficiently the 'same', not requiring constant monitoring, update and adjustment.
In particular, changes in threat, risk, vulnerability and harm are upstream variations that should force revision of the impact assessment and of the entire system downstream of them.
In short, preservation of 'the system' should be secondary to remaining aware, prepared, responsive and resourced for the 'now', not for a past, prior approved or previously accepted 'plan'.
Moreover, not only is each phase important but even more so are the boundaries and points of crossover between each step or iterative process.
"Risk assessment is a process to determine the nature and extent of #risk, and is critical for laying the foundations for developing effective policies and strategies for disaster #riskmanagement. The process of undertaking risk assessment allows for identification, estimation and ranking of risks. This includes potential losses of exposed population, property, services, livelihoods and environment, and assessment of their potential impacts on society. Generally, the client, regulator or an elected/government representative will then use this assessment to decide upon the course of action to be taken. The concept behind #riskassessment is that it is a structured, transparent, scientific process that is independent of politics. This allows it to be repeated, added to, and reused when political priorities change. "
"#Resilience provides a framework to assess a system's likelihood to succeed in its mission even as disruptions perturb the operations. A system's resilience is therefore essentially a #risk proposition of the mission succeeding and as such can be quantified using probabilistic risk assessment (PRA) techniques developed over the past three decades. Reliability engineering methods for evaluating hardware are insufficient by themselves, as they do not examine procedural mitigations, system margin, or human training applied to overcome anomalies."
Tony Ridley, MSc CSyP MSyI M.ISRM
Security, risk, resilience, safety & management sciences