Mike Jay examines neglect of security risks through the prism of the FPA’s new security handbook publication
WHAT HAS been the single most damaging and far reaching neglect of business risk that we know of? Surely that must be the financial crisis of 2007. I say ‘neglect’ of risk rather than miscalculation, since we are led to believe that those in a position to manage the risks leading to the crisis simply didn’t recognise that credible risk existed or, if they did, they didn’t have the slightest idea how to assess it.
The risking of billions on ‘credit default swaps’ and ‘collateralised debt obligations’ by financial businesses was surely a textbook example of ‘it won’t happen to us’. In that sense, the losses were self inflicted, but when risk is posed by malevolent outsiders, there is even more reason to be sure that risk has been recognised and assessed.
An irony is that, in contrast to the management of those large financial institutions that happily piled on risk exposure between 2000 and 2007, it is modest operations like the local post office where you will find the most security risk aware staff and managers.
Even in a sleepy village where ‘we never need to lock our doors’, the chances are that the post office will have had at least one terrifying raid, and there are many other examples of targets regarded as ‘soft’ or highly remunerative where risk awareness is found in abundance. Such custodians probably find a culture of ‘it will probably never happen’ unbelievably complacent.
Not just theft
Security risks are not only about theft. There are, of course, plenty of other ways, most obviously wanton destruction and arson, in which a business can be damaged by criminal acts.
When Reckitt and Benckiser, makers of Dettol and Air Wick, suffered a ransomware attack in June last year, the disruption to their manufacturing and distribution meant that they would ‘lose revenue permanently’. The company was obliged to publish profit warnings and, at the time of writing, its shares have not recovered.
So neglect of security risk appraisal and management can have expensive consequences if a serious security incident occurs. The need for remedial action deflects management focus from the business, staff will be distracted and may be upset, sales can be lost, and competitors may be able to take advantage.
A loss avoided is as good as a banked profit, so it pays to prepare for the worst. Hard won income is easily squandered unnecessarily in a complacent security culture. Senior management need to stay alive to the danger of a trouble free run inculcating a false sense of immunity from crime.
The Reckitt incident mentioned earlier demonstrates how the unexpected can tilt a stable and profitable operation with an optimistic view of the future into one having to divert significant resources from business development to business survival.
More fortunate organisations lucky enough to have avoided serious security shocks might still have a nasty surprise, if they looked at the attritional cost and cultural impact of regular small security losses that individually fail to register on the radar of senior management.
Expect the unexpected
When an organisation is hit by a security breach, ignorance of up to the minute security does not cut a lot of ice with shareholders and stakeholders. It’s no good lamenting after an incident that nobody in the business realised that, for example:
- certain basic precautions could have sidestepped our serious cyber attack
- we could have saved on guards yet had better, cost effective security
- security lighting would have been affordable using the latest technology
- radical security action is unavoidable
- if a building falls vacant
- there are only certain types of fencing effective against skilled intruders
- we could have remained secure without jeopardising safe escape from fire
These and a wide range of other insights are to be found in the up to the minute FPA Security Handbook. In a reader friendly style, and avoiding unnecessary technicalities and jargon, the handbook
is a practical work of reference to have on hand for those responsible for the security of premises.
Its publication comes at a time when, after 20 years of declining crime, the Home Office has published statistics showing that this has reversed. The latest police figures point to an overall increase in crime of 14%, following a similar increase in the previous period, with more crimes featuring the use of weapons. Simultaneously, the figures for cyber based crime and fraud continue to mount.
Most crimes in the built environment are of course acquisitive crimes. Such crimes do not occur through accident or bad luck. They happen when criminals reason that the potential reward trumps the risk taken. So, no matter how impulsive or bizarre the offender’s decision had been, the fact that a financial loss was incurred points to the failure of the owner to manage that particular security scenario.
Of course, owners can’t be blamed if they have accurately assessed a particular risk scenario, yet decided that the risk and its consequences were sufficiently remote to be accepted. Provided, that is, that a careful and structured risk assessment had been carried out. One should have sympathy for the owner having to strike the correct balance when formulating a security strategy to protect the assets of the organisation.
If the assumption is made that securing the assets will be a relatively straightforward process – albeit possibly expensive – the assessor will probably be disabused. Some investment of time in understanding the issues and what can be expected of the huge range of security products and services is unavoidable.
Assess the risk
By their own admission, the providers and installers of security products and services are often not the best equipped to determine the customer’s security requirements. Someone, if not the owner – perhaps an employee or adviser – must take on the job of assessing the risk, determining the organisation’s risk tolerance and formulating a security strategy. It is that individual for whom this handbook aims to provide practical support during the process.
Readers familiar with that process can use the publication to be updated on particular elements of premises security where things have moved on. Those who are tasked with formulating a security strategy from scratch, yet are less familiar with the subject, may prefer to look through the opening pages overviewing the issues and the UK security environment generally. With that as a background, the handbook guides the reader in areas of procurement and security management, including help with obtaining additional advice.
A description of the principles and the ‘state of the art’ in the various sectors of security then follows – physical security, access control, electronic security, manned services and CCTV, including the essential topic of privacy legislation. However, the book recognises that there are security challenges for managers for which a purely technical solution may not be enough – namely robbery, cyber risk and the increasingly troubling threat of building occupation by groups of travellers, who wreak havoc and are not easily dislodged.
There was a time in the ’60s and ’70s when acquisitive crime was rampant and our criminals were held to be the best in Western Europe, if not the world. However, at a point in the ’90s, technological development allowed security products to become more effective and respectable.
Experts hold that such technological advancement, as well as the huge national rollout of security in our country over the years, lay behind the improvement in crime statistics following their peak in 1995.
Now however, there is no room for complacency, since the trend appears to be reversing at a time when a lot of the security out there is now of the ‘legacy’ variety. Academic studies involving interviews with offenders leave no doubt that most crimes involve calculation and planning to one degree or another, and that criminals differentiate between outdated equipment and our present day technology.
Therefore, there is all the more reason to revisit the security exposure of the organisation, and to consider whether the action originally taken has stood the test of time. If not, I commend the pages of the Security Handbook as the place to start the remedial process.
Mike Jay is convenor of the RISCAuthority security group and author of the Security Handbook. For more information, view page 5