Risk, Security, Safety and Resilience Newsletter - Week of 30 May 23
Ridley Tony
Experienced Leader in Risk, Security, Resilience, Safety, and Management Sciences | PhD Candidate, Researcher and Scholar
Of the 110 articles, quotes, resources, research and visuals viewed nearly 98,092 times, clicked 27,404 times, liked 873 times and reposted 44 times, here are 10 of the top-rated ones. Included are a number of other articles and posts that are the most popular (2,000+ views) as of 30 May 23.
Members & Subscribers get more at: https://www.patreon.com/riskmanagement
----------------------------------------------------
The following is a summary of security, risk, safety and resilience articles, topics and issues ending the week of 30 May 23.
Key themes for this week include:
----------------------------------------------------
"Structure of Risk Analysis: #Riskanalysis can be broadly structured into three main parts: risk assessment, risk management, and risk communication. During an outbreak event, risk assessment assigns a level of risk to the pathogen (as the hazard or threat), risk management weighs the options for managing public-health risks (including mitigation measures), and risk communication supports informed decision-making by members of society, positive behavior change, and public trust. This report focuses on methodologies that inform risk assessment and management, focusing on the four parameters listed under “risk assessment” in Figure 1 as well as the first two under “risk management.” The remaining features (option implementation, monitoring and review, and risk communication) are critically important in an overall risk analysis framework. However, available methodologies give limited attention to these remaining parameters. An assessment would involve searching and reviewing a broader range of additional guidelines and policy documents that lie beyond the scope of this review."
The application and outcomes or benefits associated with 'security' do not exist in a vacuum, nor should security tactics, mitigation or controls be applied in the absence of specific, considered and realistic threats.
In other words, security management is not the arbitrary deployment, purchase or management of security widgets, tech, people, processes or practices.
Evidence, analysis, assessments and risk measurement are mandated.
Pursuit of hypothetical 'Boogey men', unrealistic threat actors and the idea that evil, criminals and terrorists are concealed or lurking around every corner diminishes the practice of legitimate security and results in considerable wastage, fear and unnecessary social anxiety.
Moreover, the blind application of posterior security control and management measures is not consistent with legitimate risk management.
"Bring Your Own Device (BYOD) refers to the practice of performing work-related activities on personally owned devices. This practice guide provides an example solution demonstrating how to enhance security and privacy in Android and iOS smartphone BYOD deployments. Incorporating BYOD capabilities into an organization can provide greater flexibility in how employees work and increase the opportunities and methods available to access organizational resources. For some organizations, the combination of traditional in-office processes with mobile device technologies enables portable communication approaches and adaptive workflows. For others, it fosters a mobile-first approach in which their employees communicate and collaborate primarily using their mobile devices."
In short, service continuity is what most businesses, governments and systems desire, demand and require. Those who depend on a service don't care whether your business is running, profitable, aware or concerned, or whether it is operating as 'usual' or not.
Moreover, they typically become angry, vocal or take action when deceived or lied to: when a company can't deliver on its promise, honour an agreement, or is dishonest about why they aren't getting what they paid for, need or received in the past.
"Security specialists have historically played a key role in Federal facility protection and emergency planning efforts. However, security specialist qualifications have largely been determined at the individual agency level, resulting in wide-ranging skill sets across the interagency community and revealing a clear need for consistency in security personnel qualifications and training in today’s threat environment. Therefore, based on the Government Accountability Office’s recommendation to promote strategic management of human capital, the Interagency Security Committee (ISC) convened a working group to develop a recommended baseline level of skills, knowledge, abilities, and competencies that security specialists throughout the Federal Government should possess."
Expressions of risk, resilience and guidance on urgent business actions such as crisis are routinely devoid of specific organisational contexts or characteristics.
That is, risk and resilience are neither neutral nor universal across all types of organisations and typologies, meaning that crisis or any other extraordinary ‘call to action’ must be planned, considered and actioned within the context in which the organisation exists.
Moreover, threats and crises that impact multiple organisations, industries and geographies must also account for a multitude of organisational constructs, typologies and characteristics.
Not to mention that most large, contemporary organisations, like culture, may exhibit and demonstrate more than one version of these typologies at any one time, creating further complexity, tension and friction.
For example, relatively ‘simple’ organisational structures delivering highly regulated, controlled and consistent services in relatively ‘stable’ environments produce what is considered a machine bureaucracy. Same thing, over and over with a high degree of reliable or expected consistency. Years of policy and procedures, routine delivery and scheduled refreshment of talent and processes. “This is how things are done around here, and there is little latitude for variance” type cultures.
Not only do various layers of the same organisation conceive and implement safety, security, risk or resilience differently, but they also tend to have varying beliefs and practices on how to control visible strategic failures such as 'accidents', mistakes, errors and fiascos.
That is, while regulators may insist upon greater risk constraints, frontline actors remain dependent upon experience, education, knowledge and psychological factors to identify, mitigate and control a wide variety of actions, factors and probabilities.
This process and its variance only compound across further layers such as teams, management and executive leadership.
As a result, good/bad strategy may be perceived as either the saviour or catalyst for failures and accidents but accidents may also be manipulated or positioned as an escape clause or 'act of god' (Force Majeure) that no human could have reasonably foreseen, therefore absolving management, leadership and organisations.
"This guide is designed to help people to enact Learning as Management Strategy by framing the task of management in terms of creating connected Learning Cycles (which we’ll describe in Section 3). It frames the whole job of management as planning, organising and undertaking these learning processes.
The task of creating and running Learning Cycles, and making sure they are managed and governed effectively, is called System Stewardship.
This guide is written for System Stewards. It is designed to assist those who are thinking about how to plan, organise and undertake structured learning processes by helping to frame questions to consider, while offering reflections and examples from those who have done similar work."
Any reasonable urgent action, emergency, crisis or disaster will initially trigger an operational and administrative 'follower' focus.
That is, chase the drama, respond to the incident, and manage from issue to issue, which inherently presents the notion of crisis management or administration.
Many organisations and individuals seek credentials and associated experience by restating these actions as means of asserting crisis management pedigree or competency.
However, much like the distinction between management and administration, crisis leadership remains considerably distinct from crisis management, particularly during a crisis.
Not surprisingly, far fewer organisations and individuals have commensurate experience, knowledge or pedigree when it comes to crisis leadership.
In very broad terms, crisis management follows the events and is responsive or constrained to very short time cycles for response to crisis, emergency or disaster.
Crisis leaders, by contrast, remain aware of all factors and events and focus on anticipating and steering towards the desired end state.
"The objective of this document is to define a scheme and the required set of components (common terminology, assets classification, threat taxonomy and impact/risk scales) that will allow for the interpretation of the risk analysis outputs that result from different Risk Management (RM) frameworks."
In short, risk, security and resilience within any system, including business continuity, require constant surveillance and horizon scanning long before high-level or blanket statements of 'safe', 'secure', 'resilient' or 'bounce back' can be substantiated.
"Organizations are also cautioned that risk assessments are often not precise instruments of measurement and reflect: (i) the limitations of the specific assessment methodologies, tools, and techniques employed; (ii) the subjectivity, quality, and trustworthiness of the data used; (iii) the interpretation of assessment results; and (iv) the skills and expertise of those individuals or groups conducting the assessments.
Since cost, timeliness, and ease of use are a few of the many important factors in the application of risk assessments, organizations should attempt to reduce the level of effort for risk assessments by sharing risk-related information, whenever possible."
Threats, protection and security are applied and tolerated differently across industries, locations and cultures. As a result, relative risk is also inherent and residual. That is, security levels before and after an intervention are highly variable, meaning that 'high', 'medium' and 'low' levels of vulnerability, risk or security are highly contextual and routinely incompatible between facilities within the same sector, or even the same geography, because of varied threats, expectations and utility provided to the community.
In other words, what you think, measure and declare your security level to be at any given time is not the same as at another site, location or facility, because how security is applied is not the same, nor is the threat, resulting in varying levels of risk even within the same industry.
For example, layers of security actors, resources, and support in a general public setting such as a shopping complex or corporate office are much lower than that of a critical infrastructure facility or system of national/state significance.
"...provide the results of the risk assessment for all the risk scenarios that they will run in the form of a list. Moreover, they have to name the method and/or tool they have used for the risk assessment. The provided information will allow the toolbox to be used to normalise risk values and compare results. "
Safety, security, risk and resilience are informed by and remain highly dependent upon effective intelligence. That is, the direction, collection, processing and dissemination of data, information, knowledge and what may formally or informally be referred to as 'intelligence' is routinely the first, essential step in the creation and understanding of what ultimately presents as safety, security, risk and resilience narratives, assessments or analysis.
As a result, formal processes, qualitative comparisons and overall rigour are mandatory criteria for both intelligence and the subsequent utility of such work product.
Conspicuously and concerningly, few safety, security, risk and resilience processes and procedures adequately consider, disclose or articulate how intelligence is collected or manufactured, or to what degree its quality is assured.
"#riskmanagement covers all the processes involved in identifying, assessing and judging risks, taking actions to mitigate or anticipate them, and monitoring and reviewing progress. Or as the OGC defines it – ensuring that the organisation makes cost-effective use of the risk process. Risk management requires processes in place to monitor risks; access to reliable, up-to-date information about risk; the right balance of control in place to deal with those risks; and decision-making processes supported by a framework of risk analysis and evaluation; and"
"handling risk – we have used this as a broader term, including the processes of risk management, but also embracing wider issues, such as the government’s approach, its roles and responsibilities and its organisational culture."
Scales of ‘maturity’ within risk, safety, security, and resilience conceal and confirm vulnerability, weaknesses, fragility and current levels of diminished preparedness and readiness. That is, scales of maturity in the face of extant human threats, adversaries, bad actors, criminals, and terrorists are little more than confirmation of how easy or likely you are to become the next target or victim.
In other words, if your adversary, across physical and digital domains, is ready, prepared, resourced, capable and motivated, whereas you are ‘emerging’ or ‘maturing’, you are ill-prepared for the real-world battles in today’s business environments and geopolitical landscape. In short, what you lack in ‘maturity’ is your minimum level of vulnerability. And your level of maturity is commensurate with the threat, not administrative reporting or governance protocols.
Victimisation and repeat victimisation (victimology) are advanced criminological and security/risk sciences principles and considerations. In other words, what factors, states, traits, and behaviours make you and your business more or less susceptible to becoming attacked, breached, assaulted, harmed or otherwise a victim in various forms? Especially where there are predators, human actors, threats and malevolent agents seeking fame, fortune, reward or results.
Therefore, ‘maturity’ remains a foolish concept or categorisation for entering or surviving in the real world. It isn’t a proxy or scientific principle for risk or security. In other words, you don’t enter a mixed-martial arts octagon to fight with a world-class, disciplined, conditioned, experienced and hungry opponent and then recite your levels of current, future and aspirational ‘maturity’ against some arbitrary, subjective, accounting and general management scale of governance and comparison.
----------------------------------------------------
Tony Ridley, MSc CSyP FSyI
Risk, Safety, Security, Resilience & Management Sciences (Applied)
Members/Subscription -https://www.patreon.com/riskmanagement
Realtor Associate @ Next Trend Realty LLC | HAR REALTOR, IRS Tax Preparer
1 year
Thanks for posting.