Security, Risk, Safety and Resilience Newsletter - Week of 30 Jun 22
Ridley Tony
Experienced Leader in Risk, Security, Resilience, Safety, and Management Sciences | PhD Candidate, Researcher and Scholar
The following is a summary of security, risk, safety and resilience articles, topics and issues ending the week of 30 Jun 22.
Key themes for this week include:
----------------------------------------------------------
The question of discretionary study, qualifications and accreditation is a ludicrous, paradoxical notion to established professions such as medicine, engineering, law and education, yet it remains a dominant opt-in/opt-out choice across the security, risk and management disciplines that assert they too are professions.
In other words, you simply don't assume the title of doctor, nurse, lawyer, engineer, teacher or other professional qualifiers without demonstrating considerable, specific, consistent and verifiable, objective education underpinning one's qualifications and rights to practice in said area.
Neither #securitymanagement nor #riskmanagement are static vocations or sciences. As a result, #securityriskmanagement, as with all sciences, is prone to evolution, discovery, refinement and informed contribution. The Handbook of #Security personifies this evolution. I have secured my 3rd edition in the series, in a digital format. Over the years, I have used the 1st and 2nd editions for security and #risk management roles, consulting, expert witness, a master of science and doctoral degree in public safety. This latest edition will only improve and challenge my thinking and practices further. Therefore, if you only purchase one academic or informed text book this year, I recommend you start with The Handbook of Security, Gill, M. (ed), 3rd ed, Palgrave Macmillan. A huge thank you to Martin Gill for not only pursuing the elevation of the profession(s) but also in leading these publications over the past few decades.
Defence-in-Depth is an extremely popular security and risk management expression that rarely achieves the universal, unassailable and reliable safety or security outcome the concept evokes, or it fails to deliver on the promise of a shroud of multi-layered protection for people, data or assets. That is, many 'defence-in-depth' assertions are symbolic statements or in name only, because the various layers and measures are neither synchronised nor required: 'once you're in...you're in!'.
As is often the case with most emergent professions transitioning to a technical discipline, the security profession and broader security industry typically struggle with the distinction and understanding of security management versus that of security leadership. In other words, it generally is unclear as to what explicitly they consider as security leadership as opposed to that of security management. These highly subjective, individual, or localised beliefs rarely remain valid or consistent across geography, culture, or time. For that reason, this research and analysis aim to contribute to the nascent corporate security management and corporate security leadership understanding through an applied literature review and contextual experience within the security profession. We consider them across the international security industry, across countries, jurisdiction and regulatory territories with decades of practical application. In sum, this analysis explores popular perceptions of security management and security leadership by analysing management sciences, contexts, and definitions, which is used to analyse security management and security leadership literature.
"In some form, #riskmanagement (RM) has always been an integral part of virtually every challenging human endeavor. A formal and, at that time, qualitative RM process known as Continuous Risk Management (CRM) was introduced to NASA in the latter half of the 1990s. More rigorous quantitative RM processes including Risk-Informed Decision Making (RIDM) and an enhanced version of CRM have only recently been developed for implementation as an integral part of systems engineering at NASA. While there will probably always be vigorous debate over the details of what comprises the best approach to managing #risk, few will disagree that effective risk management is critical to program and #project success and affordability."
It seems every day there is a new 'perfect storm', displacing blame and the lack of risk or resilience preparedness onto some unforeseeable act, circumstance or phenomenon. A 'once in one hundred years' occurrence...every few days.
That is, there were supposedly too many variables that nobody could reasonably have seen coming, or the random assemblage of occurrences is the product of a force majeure. For some, an act of god(s).
Regrettably, this is far from the reality or fact of the matter. A significant, yet rarely disclosed or discussed aspect, is the practice and human representation of 'risk' and the management of factors under that heading.
In particular, just how wanting people, practices, pedigree, models and levels of education/qualifications really are when it comes to risk management.
“A guidance note on how machine learning can be used for disaster #riskmanagement, including key definitions, case studies, and practical considerations for implementation”
"#Risk and #RiskManagement issues represent a continuing theme:
1) Weakness in Risk Identification and Analysis
2) Poor Risk Mitigation and Tracking
3) Lack of strong Systems Engineering
4) Limited application of Risk Assessment tools"
Risk-At-Location is derived from many varied data points, analyses, disciplines and degrees of preparedness, over various time and complexity scales.
That is, not only do hazards vary, but so too do the degree and efficacy of vulnerability and exposure, thus influencing the identifiable risk at any one geographical location.
As a result, risk communication models need to be comprehensive in their consideration, yet simple enough to convey the gravity, threat, resilience or remediation results to a broad cross-section of stakeholders.
“Responsive governance remains the key in mitigating cyber #risks. The disruptive nature of cyber #risk goes beyond traditional company structures and requires a change in organisational mindset as well as appropriate investment in protection. There is an emerging argument that advocates a paradigm shift assuming the inevitability of attack and consequently preparing oneself through active defence. Assuring cyber #resilience requires a focus on leadership, people and processes, not just on purchasing technology that will counter threats.”
"There are many recommended approaches to enterprise #riskmanagement (#ERM) and several different guides and risk management system standards have been published. This guide explains the approach used in the COSO ERM frameworks and identifies the importance and relevance of these frameworks. This guide also outlines the practical application of the COSO ERM frameworks and provides commentary on implementation."
Natural hazards, including those precipitated or aggravated by humankind, such as earthquakes, floods, storms, fire and droughts, require risk analysis to support informed resilience and preparedness strategies.
However, the conventional risk assessment methodologies used by individuals, corporates and governments remain inadequate, owing to the inherent complexities and nuances of both the natural phenomena and of advanced community preparedness, resilience and recovery capabilities.
"#Risk = The effect of uncertainty on objectives. Note 1: an effect is a deviation from the expected. It can be positive, negative or both, and can address, create, or result in opportunities and threats. Note 2: objectives can have different aspects and categories; can be applied at different levels. Note 3: risk is usually expressed in terms of risk sources (3.4), potential events (3.5), their consequences (3.6) and their likelihood (3.7)."
The essential elements of corporate, commercial or private sector security risk management are often invisible to all but those who understand the required anatomy, or only become visible during the autopsy of failure.
In other words, security risk management exclusions, omissions and inadequacies are glaringly obvious to experienced professionals, and their discovery or disclosure routinely becomes the focus of failure in the wake of bad happenings, catastrophic failures, crises and other public enquiries.
The architecture of adequate and comprehensive security risk management is not measured by policies, procedures, departments or reports.
"Failure to comply with relevant regulatory requirements can have significant consequences for your <organisation>. These include loss of trust, loss of support, reputational damage, regulatory censure, increased costs and financial penalties. Serious incidents of non-compliance can even result in the closure of your <organisation>. There have been several incidents where charities have failed to comply with regulations. These incidents have been widely covered in social and traditional media. These incidents not only damaged the individual charities but the wider charity sector."
"If you are applying behavioural economics concepts in the field, high on your list of undesirable outcomes is witnessing an intervention that had an effect in the lab fail to have an effect in the real world.
In the wake of the replication crisis in behavioural science, many improved research practices have been recommended, from pre-registering studies, to placing materials in open archives, to collecting more data. Collecting more data, however, can refer to a variety of things. The typical interpretation of the advice is to run lab studies with greater numbers of participants, which in turn leads to more precise estimates of treatment effects, which then leads to better decisions about what interventions to transfer from the lab to the field."
Tony Ridley, MSc CSyP MSyI M.ISRM
Security, Risk, Resilience, Safety & Management Sciences