Security, Risk, Safety and Resilience Newsletter - Week of 19 May 22
Ridley Tony
Experienced Leader in Risk, Security, Resilience, Safety, and Management Sciences | PhD Candidate, Researcher and Scholar
The following is a summary of security, risk, safety and resilience articles, topics and issues ending the week of 19 May 22.
Key themes for this week include:
- Risk: Data, identification, management & assessment
- Security Management: Culture, operations, protection & travel
- Resilience: Workplaces, Continuity of Service & Structures
- Business Continuity: Capability, disaster and threats
----------------------------------------------------------
Risk Management Follies, Failures and Data Delusions
"If I assign numbers to each of these things, then it becomes data, and I can do math on it".... the folly of so many seemingly 'quantitative' #riskanalysis formulas and calculations.
Introduction to Managing Risk
"What is risk? ‘#Risk is a condition in which there exists a quantifiable dispersion in the possible outcomes from any activity. It can be classified in a number of ways.’ Risk has also been defined as:
‘Uncertain future events which could influence the achievement of the organisation’s strategic, operational and financial objectives.’
Business Continuity, Organisational Resilience & Risk Management: Potential Threats Inside & Outside the Process
Business discontinuity, disruption, delay and failure originate from specific, contextual, complex and even networked threats.
Many of them are invisible to observation or systems of measurement.
However much we try to treat them alike, these threats are unrelated to one another and vary in scale and complexity, producing different harms with primary, secondary and tertiary impacts.
In other words, the only place where threats conveniently line up, look the same or similar, and share a common scale of risk is in artificial summations of real-world events such as risk registers, risk assessments or risk matrices.
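As an added illustration of the point made above and in the "Risk Management Follies" note earlier (this is example code written for this summary, not taken from any of the documents quoted here), the script below maps a handful of risks onto a 5x5 likelihood-by-impact matrix, multiplies the two ordinal scores as such formulas do, and compares the resulting priority order with the expected annual loss computed from the very same underlying numbers. The five risks, their probabilities and loss figures, and the bin boundaries of the matrix are all constructed and hypothetical.

```python
"""Ordinal 'likelihood x impact' scores versus expected loss.

Everything below is constructed for illustration: the five risks, their
annual probabilities and loss figures, and the bin boundaries of the
5x5 matrix are hypothetical, not taken from any real risk register.
"""
from dataclasses import dataclass

# Lower bound of each bin -> ordinal score. Bins are listed in ascending order.
LIKELIHOOD_BINS = [(0.00, 1), (0.05, 2), (0.20, 3), (0.50, 4), (0.80, 5)]  # annual probability
IMPACT_BINS = [(0, 1), (10_000, 2), (100_000, 3), (1_000_000, 4), (10_000_000, 5)]  # loss per event


def ordinal(value, bins):
    """Return the score of the highest bin whose lower bound `value` reaches."""
    score = bins[0][1]
    for lower, candidate in bins:
        if value >= lower:
            score = candidate
    return score


@dataclass(frozen=True)
class Risk:
    name: str
    annual_probability: float  # hypothetical, between 0 and 1
    loss_if_it_occurs: float   # hypothetical, in currency units

    def matrix_score(self) -> int:
        """The number a typical 'likelihood x impact' matrix produces."""
        return (ordinal(self.annual_probability, LIKELIHOOD_BINS)
                * ordinal(self.loss_if_it_occurs, IMPACT_BINS))

    def expected_annual_loss(self) -> float:
        """What the same two inputs give when treated as actual quantities."""
        return self.annual_probability * self.loss_if_it_occurs


# Constructed sample register (values are invented for the example).
RISKS = [
    Risk("Lost laptop with unencrypted data", 0.45, 120_000),
    Risk("Ransomware via exposed RDP", 0.06, 9_000_000),
    Risk("Tailgating into office", 0.85, 9_000),
    Risk("Phishing click on shared test account", 0.60, 5_000),
    Risk("Vendor data centre fire", 0.01, 9_500_000),
]


def rank_by_matrix(risks=RISKS):
    """Names in the order the matrix would prioritise them (ties broken by name)."""
    return [r.name for r in sorted(risks, key=lambda r: (-r.matrix_score(), r.name))]


def rank_by_expected_loss(risks=RISKS):
    """Names in descending order of expected annual loss."""
    return [r.name for r in sorted(risks, key=lambda r: -r.expected_annual_loss())]


def rank_shifts(risks=RISKS):
    """Map each name to (rank under the matrix, rank under expected loss), 1-based."""
    by_matrix = rank_by_matrix(risks)
    by_loss = rank_by_expected_loss(risks)
    return {name: (by_matrix.index(name) + 1, by_loss.index(name) + 1) for name in by_matrix}


def expected_loss_spread(score, risks=RISKS):
    """(min, max) expected annual loss among risks the matrix scores identically."""
    losses = [r.expected_annual_loss() for r in risks if r.matrix_score() == score]
    return (min(losses), max(losses)) if losses else None


if __name__ == "__main__":
    for name, (m, e) in rank_shifts().items():
        print(f"{name:40s} matrix rank {m}  expected-loss rank {e}")
    print("risks scoring 4 span expected losses of", expected_loss_spread(4))
```

With these constructed inputs the matrix puts the lost laptop first and the data-centre fire last, while expected loss puts the fire second and the laptop third; the two risks that both "score 4" differ by roughly a factor of thirty in expected loss. Nothing about the events changed between the two rankings, only whether the labels were treated as numbers.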
Risk Identification and Analysis: A guide
"As used in this guide, the term #risk refers to a possible loss or other adverse event that has the potential to interfere with a public entity’s financial stability or ability to fulfill its mission. By identifying risks and implementing an action plan to address them, public entities can protect their financial stability and their ability to provide services. Because risk is inherent in most productive activities, even the most conscientious efforts cannot eliminate all risk; they can, however, help public entities avoid or reduce the impact of risk on their operations. By including risk in its strategic planning process, a public entity can also plan safely to expand into service areas that it might otherwise avoid. "
Enterprise Risk Management for Financial Institutions
"Assessing #riskmanagement from an enterprise perspective is something that Standard & Poor’s has always done. This initiative is part of our culture to continually enhance our internal process, tighten it, make it more robust, put in more structure, and delve deeper. It’s just good business practice. In the past, assessing the risk management practices was done at a more general or aggregate level. Now we’re getting more specific and going deeper into certain aspects so as to get a firmer understanding of the robustness of an institution’s risk management practices. "
Risk Assessment Procedures: COVID-19
"...advocating a #riskassessment approach using a hierarchy of control common in good health and safety management and various pieces of legislation. We are advising no work should start without an up-to-date #risk assessment in place; this is particularly important in workplaces that are ramping up or re-opening based on current advice. There need to be robust systems in place identified by the assessment with detailed hygiene procedures and control measures for social distancing. NOTE: Where the term Reasonably Practicable is used in any Government or organisational guides, this legally interprets to mean that a risk assessment has to be undertaken. "
Security Culture: Essential metrics, measures and assurance of organisational and enterprise resilience
Cultural aspects and factors specific to security are routinely hidden within broad, often unsubstantiated perceptions of organisational culture.
However, security-specific culture can be empirically evaluated and measured by means of specific units of analysis.
Conversely, assertions or general claims of security culture in the absence of specific, objective and verifiable units of analysis remain little more than personal opinions or unsubstantiated, unscientific cultural tropes.
Risk Management: A snapshot
"Think of #riskmanagement as a stepped process of identifying hazards, assessing risks, controlling those #risks and then reviewing the efficacy of control measures over time or in response to an event. Events can change circumstances. If an event occurs; like a change in the work task, new tools, a workplace injury, a dangerous incident or even new legislative or industry practice—safe work procedures, risk assessments and the like must be reviewed since they will also change. Don’t forget that any change relating to a risk document may also require a review of induction or any other safety training offered at the workplace."
Information Technology Risk and Controls
"IT controls provide for assurance related to the reliability of information and information services. IT controls help mitigate the #risks associated with an organization’s use of technology. They range from corporate policies to their physical implementation within coded instructions; from physical access protection through the ability to trace actions and transactions to responsible individuals; and from automatic edits to reasonability analyses for large bodies of data. "
Metadata: Good Practice Guide
"Metadata #Security Constraints: The presence (or absence) of security restrictions on a metadata record may be important to document. Potential users need to be informed of any restrictions and responsibilities that apply to the use of such metadata."
Global Assessment: Disaster Risk Reduction
"#Risk creation is outstripping risk reduction. Disasters, economic loss and the underlying vulnerabilities that drive #risk, such as poverty and inequality, are increasing just as ecosystems and biospheres are at risk of collapse. Global systems are becoming more connected and therefore more vulnerable in an uncertain risk landscape. "
The Selfish Herd: False assumptions and narratives associated with resilience, risk management and protection
Individual or specific risk is routinely concealed in narratives of herd or community resilience.
That is, collectively, 'the herd' will survive if we all endure the risk together, as 'we are all in it together'.
However, in reality, threats, hazards, danger and peril are not equally or universally consistent across the herd or community.
Moreover, different 'victims' are exposed to threats at different times and in different ways but also may feel the full brunt of the risk on behalf of the group.
Health and Safety Risk Assessment
"A #riskassessment is not a paper exercise; it provides a method to ensure that all appropriate precautions or “controls” have been considered to make the work as safe as reasonably practicable, and a means of monitoring to check that improvements are being implemented effectively. A #risk assessment should be “suitable and sufficient” i.e. it should contain the following information: 1) Identification of significant #hazards 2) Identification of the existing precautions to reduce the risk i.e. “risk controls” (taking into account that elimination of the hazard is the first choice and that reliance on personal protective equipment should generally be the last choice) 3) Identification of any further controls required, in accordance with legislation and good practice, and based on the knowledge and experience of the assessor 4) Identification of the person responsible for completing any actions to implement the controls, and a target date for completion 5) Confirmation when the action has been completed, including date. "
Security Management Operations Manual
"For the purposes of this document, a “Special Event” is defined as any event, conference, meeting and special conference sponsored or organized by a United Nations #Security Management System organization that meets all of the following criteria:
a) The event is held at a venue other than on the premises of a United Nations Security Management System organization,
b) Personnel and other individuals of the United Nations Security Management System organization and third parties (i.e. government officials or private individuals) are participating in the event,
c) The United Nations Security Management System organization concerned has concluded or intends to conclude a legal agreement with the Host Country with respect to the Special Event. "
Risk Assessment: Example
"This #riskassessment is provided as an example only to demonstrate possible scenarios which may be applicable. Activities may vary considerably dependent on the nature of the particular event and therefore all events should be individually assessed to address associated #risks and relevant control measures. Accordingly, additional or alternate risks and control measures may be applicable for your event. "
Business Travel Safety, Security & Risk Management: Dynamic, Variable States of Safe, Secure & Threat
Threats, hazards and risks to business travellers are neither static nor consistent. That is, as an individual moves through the journey, they are exposed to dynamic, disparate and variable harm, threats, perils and dangers.
Moreover, the individual's own status changes too.
In other words, you are not the same person, facing the same foreseeable or routine threats and hazards, when you travel as you are at home or where you routinely work. Each stage of travel introduces new variables as you continually transition from a 'local' to a foreigner, 'other', traveller or tourist. In short, you change, the context changes and the location changes; therefore the risk is constantly changing too.
"The ACAPS #risk methodology defines risk as the probability of a hazard or multiple hazards materialising, combined with the estimated impact of such hazards. The associated risk level (low, medium, or high) rises with the hazard’s probability of occurring and the severity of its expected impact. "
"A #risk is an event or condition that, if it occurs, could have a positive or negative effect on a project’s objectives. #RiskManagement is the process of identifying, assessing, responding to, monitoring, and reporting #risks. This Risk Management Plan defines how risks associated with the <Project Name> project will be identified, analyzed, and managed. It outlines how risk management activities will be performed, recorded, and monitored throughout the lifecycle of the project and provides templates and practices for recording and prioritizing risks."
"What is risk assessment? A #riskassessment is nothing more than a careful examination of what, in your work, could cause harm to people, so that you can weigh up whether you have taken enough precautions or should do more to prevent harm. The aim is to make sure that no one gets hurt or becomes ill. Accidents and ill health can ruin lives, and affect your business too if output is lost, machinery is damaged, insurance costs increase, or you have to go to court. You are legally required to assess the #risks in your workplace. "
Physical Security: Body of Knowledge & Best Practice
"Professional knowledge is based on combinations of explicit and implicit domain specific knowledge, used in such a way that an individual can solve new problems within a professional domain by drawing on existing cognitive structures. The developing profession of #Security Science requires a means of transferring domain category knowledge in an efficient and meaningful manner for enhanced problem solving capabilities. It is therefore essential that novice learners (students) within the security domain are explicitly presented with an organizational structure of physical security knowledge categories to ensure they are able to employ a rich framework of cross referenced concepts in their future problem solving endeavours. "
Capability maturity model (CMM)
"Maturity level indicates level of process capability: 1) Initial 2) Repeatable 3) Defined 4) Managed 5) Optimizing"
Tony Ridley, MSc CSyP MSyI M.ISRM
Security, Safety, Risk, Resilience & Management Sciences
Certified ESG Expert : Personal Resilience Guardian : MBCP (DRII, USA) : Speaker : Author : 'The Continuity Moment Insight' - Invest -> Imbibe -> Initiate -> Introspect -> Innovate : CCIO
2 years ago: Good newsletter Tony Ridley, MSc CSyP MSyI M.ISRM
Working as CSO - RGA (PRITECH PARK -SEZ ) BANGALORE
2 years ago: Thanks sir once again for your articles posted. I have gone through your articles and benefited by developing knowledge from your articles.