The protection of company and organizational assets from loss, howsoever caused, is critical to maintaining and increasing business capability and profitability.
The key to the successful protection of an organization’s assets lies in a radical, pragmatic and balanced approach to the company’s overall security. It is also the case that what works for one organization may not necessarily work for another, even if those organizations operate in the same sector.
Our Security Consultants apply a lateral problem-solving approach, involving understanding the organization’s business model to ensure the effective introduction of measures not only to improve security and reduce loss, but also to enhance and support business operations. This four-phase process is applicable to all organizations including those in retail, finance, manufacturing, service, leisure, Government (including local government), entertainment and construction sectors.
What We Do
Phase One – The Identification of Areas at Risk
The first stage in the process is the identification of areas that are at risk. But the risks to an organization’s operations can be diverse and include for example, reputation, product contamination, fraud, theft and supply chain disruption, as well as the more obvious, IT equipment, buildings and people.
Working at both strategic and operational level throughout the organization. Our Security Consultants will identify all areas within organization’s operations that may be at “risk”.
Phase Two – Risk Assessment
Quantitative and qualitative assessment of risk tends to be complex. As a direct result most risk assessments become threat assessments rather than assessment of actual risk.
Threat assessments apply a mathematical formula that takes into account the probability of loss or an event occurring and the magnitude of the potential loss. The problem with this approach is that even if the magnitude of loss is potentially catastrophic the rating of risk is low as the probability of loss or event occurring is taken into account.
Our Security Consultants take on a different approach and assess ‘pure risk’ and rate the risk according to the potential impact on the organization, irrespective of the likelihood. In broad terms, the risk assessment process can be broken down into the following three areas:
- Loss Event Profile – this analyzes all the ‘pure risk’ events, which are likely to happen. The analysis looks at all factors which could produce an incident, utilizes statistics, previous experience and eventually determines the complete range of threats and risks
- Loss Event Probability – this stage in the process analyzes the likelihood of threats and risks identified in the Loss Event Profile becoming a reality. The physical environment, social environment, past data, criminal trends, etc. are all taken into account in determining the probability of the risks actually taking place. Risks can then be rated under a variety of headings. For example, virtually certain, down to probability unknown
- Loss Event Criticality – This stage looks at the financial costs whether they are direct or indirect, which would result from an incident taking place. Direct costs are easy to estimate, but account must be taken of the indirect and consequential costs – e.g. reputation, goodwill, community relations and employee morale to name a few. Criticality may be rated as fatal to the organization, down to seriousness unknown, with a number of divisions between. The final step in the process is to arrange the entire body of rated risks into a sequence of priority for counter-measures attention – The Risk Management Plan
Phase Three – Security Survey
The security survey is essentially a physical examination of the client’s premises and the immediate environs, including a thorough inspection of all operational systems and procedures. Following completion of the first two phases, consultants produce bespoke security survey checklists to be used during the security survey.
The security survey has as its overall objective to
- analyze the client’s facility to determine the existing state of its security
- locate weaknesses in its current defence structure
- determine the degree of protection required
- lead to recommendations for establishing the Risk Management Plan.
Phase Four – Risk Management
Risk management is the application of the same broad principles that apply to solving all management problems. The primary objective is to save money by minimizing in a cost-effective way, the drain on resources brought about as the result of loss.
In this phase the results of the previous three phases are reported and form the basis of the Risk Management Plan.
It is widely accepted that the techniques to manage the risks identified fall into one or more of the following categories:
- Avoidance (eliminating the risk altogether)
- Reduction (reducing the severity of the loss or the likelihood of the loss occurring)
- Sharing (transferring the risk for example through outsourcing)
- Retention (accepting the risk)
The Risk Management Plan will propose applicable, proportionate and effective controls or countermeasures for managing the risks identified while taking into account the technique categories. Additionally, and most importantly the RMG Security Consultants would prepare a Risk Management Plan that will include an Action Plan for client ‘sign-off’ and implementation. The Action Plan will out outline the sequence in which the consultant recommendations (countermeasures) should be introduced while taking into account the following:
- the cost of implementation
- ease of implementation
- any risk associated with the countermeasure
- the benefit of the outcome from implementation while keeping into consideration of whether the benefits are realized in the short, medium or longer terms
The Risk Management Plan includes a cost benefit analysis to justify the introduction of the countermeasures proposed by consultants. Where recommendations indicate a range of countermeasure options, the comparative advantages and disadvantages of each option are assessed to enable the client to decide which option is best to implement.