Finding sensible PHYSEC solutions - Part 2
Most people understand that physical security control measures, such as security alarms, access control and CCTV systems, are a necessary evil in this day and age. However, when it comes to what security measures to install, and to what extent, everyone has a different view. Nobody wants to “undercook” their physical security and risk insufficient protection of their people and assets. But neither does anyone want to throw money away on extensive and expensive systems that are unnecessary.
In this series of blogs, we are outlining a basic process that can be used to help you determine a pragmatic, proportionate and effective physical security solution for your organisation. In Part One we looked at threat and risk. In this instalment we consider how to apply threat and risk assessments to your organisation’s physical security environment. We will then look at some of the principles of physical security and how these apply to different physical security control measures. Finally, we will pull everything together to present a high-level process for determining an appropriate physical security solution for your business.
It's probably worth noting that the language and terminology used in this series of blogs has been deliberately simplified so that it can be understood by everyone and not just the technical experts!
Applying Risk Assessments
In the previous instalment in this series, we looked at threat and risk, covering the high-level concepts in identifying the physical security risks to your organisation. This part looks at how to use that risk assessment.
Balancing detail:
Threats and risks can be expressed broadly (for example, the assessed threat of terrorism in New Zealand is Medium). A broad threat and risk analysis will, however, yield broad results, which may be less helpful when looking at specific risk mitigations.
Defining threats and risks in more detail can be beneficial – the more specific the risk, the more specific the risk mitigation. However, on the flip side, too much detail can become overwhelming and counterproductive.
A good place to start is to focus on the threats that are most relevant to your organisation. The categories in Table 1 of the first blog cover a wide gamut of threat sources, and it is likely only a few will be particularly relevant to your organisation. Likewise, similar risks can sometimes be grouped together.
Handling risks:
Risks can be either tolerated, terminated, treated or transferred.
Tolerate: Accept the risk without mitigation (or further mitigation). This may be employed when the risk consequence is assessed as being very low or the cost of mitigation is disproportionate to the risk rating. For example, just accept that tools will sometimes be stolen and need to be replaced. Tolerate also applies to residual risk: once mitigations have lowered a risk’s rating to a level within the organisation’s risk appetite, the remaining risk is tolerated.
Terminate: Remove the object of the risk – for example, stop undertaking the work that requires tools to be stored at high crime sites.
Transfer: The risk is transferred to a third party. For example, the financial component of the risk of stolen tools can be transferred to an insurance company through an insurance policy.
Treat: Develop one or more options to mitigate the risk. This is usually the most appropriate option when it comes to physical security risks and is where physical security control measures come into play.
Determining where your organisation’s risk tolerance level, or risk appetite, sits is a key component of the risk assessment process. It gives a clear picture of what risks can be tolerated without mitigation and what physical security measures are needed to bring the other identified risks down to an acceptable level.
A risk can be mitigated by either reducing the likelihood of a threat action or event occurring, or by reducing the consequence or impact on your organisation should the threat action or event occur. Risk mitigation measures will generally operate on one or both of these risk aspects. For example, storing tools in a more robust shed with a high-grade lock will make it harder to access the tools, thus reducing the likelihood they will be stolen. Ensuring a second set of tools is available at another site means work can continue even if one set of tools is stolen, thus reducing the impact of the tools being stolen.
In part one we looked at threat and risk, along with how to develop a set of physical security risks for your organisation. In part two we looked at how to put these identified risks into context within your organisation. In the next part we will diverge slightly and look at some of the concepts and principles around physical security and how they apply to physical security control measures before bringing all the components together in the final part.