Meaning of Risk Mitigation
Risk mitigation management is a critical process that touches every aspect of organizational asset protection and of the professional protection officer's daily work. There are many specific and formalized models for risk management, including some sophisticated computer models, but all rest on a basic "asset, threat, vulnerability, impact" model: identify what must be protected, who or what might harm it, how it is exposed, and what a loss would cost. The simple goal is to make "smart security decisions," whether about how to structure the security function of a large multinational corporation or how to word an incident report. Every security professional should become intimately acquainted with security risk management concepts and incorporate them into their mindset and business practices at all levels.
Risk management and risk mitigation strategies are now fundamental concepts in the fields of security, asset protection, and crime/loss prevention. Risk management principles help us conserve limited resources (time, effort, manpower, and money), apply the right solutions in the right places, and adapt to changes in the operational environment. Furthermore, as the quote above illustrates, it keeps us alert to the wide range of threats faced by any type of organization.
The five paths to risk management
Risk avoidance is the most direct way to address risk: it means removing any chance of the loss event occurring, typically by not undertaking the activity, or not holding the asset, that gives rise to the risk. Many security professionals regard full risk avoidance as impractical and thus essentially irrelevant, because the actions required to avoid a risk completely would usually negate the organization's ability to carry out its mission or achieve its goals.
Risk spreading means avoiding placing "all of your eggs in one basket," and it is a highly effective technique. The best example is the geographic distribution of a company's assets. If a company keeps its entire stock of high-value goods in a single warehouse, a major loss event there (theft, flood, fire, and so on) could destroy 100% of that inventory. If instead the goods were distributed among three geographically separated warehouses, a single loss event could claim only about one third of the total. This simplified example illustrates the concept well. The practice of off-site backups for computer data is another good example of risk spreading: by storing a copy of this valuable "asset" at another location, the loss of the original data can be recovered from relatively quickly, provided the copy is current and the restore procedure has actually been tested. Risk spreading can increase the cost of an operation, but the reduced exposure of critical assets generally justifies the usually modest added cost.
Risk transfer: purchasing insurance is the typical example. Although not commonly considered part of the traditional "security" function, insurance is a key component of an organization's (or a person's) risk management strategy. Note that insurance does not prevent the loss; it shifts the financial consequences of the loss to another party. Another way to transfer risk is to make your facility a less attractive target than other potential objectives (such as neighboring facilities). Even if it is hardly neighborly, it is a way to "transfer" part of the risk to a neighbor. In some cases, contractual clauses or other formal agreements may be used to transfer some of the risk to suppliers, vendors, or other parties; the organization usually remains accountable to its own customers and regulators for the outcome, so what is transferred is liability rather than responsibility.
Risk reduction: in essence, risk reduction means any security countermeasure or other measure that lowers the risk to the assets. Action that reduces the vulnerability term of the risk equation is the most common and direct way to reduce risk (whereas risk spreading and risk transfer primarily decrease the impact of a loss event rather than its likelihood). Common mechanisms for reducing risk include security countermeasures, policy enforcement, training, awareness, and the financial and legal positioning of employees.
Risk acceptance: after all the measures of risk spreading, risk transfer, and risk reduction have been taken, some risk will remain, because eliminating risk entirely is virtually impossible (except as discussed under risk avoidance). This remaining risk is known as "residual risk." Setting shrinkage tolerances in retail is an example of risk acceptance. In addition, certain organizations have established a formal risk acceptance process. For instance, after reviewing the threats and the protective measures in place, the U.S. Department of Defense requires a "Designated Approving Authority" to sign a document stating that it accepts the residual risk in the IT (Information Technology) systems under its jurisdiction. In effect, this requirement is part of the IT system accreditation process across U.S. government agencies.
Working through the five ways of responding to risk, and the corresponding risk mitigation strategies, is an excellent exercise and can help protection professionals and management consider multiple asset-protection approaches rather than fixating on a single one.
The Four “D’S”
The “Four D’s” are deterrence, denial, detection, and delay. The first goal of asset protection, according to this concept, is to deter any type of attack or attempt by a potential adversary.
The second goal is to prevent the potential adversary from accessing the target (or asset). This is usually accomplished through traditional access controls as well as other physical, personnel, or technical security measures.
If deterrence and denial fail in whole or in part, the next goal is to detect the attack or situation. This can be accomplished in a variety of ways, including the traditional use of surveillance and intrusion detection systems, human observation, or even a management system that immediately identifies or flags shortages or inconsistencies (for example, an inventory tracking system that reports out-of-tolerance conditions).
Finally, once an attack or attempt is underway, the goal should be to delay the perpetrators long enough for them to give up or for an appropriate security or law enforcement response to reach the scene. The "Four D's," like the other foundational concepts, can be applied in a traditional physical security environment or in a logical security sense to IT systems. In cybersecurity, tools such as access control, authentication, encryption, intrusion detection systems, anomaly reporting, firewalls, port management, and content filtering work together to support the "Four D's": authentication, access control, firewalls, port management, and content filtering deny access; intrusion detection systems and anomaly reporting detect; encryption delays an attacker who reaches the data by making it unusable without the key; and the visible presence of these controls deters.