Guide to Security Risk Assessment

Introduction
Risk is a product of threats and vulnerability (risk = threat x vulnerability). A
structured security risk assessment will help to identify the likely threats, the
degree of vulnerability to them and will assist in making decisions about
whether the risks are acceptable and manageable. It is a thorough
examination of what could cause intentional loss or harm, in order to reduce
and manage the risks.

In many cases, risk can be effectively reduced and managed through having
and practising appropriate security strategies and guidelines. However,
effective risk reduction requires continual monitoring, reassessment and
revision.

A security risk assessment includes the following components: understanding

and identifying threats, the degree of XXX’s vulnerability to threats,
consideration of probability and impact and agreement about what is an
acceptable level of risk.

Understanding and Identifying Threats

Threats are generally of two main types: inherent (non-targeted) or targeted.
Inherent threats are part of the working environment and could affect anyone
e.g. travel, wrong place wrong time, indiscriminate weapons. They are often
predictable and can be managed effectively. Targeted threats may target all
agencies, or just XXX or an individual staff member e.g. acts of violence,
detention or harassment. Targeted threats may be more difficult to anticipate,
and therefore harder to plan and adopt appropriate security measures for.

Threats tend to come from five main sources

• Military and terrorists actions
• Politically motivated actions
• Criminal actions
• Actions by disgruntled populations (either beneficiary or host)
• Actions by disgruntled staff.

The first step is to identify the different types of threats in the working
environment, to understand them and how they may affect staff and
programme. This information may be gathered from discussion with staff,
agency colleagues and local sources; brainstorming with staff is a simple way
to develop an initial list. Key areas are:

Types of threats: identify inherent and targeted threats in the environment

such as: armed robbery, landmines, car jacking or harassment.

Frequency: which of the threats identified occur most often (bearing in mind
that some threats, such as rape, are under-reported).

Geography: where do the threats occur? Armed robbery might take place on
specific roads, harassment at specific checkpoints.
Is there a Pattern? are threats random or predictable e.g. is armed robbery
more likely after cash movements? Who tends to be the victims, did they have
specific vulnerabilities? Who are the perpetrators? Incidents viewed in
isolation may mean little, but if grouped with others, patterns may be
determined.

Future Trends: anticipating what may happen in the future requires a good
knowledge of the context and of current events. Key questions include:
• Are identified threats likely to increase or decrease over the next few
months?
• Are things changing over time, particular incidents occurring more
frequently, specific areas becoming more dangerous? Is the probability or
the severity of the threat increasing or decreasing?
• Given the context analysis, what currently unidentified threats may emerge
as a source of security incidents?
• Could XXX become a target for these new threats?

Vulnerability Analysis
Not all NGOs and staff are equally vulnerable to the threats identified.
Vulnerability analysis aims to establish why XXX, and specific team members,
might be at more or less risk. Vulnerability may be different depending on
issues such as:

The individual
• Who - gender, nationality, ethnicity.
• Where - specific job location, travel routes, location of residence.
• Role - responsibilities, representation, profile.

The organisation
• Image and behaviour of staff in the community, XXX’s reputation.
• Impact of the programme, who is XXX helping, who are XXX’s partners.
• XXX identity as a [Western] organisation, or association with [International]
affiliates.
• Communications, advocacy or lobbying – public messages.
• Location of office, residences, warehouse or programme sites, value of
assets.

XXX’s vulnerability is directly affected by the adoption of, and compliance

with, appropriate security measures taken to reduce the risk. Security
measures need to be appropriate to the types of threat and specific
vulnerabilities identified. Staff must be competent and disciplined about
complying with security measures.

Probability and Impact

Risk reduction measures should focus on the threats that are the greatest
risk, decided by how probable it is that the threat may occur to XXX, and the
likely impact to the individual and to the organisation. The greatest threats are
those that are of high probability and high impact. For example: although bag
snatching may be frequent, the impact is quite low; alternatively the impact of
a member of staff being shot in cross fire would be serious, but in your
analysis it may be unlikely to happen to XXX as we don’t work in the area
where it regularly occurs. Though both need security measures in place to
deal with them, understanding the risks in detail will enable you to focus on
the most significant threats, to adopt appropriate security measures and to
avoid unnecessary measures.

What is an Acceptable Risk?

The threshold of acceptable risk is the level beyond which XXX will not
tolerate risk. It may vary between locations dependent on a number of factors,
such as type of programme and the competence of staff to manage insecure
situations. It may also vary between different tasks e.g. although it may be
acceptable to take risks to get medical assistance, the same risks might not
be taken to attend a meeting.

Other agencies may accept a different level of risk from XXX; they may have
a different interpretation of the security situation, their vulnerabilities may be
different, or they may have a different mandate.

What is an acceptable risk for XXX, in any given situation, should be

discussed and defined before incidents occur. Setting the level of acceptable
risk, through indicators or benchmarks, will help Managers judge whether
risks are manageable and have been reduced to an acceptable level. It
involves looking at the probability of threats occurring and their impact if they
do.

In thinking about what is an acceptable level of risk, consider the following:

• What is the probability of particular threats happening to XXX?
• How serious might the impact be on individuals and on the organisation?
• What measures can be taken to reduce the probability and the impact?
• At what level can the impact not be reduced sufficiently to allow work to
continue.

Conclusion
Hopefully, you now have a good understanding of the threats in the
environment, of XXX’s particular vulnerability to those threats, the overall level
of risk and the specific level of risk XXX will tolerate. Having completed the
risk assessment, the analysis must be translated into practical and relevant
risk reduction measures, through the design of an effective security
management system, including appropriate strategies and security
procedures.

References and Further Reading

RedR Security Management Workshop Training module
Operational Security Management In Violent Environments, by Koenraad Van
Brabant, ODI, HPN, GPR.