Businesses across the globe face all kinds of risks on a daily basis, and these risks are constantly evolving. That’s why we’re always seeking to improve the solutions we offer and challenge our clients to look at things differently.
At G4S we have a security risk management model that helps businesses to build, customize and develop security programs that are ideally suited to their individual needs and environments, whether it’s critical energy infrastructure, a bank, retail space or an office.
Building a program from the ground up.
While there are countless risk management models on the market, after a lot of research we found they tend to use inconsistent language, and there’s a lack of specific methodology or structure, making the user experience more difficult. So we decided to go beyond the security industry and work with an academic partner, the Georgia State University Center for Process Innovation, who could look at the issue from a completely outside perspective.
It’s a really similar concept to the Effects Based Security Design planning method, but we’re using it to build a comprehensive, consistent and easy-to-use software solution that takes it to a whole new level.
Before a business can determine what security solutions are right for them – be it the number of security officers posted at a site, the number of cameras surrounding a perimeter, or the level of identity and visitor management required – they need to ask themselves some fundamental questions:
What am I looking to protect?
What do I want to protect it from?
How do I prevent an incident or risk from happening?
If something does happen, how can it be contained?
How do I recover from it?
With this in mind, our model takes you through the entire risk management process, which includes three key components: resources, risks and resolutions.
The first step involves sitting down with the client and identifying all of the resources they want to protect. These could be physical resources, such as buildings, critical infrastructure or valuable equipment, knowledge-based resources, such as intellectual property, or organizational resources, such as people or governance structure. Once we’ve created a list, we’ll assign a value to each resource.
This can be quite simple; for example, if somebody were to steal a vehicle from a site there would be an insured value against it. On the flip side, for something like intellectual property that has no insured value, we’ll work out what we think this resource is worth to the business.
Then, we sit back and look at the likelihood of these resources being exposed to particular risks. These could be contextual risks, such as workplace safety or natural disasters, criminal risks, such as theft or cybercrime, or business risks, such as compliance or legal issues.
We’ll take into account how frequently incidents like these have occurred in the past, using a client’s historical data and – where there are gaps – industry-wide resources, such as the FBI’s Uniform Crime Report, to build a clear and well-informed picture.
Finally, we’ll identify the most appropriate resolutions that will enable the client to manage and tackle these risks. These span three main categories: prevention, containment and recovery.
Firstly, preventative resolutions, such as carrying out background checks on all visitors to a site or having perimeter protection in place, aim to stop an incident from happening in the first place. Secondly, containment resolutions, such as having intrusion detection or fire safety systems installed, help to mitigate risks during an incident in order to minimise the impact it has on a site, a business or its people. Lastly, recovery resolutions, like investigations or security forensics, are designed to alleviate risks after an incident has occurred, ensuring that business operations recover quickly and that damage is as minimal as possible.
A Constantly Evolving Security Program
As a whole, this model allows us to work with businesses to monitor their resources, understand the risks they face and, together, come up with the most appropriate and effective resolutions. We can also use this information to work out the total cost of ownership – based on the client’s exposure to certain risks – as well as the cost of the various resolutions that we’re going to put in place.
Once we’ve got this framework together, we’ll continue to work with them to monitor the progress of the security program, using real-time intelligence and data analytics to create reports. This way, we can make sure the program is consistently working at its best, and is in line with the business’s requirements, which can change over time. We call this the risk management lifecycle.
We believe this type of model can change the way we think about security, for the better. That’s why we’re asking our entire business, our clients and the wider industry to look at security programs with a truly risk-based, data-driven approach – this is the future.
Joe Young is the Sr. Director of Cloud & Enterprise Solutions for G4S, overseeing technology, strategy and innovation for the G4S Secure Integration managed services division.