The paper "Security Risk Management" is an outstanding example of a management literature review. The study focuses mainly on issues related to security and risk management, but first it defines the term risk and how risks can be managed in any given organization or society…
Title : Security Risk Management
@ 2010
Security Risk Management
Introduction
This study focuses mainly on issues related to security and risk management, but first it defines the term risk and explains how risks can be managed in any given organization or society. The scope of the study also includes several strategies that an organization can put in place to make sure it maintains a proper risk management strategy. “A risk is defined as a threat or probability of a loss, injury, damage, liability or any other negative occurrence resulting from vulnerabilities originating from within or without, and this can be avoided through premeditated action (Blakely 1997).” Risk management may also refer to the process through which an organization analyzes and either accepts or seeks to reduce or avoid an uncertainty in making decisions for investments. It is done any time that an investor foresees the potential for a risk to occur and takes the necessary action to avert the risk. Lack of proper management of risks results in losses to people or organizations. Risk management is an approach that aims at cushioning a company from risks (Blakely 1997).
Some costly risks can occur in a company and cause a huge loss that may adversely affect the company’s activities. Risk management strategies are used to prevent such losses from occurring. Risks are caused by hazards within the organization that have not been attended to at the right time. A hazard is the potential that something has to cause harm, while a risk is the possibility of harm taking place. According to Williams et al (1989), risk management involves identification, analysis, evaluation, addressing and monitoring of the risk. Identification makes known the specific risks whose occurrence is a reality. It is important because measures to manage or control the risk cannot be effective if the exact threat is not known.
Analysis and evaluation of a risk help to establish how much effort or resources should be invested in its management. They give a rough idea of the magnitude of the risk. Addressing the risk involves putting in place the appropriate measures to try to deal with the possibility of occurrence of the risk. Risk management systems aim at reducing the vulnerabilities that come with lawsuits, accidents, and deaths among other losses. Risk management strategies normally make use of policies, practices and procedures to prevent risks from occurring. Such strategies include reducing risks, transferring them or avoiding them (Griffith 2000).
In risk management the risks facing a company are identified and assessed and actions taken to shield the company from the potential of incurring losses as a result of those risks. Risks normally cause harm in the future but they also come with opportunities. Companies can gain substantially through taking of risks. Risk management is important in a company so that possible risks can be analyzed and potential gains balanced with potential losses so that mistakes that can be costly to the company are avoided. Risk management is applied as a measure for prevention instead of being a reactive measure.
Risks are considered when companies are doing well with expanding markets so as to maintain growth and high profit margins. White (2004) observes that the risk manager has a responsibility of predicting and enforcing measures to prevent or curb losses in the organization. The process of risk management entails identifying exposure to possible losses, measuring these exposures and making decisions on how to cushion the organization from danger, considering the company’s objectives and resources. Some risks are more important to an organization than others (White 2004).
The risk management field started in the 1970s, rising from the insurance management field that already existed at that time. The phrase risk management was favored since the field of risk management has a wider scope than insurance management. Risk management encompasses other aspects not covered by insurance. However, insurance is a critical part of risk management and some risk managers are actually insurance agents. Insurance aimed at giving protection to companies against natural disasters and ordinary risks like fire, employee injuries, and theft. Risk management has a wider scope since, on top of these, it caters for heavy losses that are caused by employment practices, product liability, currency fluctuations, environmental degradation, accounting compliance, electronic commerce and offshore outsourcing. In the 1980s and 1990s the field of risk management evolved to become an integral part of company strategy and planning (Hernandez 2000).
The process of risk management comprises 6 steps. The first step is the determination of the company’s objectives. The objectives of the company provide the direction that the risk management process will take. For example, if the major objective of a company is growth, then the risk management system will aim at averting losses that could reduce the growth of the company in whichever sector. The objectives also help to tie the company policies together with risk management programs for the sake of harmony and cohesion (Tongson 2000).
Next is the identification of the possibility of loss occurrence. Identification helps to put into perspective what type of risk can occur and what the probability is that it is going to occur. The certainty that a given risk will occur can give the organization the confidence to start planning for it by determining the company’s level of exposure to the risk and so forth. This also helps the company to estimate the timing of the risk, since relevant information can easily be sought on the same issue beforehand (Tongson 2000).
The third step involves the measurement of these exposures to loss. Hernandez (2000) argues that this step should display the level of exposure of the organization to losses. The level of exposure of the organization to risks is what determines whether risk management is necessary and to what extent. Where the exposure is high, appropriate actions are taken to reduce the severity of the risk. If the level of exposure is low, then the alternative of risk retention can be taken, since the probability of the risk occurring is also low. Risk retention requires the organization to suffer the consequences, and in this case, because the exposure is small, the loss, if any, might not be so big (Hernandez 2000). The fourth step is to select alternatives, then to implement solutions and finally to monitor the results. An organization must have a primary objective (Griffith 2000). This is the objective that dictates the strategy of the company in risk management. Organizations can employ a number of alternatives in risk management, such as assuming, avoiding, reducing or transferring risk.
A company can also use the risk retention method, or ‘self insurance’, whereby it creates a fund for use in the event of losses (Blakely 1997). In such a case the fund is used to rectify the situation in case a risk occurs and a loss is incurred. In most cases such a risk should not have a high probability of occurring. It should be rare and, again, if it does occur, its magnitude should not be so great that it can badly affect the company’s financial stability or operations. These alternatives for risk management can also be combined in the implementation process. Monitoring is the last step, in which a review of the risk management tools of the organization is carried out regularly. This review seeks to reveal whether the tools need to be modified or have attained the intended outcome (Griffith 2000).
In the creation and assessment of my loss prevention program for risk management in my work environment, four alternatives or strategies can be employed. I could use the risk reduction method, the risk transfer method, risk avoidance or risk assumption. The organization involved is one that provides security services to various clients. In the risk reduction strategy I will create and assess a program that seeks to reduce risks and their consequences in the company (Telegro et al 1998).
Loss prevention (avoidance) program
Loss prevention or avoidance is the adoption of appropriate measures to prevent the occurrence of a risk. Methods such as training for the safety of workers are used.
A loss prevention program is meant to create safe working conditions which are healthful for all workers. It should be backed by clear objectives that aim at lifting performance.
In the process of creating a program to avert losses, a safety statement together with the objectives should be stated. The reason for the objectives and statement is to make formal the commitment of the management to protect the health and safety of workers (Simons 1999).
The safety goals of the organization should be stated together with its tactics and objectives. Annual goals should be set to guide the program. The goals in my work environment may include reduction in loss of property (Blakely 1997). Since this is an organization dealing with security matters, I could have objectives that seek to deal with breaches in security such as attacks from intruders, thefts and general safety.
In its objectives and safety statement I need to state clearly that all workers have the opportunity of making their suggestions to the management through their supervisors on how best we can conduct affairs around the camp. To achieve the objectives of the program I would then set out clear steps of action to show the way in the implementation of the loss prevention program. In security matters an action like ‘provide more training for all employees’ would be appropriate. This action would guide the organization in the provision of training to the guards so that they are well equipped to deal with security threats (Quinn et al 2005).
When employees are trained, they are made to understand the requirements of the safety program as well. I would then identify the duties and responsibilities plus the mandate of the management, safety committee, employees and supervisors in the implementation of the loss reduction program. In the duties description in my company, for example, I can lay out the responsibilities of my president as: provision of leadership to those under him in accepting, enforcing and maintaining the program of loss reduction, provision of the required resources, carrying out a review of safety records together with reporting functions, supporting and attending safety functions, enhancing communication within the company, and overseeing the following up of recommendations made to lift performance (Lam 2003).
I would also provide the responsibilities of the safety coordinator in my company as follows: reviewing the forms used in job safety inspections and planning for review tasks, complying with the right procedure for investigating and reporting accidents, enforcing the right procedure for recruitment of employees, ensuring that the safety laws of the land we operate in are followed, inspecting the compound to uncover any safety hazard and taking appropriate action to rectify the problem, and implementing employee training in safety, among other assigned duties (Braunstein 2005).
My own responsibilities as the manager would also be outlined thus: inspecting the compound for hazards and putting corrective measures in place, fostering compliance with laws made by the company and the state or any other concerned authority, helping in the establishment of employee recruitment and orientation procedure, carrying out orientation of new workers to the company working environment, training workers engaged in accidents, and emphasizing the use of protective gear while on duty (Head 1991).
The duties of the supervisors would be explained in the loss reduction program as: orienting incoming employees, reporting hazardous equipment on the camp, reporting incidents and accidents and helping in finding solutions, reviewing everyday employee activity, maintaining proper housekeeping, encouraging the wearing of protective equipment, investigating accidents, instructing employees engaged in accidents, inspecting the whole camp area and carrying out safety inspections for the security job (Flakes 1993).
I also have the responsibility of letting the employees know all their responsibilities in the program. Security employees would be expected to: understand and obey safety policies and rules, uphold mental as well as physical standards at work, inspect assigned work areas on a daily basis, forward reports of accidents or situations that threaten to turn into accidents, appear in safety meetings, lengthen equipment life through proper use and have knowledge of how to maintain the protective equipment they use (Dowd 1988).
After that, an explanation of the enforcement of the program must be given alongside the method of gauging the level of participation and its maintenance. In the explanation I would make it clear that every concerned member needs to know his responsibility and strive to play his role for the program to succeed. In this loss prevention program I would make an outline of the responsibilities of all the people concerned in its implementation, for example employees, supervisor, risk manager, safety committee, manager and so forth (Williams 1989).
The actions of employees will be guided by the operating rules, standards and procedures at work. The rules explain the management’s expectations in terms of actions and standards of performance. Written rules differ from one company to another and every company has its specific rules governing its affairs. Some rules may describe the past problems encountered in security lapses, such as descriptions of losses that have been witnessed. Warnings against such losses may also be included, as well as hints on how to avoid them (Griffith 2000). A regular annual review will then be carried out on the rules and procedures of work, bearing in mind the losses that were incurred in the past twelve months. Enforcement comes in at this level, whereby employees are encouraged to keep safety rules. Training is crucial since it enables the employees to know and observe all safety rules.
In the loss reduction program of my security organization, I will then explain what happens if any employee does not observe the safety rules. Such an employee will be made to know that he will be penalized. I will then elaborate the procedure that is to be taken to discipline an employee, such as written warning preceding a verbal warning or otherwise (Blakely 1997). I would also give an elaboration of all the disciplinary measures that would be taken in case of disobedience to the rules. Suspension and termination of employment are some of the things I would seek to elaborate on.
Training of employees is one of the activities undertaken in loss prevention programs to ensure proper management of risks. Both continuing and new workers should undergo training. In the security organization work environment I could design the training of employees to teach them how to work in safety by mastering the safety skills outlined in the program (Williams 1989).
In the same regard they also need to be taught about hazards in the work place and the methods of preventing them. I would also recommend training for the guards in the area of investigating, searching and recognizing criminals visiting the camp. Further training could be given to the guards on how to man the towers and the exits within the perimeter fence around the camp. Employees will also be made to understand the rules that govern the working environment. In the program I will also create a partnership between the management and the employees whose aim is to foster the safety of every worker (Head 1991).
The program will also have a review of safety in the security organization and a process of inspection. This will help in the identification of operational hazards and observance of the working methods of the guards. Regular inspections and reviews are necessary in order to measure the level of effectiveness of the program of loss prevention. In my safety review I would look out for environmental hazards in the work place, the setup of the work place, modified tasks of work, work activity, and the level of awareness among the employees of conditions. In the same review I would work out a plan for the elimination of all physical hazards listed (Blakely 1997).
Hazards are potential risks and if not dealt with they can result in huge losses. For example, in my security company there could be hazards like power failure at certain times of the night. Since darkness does not promote security, plans to get alternative sources of energy have to be made. This may help to keep the camp well lit even when electricity is gone. The next thing is to modify the work stations or the standard procedures of operation. The inspections done are supposed to be documented, along with all procedures for follow-ups.
Another important thing is to gauge whether all recommendations made previously have been acted upon appropriately (Williams 1989). I would be doing no work if past suggestions and recommendations were just filed and nothing more heard of them. As a manager for the security firm, I will follow every proposition and recommendation to ensure that they are implemented. Neglected recommendations may become a problem in the future if risks occur after something had been said about them but not followed up.
I would also elaborate on the procedures and methods for reviewing the work site. This is also an important part of the program. I would explain that the review of the work site seeks to reveal all potential hazards that may be in the place of work. At this stage I need to lay out the steps for the review. They include selection of the work for review, splitting the job into sequential steps and observing the procedures, identification of hazards or possible accidents and the development of solutions for those accidents (Conley 1999).
The next thing will be the accident investigation and reporting process, because accidents still occur even where precautions have been put in place. In case of any unfortunate event a proper investigation needs to be carried out. In the investigation the circumstances surrounding the event will be determined. Problem areas and trends will be identified with the aid of a standardized investigation form. The follow up will involve taking the necessary actions to avert any future accidents. The follow up should ensure that the appropriate corrective measures are put in place as soon as possible. More training in safety and safer methods of work are necessary at this point. I would then lay out the required procedure acceptable in my security company for investigating accidents. Another procedure to be outlined is that of how to prepare a report in writing. In the procedure I would outline that information is required on: personnel and past information, a description of the accident or any relevant information, an analysis of the causes of the accident, the steps to prevent future accidents and finally miscellaneous information. A procedure for reporting accident occurrences would then be provided in detail as well (Lam 2003).
Risk reduction
Reducing a risk involves applying measures to lower the severity of losses. The risk might occur and the organization might face the consequences, but their effects would have been cut down by measures put in place to control it. The important thing is to minimize the risk effects via response systems which can neutralize any consequence resulting from a mishap or any unfortunate event that may occur. In the end the company does not suffer much loss resulting from the occurrence of the risk (Flakes 1993). In my work environment, which is the security camp, this strategy can be applied too. I could mobilize the guards to implement appropriate intervention measures to make sure that any risk that occurs does not do much harm to the company. For example, more guards could be posted at vulnerable sites to boost security and reduce the risk of property loss or attacks from outsiders. The guards can also be equipped with modern security equipment to ensure that they are very effective in case of an attack. This will reduce the risk of a successful invasion that might end in their death or the stealing of valuable property (Braunstein 2005).
Risk Transfer
According to Mills (1998), a risk can be transferred from one party to another. This is called risk transfer, whereby a contract is used to place the responsibility for loss on the other party, for example in insurance agreements. The insurance option is chosen in cases where the other alternatives fail to give adequate protection from risks, sometimes when the magnitude of the risk is high or the company’s exposure level is high. In my working environment, risks such as huge losses of property or death of employees and serious injuries on duty can be insured. The reason is that such risks will require huge amounts of money in order to replace property or settle cases of compensation. In my program I would then make a list of the risks that cannot be handled by the company so that they can be transferred (Flakes 1993). I would also provide in the program the kind of insurance and terms of insurance and propose the most suitable ones. I can best implement the risk transference strategy by sharing the risk with another party, most likely an insurance firm. Through this I would seek to obtain insurance policies which cover different types of risks that are likely to occur in the camp (Conley 1999).
Insurance could be the most effective method of transferring these risks for my security company. Some of the risks that I may seek insurance for include: fire, theft, employee compensation and workers’ liability. However, I may choose to acquire insurance only for part of the risks or for all of them. In securing insurance cover I could go for post loss or pre loss risk financing. In pre loss financing I can acquire finances for losses with a reasonable potential of occurrence. An example is the use of insurance policies for which I would decide to pay premiums before the loss comes. In the post loss risk financing option, my aim would be to obtain finances after the loss has occurred (D'Arcangelo 2004).
Risk assumption or risk financing
Blakely (1997) denotes that to assume a risk is to accept that a risk can possibly come and to be ready to suffer the loss. In such a case the right preparation is done and the necessary measures put in place in advance to wait for the risk. When the risk occurs the organization accommodates it and works at ways of recovering from the possible consequences of the risk. In my security organization some risks that look ‘not very serious’ can be assumed. An example is if we were faced with the risk of losing our property as a result of an earthquake or, say, a flood. Our level of exposure to these risks is very low because we rarely experience disastrous earthquakes or floods in our area (Conley 1999).
The probability of our company suffering a loss resulting from such things is almost nonexistent. It would therefore be a waste of effort for us to try any other strategy of managing such a risk. For example, if we had to transfer the risk, an insurance company would benefit from us and give us nothing in return. Putting measures in place to avoid or reduce the risk would also be a waste of resources, because an earthquake or flood may never occur in the life of our organization. However, for the sake of the stability of the security company I would do well not to leave anything to chance. I would try to budget for any kind of risk even if its chances of occurrence are very slim. The best way to do this would be to have a fund from which I can finance the activities of company recovery in case of a risk (Braunstein 2005).
Conclusion
Risk management involves a number of strategies used to help a company deal with the possibility of the occurrence of risks. There are several risk management strategies that can be employed in this practice. Among them are risk reduction, risk transfer, risk avoidance and risk assumption or risk financing. All of these operate differently to protect an organization from exposure to potential risks. A loss prevention program created for my security company can help the company to avert the occurrence of risks. It makes use of the above mentioned strategies in the process of dealing with an organization’s exposure to risks.
References
Altemeyer, L. (2004). An Assessment of Texas State Government: Implementation of Enterprise Risk Management. Applied Research Project. Texas State University.
Anastasio, S. (2006). Small Business Insurance and Risk Management Guide. U.S. Small Business Administration, n.d. Cambridge University.
Borodzicz, E. (2005). Risk, Crisis and Security Management. New York: Wiley; 2005.
Braunstein, A. (2005). "Strategies for Risk Management." Amazon Publishers. New York: Wiley.
Blakely, Stephen (1997). "Finding Coverage for Small Offices." Nation's Business; Institute of America, Encyclopedia of Business, 2nd ed. New York.
Conley, J. (1999). "Waves of the Future." Risk Management. Institute of America, Encyclopedia of Business, 2nd ed. Cambridge.
D'Arcangelo, James R. (2004). "Beyond Sarbanes-Oxley: Section 404 Exercises Can Provide the Starting Point for a Comprehensive ERM Program." Internal Auditor.
Dowd, Kevin (1998). Beyond Value at Risk. New York: Wiley: Texas State University.
Flakes, E. (1993). The Essentials of Security Risk Management. Amazon Publishers. Insurance Institute of America, McGraw-Hill.
Griffith, G. (2000). "Net Increases Need for Risk Management." Dallas Business Journal; September. Amazon Publishers. New York.
Hernandez, Luis Ramiro (2000). "Integrated Risk Management in the Internet Age." Risk Management.
Hopkin, Paul (2010). "Fundamentals of Risk Management." Insurance Institute of America. New York.
Hovey, Juan (2000). "Risky Business." Industry Week. May 15, 2000. Institute of Risk Management/AIRMIC/ALARM; A Risk Management Standard. London.
Lam, J. (2003). Enterprise Risk Management: From Incentives to Controls. Hoboken. Institute of Risk Management; 2002.
Mills, E. (1998). "The Coming Storm: Global Warming and Risk Management." Risk Management.
Quinn, Lawrence Richter (2005). "ERM: Embracing a Total Risk Model." Financial Executive.
Telegro, D. (1998). "A Growing Role: Environmental Risk Management." Risk Management.
Tongson, Tim (2000). "Turning Risk into Reward." Best's Review. Texas State University.
Williams, C. Arthur, Jr., and Richard M. Heins (2004). Risk Management and Insurance. McGraw-Hill.
White, L. (2004). "Management Accountants and Enterprise Risk Management." Strategic Finance; 2nd Edition. Oxford.