SCC Buyers Toolkit: the importance of a Risk Management plan when procuring CCTV

Jul 31, 2018


by Daniel Miller

In a recent post, we welcomed the launch of the commissioner’s “CCTV Buyers Toolkit” and its useful guidelines for end users when looking to procure CCTV. The toolkit highlights the creation of a Risk Management plan as a key factor for successful investment (see pages 13-16). But how is this done?

First, risk is assessed using two concepts: “Likelihood” and “Impact”. The Buyers Toolkit introduces simple likelihood and impact scales ranging from 1 (very low) to 5 (very high). But how can you estimate the likelihood of something happening? What does a “high” impact on your business look like? Do you just make a guess, or is your business’s risk management more thorough?

The Buyers Toolkit aligns very well with the NW Security Group ethos; the Toolkit implicitly encourages you to team up with experts in the field, who can assist your business in implementing the SCC’s recommended approach. At NW Security Group, we work with our customers to develop appropriate, user-friendly Likelihood and Impact scales – and these can vary considerably from business to business. For example:

Likelihood: Those in a project environment often find it useful to employ qualitative terminology, e.g. “Almost certain to occur during the life of the project”. By contrast, a manufacturing facility may find a quantitative definition more usable, e.g. for a production line: “Rate of occurrence – 1 in 1,000 products.” Other examples include percentages (“<10% chance of occurrence during life of asset”) and descriptive terms (“frequent”, “rare” etc). Separate departments in one business may utilise different scales, dovetailing into a common score matrix.

Impact: We offer a range of impact scales for customers, as there are so many areas in which impact may be felt by a business – operational performance, revenue loss, project delay, staff injury, operational disruption, quality control, reputational damage and so forth. Furthermore, businesses (or even parts of the same business) feel impact in very different ways: a one-off financial loss of £9,000 might rank “very low” in impact for a large multinational, but “very high” for an SME. A four-hour power cut might be a tolerable risk for one part of the business, but could constitute a critical service outage for another department.

People generally find it easier to estimate impact than likelihood. It can often be straightforward to work out the impact of an event, if it were to occur, but it can be very challenging to estimate the likelihood of that event happening.

If your likelihood scale is generic or poorly-designed, this could render your “likelihood” estimate almost meaningless. In one real-life example, an organisation’s likelihood scale consisted of: “1 in 100; 1 in 1,000; 1 in 10,000; 1 in 100,000; 1 in 1,000,000.” How useful are these options in articulating the likelihood of, for instance, a burglary or a data breach? Is the distinction between “1 in 1,000” and “1 in 10,000” clear, or meaningful? In practical terms, for these scenarios, that scale is unhelpful. Risk evaluations are often subjective, so it is important to define scales which assist users in making realistic assessments. For the above examples of burglary and data breach, users may find it easier to select a value from: “Likely to occur every month; every few months; every year; every few years; rarely, if ever.”

From a senior management perspective, a poorly-defined likelihood scale leaves the risk management process open to abuse. A manager wishing to secure more funding for physical security measures may deliberately exaggerate the likelihood of a risk. Alternatively, a manager wanting a quiet life may present a rosy picture in which all departmental risks are green, deliberately under-estimating the likelihood of a risk occurring. Both examples have been encountered in the past, and always involved manipulating the likelihood score; it is easier to “fudge” a likelihood estimate than an impact assessment.

We strongly endorse the SCC’s recommended approach to risk management. Too often, we encounter businesses that regret having spent significant sums on a solution that wasn’t the right one for them; in this and many other cases, seeking expert advice from an independent provider and adopting the right solutions through a risk management approach is, in the long run, the best return on investment for your business.

