The Risk Management Process explained
Managing the risks arising from terrorism is a step-by-step process. The following version is a five-step process adapted from the Health & Safety Executive’s process and specifically focuses on the management of terrorist risk. You can do all the work yourself or choose a competent person to help you with some or all of the steps.
Note: The overall responsibility for controlling the risks will always be yours.
The five-step process:
• Identify threats to your organisation
• Assess the risks to your organisation
• Control the risks - assess what you are already doing which can minimise or reduce the risk, and determine what else needs to be done to reduce or eliminate the risk
• Record your decisions and actions
• Review the controls
These steps can also be linked to the Risk Management Model.
1. Identify threats to your organisation
This step requires you to gather information from a range of sources to help identify how vulnerable your organisation might be to a terrorist attack. Sources include information, advice and guidance from:
• security organisations
• the police and other emergency services
• local authorities
• neighbouring organisations and other partners
• members of your support networks
Your own analysis of your organisation, site and location should also be taken into account.
Using these sources, you need to consider:
• What sorts of attack might you be exposed to?
• Who might carry out these attacks?
• What sort of harm might your staff, customers or other visitors suffer in an attack?
• What work practices exist in your organisation which may protect you from, or expose you to, terrorist attacks?
• Are your premises designed to help you withstand or respond to an attack?
You also need to think about the possibility that although you may not be a target for an attack, other businesses or organisations close to you might be.
Look back at records of previous terrorist attacks, as these can help you identify less obvious threats. Take account of differences in location, sector and the size of your organisation. Think about threats to life and the different attack types: how do these apply to your situation, and how might employees, contractors, visitors or members of the public be harmed, both in the short term and in the long term?
2. Assess the risks to your organisation
Once you have identified the threats, the next step is to estimate the risks you face. This estimate will determine the decisions and actions you need to take to minimise the risks. To make it, you need to decide what type of attack may occur, how likely it is that people will be harmed and how serious this harm could be. You need to take all three into account in determining the level of risk.
In making these decisions, there is a range of factors to consider:
• What is the existing threat of a terrorist attack, and what is the current threat level?
• How likely is it that you will be caught up in an attack on someone else?
• What attack methods may be used and how likely are they to succeed?
• Who might be harmed by an attack and how?
• What other longer-term consequences might the attack have for you?
Talk to workers and other stakeholders and those most likely to be affected by an attack to fully understand the risks you face. Involve your employees in both your risk assessment and decisions about control measures. They will usually know what it is like to work on the frontline within the organisation, what types of threats they may be exposed to and will have good ideas about how best to protect the organisation from these threats.
Also, discussing the probable consequences of an attack with other stakeholders who may be affected by an attack can be very beneficial. They may have views on what is an acceptable level of risk and give advice on what resources can be committed to control measures.
3. Control the risks
There are two parts to this step. You need to assess both what you are already doing to control risk and what further actions you might take. In addition, the Risk Management Model requires you to think about both how you can protect yourself from an attack and how you can respond to and recover from an attack.
Protective measures can include:
• physical defences such as fences, security doors and bollards
• active measures such as guarding, observing and hindering attacks
Response and recovery control measures are actions you can take after an attack has taken place such as emergency responses, recovery plans and business continuity activities.
Choosing the best options
As you carry out your assessment of your security risks and identify the control measures you are taking or might take, you are likely to be faced by many options.
General advice on risk assessment often recommends the use of a risk matrix based on estimates of the likelihood and impact of an attack. These are useful for prioritising actions and measures particularly in larger and more complex organisations when faced with a large range of threats. However, these approaches are not always helpful for small businesses where a simpler approach may be more appropriate. It may be more useful to accept that the consequences of an attack will almost always be high since they involve death or serious injury to individuals, as well as damage and disruption to your organisation.
Therefore, for small businesses, it may be better to work backwards from the range of attack types by asking the following questions:
• Is it possible to carry out the attack type at your site? If not, remove it from consideration.
• For each remaining attack type:
• Do you already have protective control measures in place which give as much protection as it is reasonable to expect? If yes, it is not necessary to consider any additional measures further, but remember that the risk will not have disappeared and you must continue to consider whether it is being dealt with effectively.
• Do your existing control measures give partial protection? If yes, can these control measures be enhanced or extended to give sufficient protection?
• If your existing control measures cannot give sufficient protection, do you know whether other parts of your organisation, or your community neighbours or partners, have introduced measures which you should adopt or collaborate on?
• If there are still risks for which you have no adequate protection, which of the control options you have identified will give the most effective protection, balancing the level of risk against the money, time and trouble needed to control the real risk sufficiently?
Assess what you are already doing which can minimise or reduce the risks
You first need to look at what you are already doing about risks you face, and the control measures you already have in place. These might be for other security purposes, such as guarding against theft, fire protection, health and safety purposes or other sorts of protective arrangements. Ask yourself whether these control measures are likely to be effective for controlling terrorist risks or whether they could be re-purposed to provide suitable control measures.
You need to consider both what sorts of preventive measures (i.e. physical and active measures) and what sort of response and recovery measures you have in place. In both cases consider how these measures might help to detect, deter or delay the various types of possible attack. For the response and recovery measures, consider how the measures may reduce the consequences of an attack, speed up the response to and recovery from an attack, and contribute to the continuation of business after an attack.
Determine what else needs to be done to reduce or eliminate the risk
Once you have decided which of these control measures you already have in place and how they might help you deal with a terrorist attack, you need to decide how effective they are likely to be in the event of an attack and what you could do to protect yourself more effectively. When making these decisions, consider the following:
• Have the preventive measures removed any of the risks altogether or significantly reduced them? This is an ideal situation, but it is rarely possible in practice. Indeed, small to medium size organisations are unlikely to be able to put in place many of the protective measures that large organisations can to achieve this, either because they don’t have the finances or resources to do it or because they don’t have much control over their organisation’s site. In either case they are more likely to focus on response and recovery measures.
• If risks have not been removed or significantly reduced, how effective are the existing control measures likely to be at reducing the harm from an attack? In practice, a multi-layered approach to defence is usually best.
Consider the following:
• Would the existing control measures seriously hinder an attack?
• Would the existing control measures give you more time to defend your site against an attack?
• Would the existing control measures reduce the likelihood of an attack being launched?
• Would the existing control measures improve your chances of protecting people from harm?
• Would the existing control measures give you a good chance of reducing the consequences of an attack?
Further action might then involve some or all of the following:
• Identifying changes that can be made to your organisation to reduce your risk – for example, choosing security measures which are more appropriate for your organisation, changing the way jobs are designed or work is organised, and creating a more security-minded workforce. Security awareness training for staff, such as the ACT (Action Counter Terrorism) Awareness e-learning programme, would support this.
• Identifying ways that you can collaborate with, for example, other organisations nearby, the owners or managers of the site you occupy, the local authority, the emergency services etc.
• Deciding where best to put your control measures if they are not optimally sited.
4. Record your decisions and actions
Keep a record of how you reached your decisions about the current level of risk you face and the actions you need to take to control the risk as much as possible. The record should contain your assessment of the effectiveness of your existing control measures, identify which additional control measures you want to introduce, and describe how you plan to implement them. You are not expected to eliminate or significantly reduce all risks but you should show you are taking reasonable steps to protect people from harm.
As part of your implementation plan, you should make sure that someone is given explicit responsibility for any improvements identified and putting any additional control measures in place. This person should have sufficient authority to make sure that the necessary resources and money are made available. They should also be given a manageable timescale in which to undertake the task. If several control measures are being implemented, it is usually best to stagger their introduction. The order should also balance the expected security benefit with the complexity of the control measure’s introduction. Remember that consultation with your workers and other stakeholders is encouraged at this stage, as well as at the risk assessment stage.
For both your own benefit and that of any others who continue with the work afterwards, you should record at least the following:
• What are the threats you face (how harm might be caused)?
• Who might be harmed and how?
• What you have done and are doing to reduce the risks, and your reasons for the approach taken
• Who has responsibility for putting control measures in place?
• When will you review the progress made, both in putting control measures in place and in their likely effectiveness?
To help you do this, we have developed a Risk Management record template and examples. Do not rely purely on producing paperwork. Your main priority should be to control the risks in practice. Your record, therefore, does not need to include everything you have thought about or considered. It should just describe the key findings that have led to your decisions and actions.
For further advice on how to choose the best options and record your decisions, refer to the 10 principles of security management developed by the College of Policing.
5. Review your controls
The threat picture and your readiness to protect yourself will change over time, so your controls will need to be reviewed from time to time.
You should review the control measures you have put in place to make sure they are consistent with current guidance.
You should also review them if:
• they may no longer be effective
• there are changes in the workplace that could lead to new or increased risks, such as changes to staff, processes, the UK threat level, or information released concerning methods of attack
Also consider a review if your workers have spotted any problems or there have been any terrorist incidents in the UK or abroad which have implications for your own security arrangements.
Update your Risk Management record with any changes you make.
6. Identify a competent person
It is important that the risk management process is supported by sufficiently competent people. As an employer, you should identify a competent person or persons to help you meet your duties regarding the safety of your employees, customers, volunteers or other visitors to your sites throughout your organisation. You may already have done this for other purposes but you should also identify someone to help with the management of terrorist security risks.
When identifying a competent person or persons, it is important to consider the following:
• What will you require the competent person to do?
• What qualifications or training does your competent person need to do the role effectively?
• Who can you designate as a competent person?
• When and how to use an external competent person
• Sources of competent persons
What you require the competent person to do
There are two possible roles for a competent person:
• The first is to help your organisation put in place sensible measures which will protect workers, customers, volunteers and others from harm. To do this they should have the skills, knowledge and experience to be able to recognise the threats which your organisation may face and to identify and help implement the control measures best suited to protecting you from, and helping you recover from, the associated risks.
• The second is to sense check or validate the control measures that are being considered.
Note: Although the same person could undertake both roles, in most organisations it is likely that the roles will be undertaken by different people. Also note that the role of a competent person may, in some cases, involve recognising the need for and bringing in others (either internal or external) with the necessary expertise to cover gaps in their own knowledge and skills.
You should distinguish between a competent person and a responsible person. Although the same person can occupy both positions, what they do is different. The role of the responsible person is to ensure that decisions about risk are implemented, and the necessary actions taken. To do this, they need to be able to take decisions, commit resources and provide budgets to support the required actions.
What qualifications or training a competent person needs to do the role effectively
Currently, there is no legal requirement for a competent person to have formal security qualifications or to have had formal training. This may change in the future but, in any case, a competent person with relevant qualifications or appropriate training or experience is more likely to possess the skills and knowledge necessary to fulfil the role.
In many organisations, staff with health and safety responsibilities are also responsible for the organisation’s security arrangements. In other, usually larger, organisations there may be individuals in a dedicated security team. Such individuals may have the skills and knowledge required to undertake the first of the competent person roles and, sometimes, to undertake the second role. They are likely to have some formally recognised qualifications from bodies such as the Institution of Occupational Safety and Health (IOSH) or the National Examination Board in Occupational Safety and Health (NEBOSH) if they are health and safety professionals, or from the Security Institute, the International Security Management Institute (ISMI) or the Certified Security Management Professional (CSMP) scheme if they have undergone security training, and to have undertaken some familiarisation training such as the ACT Awareness e-learning programme offered by NaCTSO or the SCaN training offered by NPSA (formerly CPNI). However, many organisations will prefer to employ an independent security professional for a short time to undertake the second role, while large, complex or high-risk organisations may require more specialist help from advisors with a higher level of security expertise.
Who can you designate as a competent person?
You could assign one or a combination of:
• one or more of your workers
• someone from outside your organisation
The person(s) chosen should be security minded, have knowledge of previous terrorist attacks and the different attack types, and knowledge of the control measures which can be used to protect against or respond to the different attack types. If there is one or more competent persons within your organisation, it makes sense to use them rather than a competent person from outside the organisation because they will have a better understanding of the organisation’s needs. However, you may not think that your internal staff have the level of competence required to completely fulfil the two roles or you may simply prefer to have an independent evaluation of your arrangements.
When and how to use a competent person from outside your organisation
Although it is acceptable to appoint an internal competent person, there are various circumstances where appointing an external competent person is desirable. For example, there may be no suitably competent person available internally or some aspect of the organisation’s premises or operations may require some specialised security expertise.
When appointing a competent person from outside your organisation, research suppliers carefully. Make sure that the skills, experience and knowledge they offer match your requirements, are up-to-date, and that you are clear about the extent and limitations of their expertise.
Where to find competent persons and specialist advice
You may already know such individuals or how to find them but, if not, there are a number of sources to which you can refer:
• The Register of Security Engineers and Specialists (RSES), which NPSA (formerly CPNI) sponsors and which encompasses Generalist Security Advisors (GSA) and Specialist Security Advisors (SSA)
• The Register of Chartered Security Professionals, which is managed by The Security Institute
• The UK Register of Independent Security Consultants, managed by the Association of Security Consultants (ASC)
• The National Cyber Security Centre (NCSC), which has its own certification of industry expertise for cyber security
Other sources may become available once the Protect Duty legislation is in place and other registration schemes are developed.
7. Community and support networks, partners and other stakeholders
You are not alone. There will be many other organisations or businesses that are as concerned as you are about securing the sites in your neighbourhood against terrorist attack. It is ineffective to think about protecting your own site in isolation, as working with your neighbouring organisations and businesses not only makes things easier for you, but you will learn from each other and can plan a co-ordinated response.
Also, you do not need to do everything yourself – not even if you have appointed a competent person. Make the best use of the knowledge, experience and expertise around you. Consider which other organisations or stakeholders are involved in managing terrorist threats both locally and nationally with whom it would be beneficial to liaise, network or collaborate:
• Local resilience forums
• Other emergency services (Fire Service, NHS, etc.)
• Civil contingency units
• Neighbouring businesses and organisations
• Landlords and site owners
• Parent organisations and other stakeholders
• Business Improvement Districts