An Introduction to the NSG Approach to Risk Assessment 

The protection of company and organisational assets from loss, howsoever caused, is critical to maintaining and increasing business capability and profitability. The key to the successful protection of an organisation’s assets lies in a radical, pragmatic and balanced approach to company security. It is also the case that what works for one organisation may not necessarily work for another, even if those organisations operate in the same sector.

NSG Security Consultants apply a lateral problem-solving approach, which involves understanding the organisation’s business model so that the measures introduced not only improve security and reduce loss, but also enhance and support business operations. This process is applicable to all organisations, including those in the retail, finance, manufacturing, service, leisure, Government (including local government) and construction sectors, and takes place in four phases.

What we do

Phase One – The Identification of Areas at Risk

It seems obvious to state that the first stage in the process is the identification of areas at risk. But the risks to an organisation’s operations can be diverse and include, for example, reputation, product contamination and supply chain disruption, as well as the more obvious IT equipment, buildings and people.

Working at both strategic and operational level throughout the organisation, NSG Security Consultants will identify all areas of an organisation’s operations that may be at ‘risk’.

Phase Two – Risk Assessment

Quantitative and qualitative assessment of risk is complex, and as a result most risk assessments are threat assessments rather than assessments of actual risk. Threat assessments apply a mathematical formula that takes into account the probability of a loss or event occurring and the magnitude of the potential loss. The problem with this approach is that if the magnitude of loss is potentially catastrophic but the probability of the loss or event occurring is remote, the ‘risk’ will be rated as low.

NSG Security Consultants take a different approach and assess ‘pure risk’ and rate the risk according to the potential impact on the organisation, irrespective of the likelihood. In broad terms, the risk assessment process can be broken down into three areas:

Loss Event Profile - this analyses all the ‘pure risk’ events that are likely to happen. The analysis looks at all factors which could produce an incident, utilises statistics and previous experience, and eventually determines the complete range of threats and risks.

Loss Event Probability - this stage in the process analyses the likelihood of the threats and risks identified in the Loss Event Profile becoming a reality. The physical environment, social environment, past data, criminal trends, etc. are all taken into account in determining the probability of the risks actually taking place. Risks can then be rated under a variety of headings, ranging from ‘virtually certain’ down to ‘probability unknown’.

Loss Event Criticality - this stage looks at the financial costs, be they direct or indirect, which would result from an incident taking place. Direct costs are easy to estimate, but account must be taken of the indirect and consequential costs – e.g. reputation, goodwill, community relations, employee morale, etc. Criticality may be rated from ‘fatal to the organisation’ down to ‘seriousness unknown’, with a number of divisions between. The final step in the process is to arrange the entire body of rated risks into a sequence of priority for countermeasures attention – the Risk Management Plan.
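The following is an added worked example, not NSG’s own tooling, that makes the distinction above concrete: it rates a constructed Loss Event Profile once with the conventional probability × magnitude formula and once impact-first, and shows how a remote but fatal event falls to the bottom of the first ordering and to the top of the second. The intermediate scale steps, the numeric weights, the tie-breaking rule and the four sample events are all assumptions made for the illustration; the page names only the end points of each scale.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed ordinal scales for the two rating stages. The page names only the end
# points of each scale ("virtually certain" down to "probability unknown";
# "fatal" down to "seriousness unknown"); the intermediate steps and the
# numeric weights are assumptions made for this example.
PROBABILITY: Dict[str, Optional[float]] = {
    "virtually certain": 1.0,
    "probable": 0.5,
    "remote": 0.05,
    "probability unknown": None,   # no defensible number to multiply by
}
CRITICALITY: Dict[str, int] = {
    "fatal": 5,
    "very serious": 4,
    "serious": 3,
    "minor": 2,
    "seriousness unknown": 1,
}


@dataclass(frozen=True)
class LossEvent:
    """One entry from the Loss Event Profile with its two stage ratings."""
    name: str
    probability: str   # key into PROBABILITY
    criticality: str   # key into CRITICALITY


def expected_loss_score(event: LossEvent) -> Optional[float]:
    """Conventional threat-assessment score: probability x magnitude.

    Returns None when the probability is unknown, since there is nothing
    to multiply by.
    """
    p = PROBABILITY[event.probability]
    if p is None:
        return None
    return p * CRITICALITY[event.criticality]


def rank_by_expected_loss(events: List[LossEvent]) -> List[str]:
    """Order events by probability-weighted score, highest first.

    Events whose probability is unknown cannot be scored and drop to the end.
    """
    def key(e: LossEvent):
        s = expected_loss_score(e)
        return (s is None, -(s or 0.0))
    return [e.name for e in sorted(events, key=key)]


def rank_by_pure_risk(events: List[LossEvent]) -> List[str]:
    """Impact-first ordering as described for the 'pure risk' approach.

    Criticality alone decides the rank. Probability is used only to break ties
    between events of equal criticality (an assumption for this example), and
    an unknown probability is treated as the weakest tie-breaker, not as zero.
    """
    def key(e: LossEvent):
        p = PROBABILITY[e.probability]
        return (-CRITICALITY[e.criticality], p is None, -(p or 0.0))
    return [e.name for e in sorted(events, key=key)]


# Constructed sample Loss Event Profile for illustration only.
SAMPLE_EVENTS = [
    LossEvent("Product contamination", "remote", "fatal"),
    LossEvent("Laptop theft from open-plan office", "virtually certain", "minor"),
    LossEvent("Supply chain disruption", "probable", "serious"),
    LossEvent("Reputational damage", "probability unknown", "very serious"),
]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e.name:36} {e.probability:20} {e.criticality:14} "
              f"score={expected_loss_score(e)}")
    print("probability-weighted order:", rank_by_expected_loss(SAMPLE_EVENTS))
    print("impact-first order:        ", rank_by_pure_risk(SAMPLE_EVENTS))
```

Run as a script, the weighted ordering puts the near-certain but minor laptop theft first and the remote but fatal contamination event third, while the impact-first ordering reverses them; the event with an unknown probability sinks to last place in the weighted ordering because it produces no score at all, whereas the impact-first ordering still ranks it by its criticality.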

Phase Three – Security Survey 

The security survey is essentially a physical examination of the client’s premises and the immediate environs, including a thorough inspection of all operational systems and procedures. Following completion of the first two phases, consultants produce bespoke security survey checklists to be used during the security survey.

The security survey has as its overall objective the analysis of the client’s facility to determine the existing state of its security, to locate weaknesses in its defences, to determine the degree of protection required, and to lead to recommendations for establishing the Risk Management Plan.

Phase Four – Risk Management 

Risk management is the application of the same broad principles that apply to solving all management problems. The primary objective is to save money by minimising, in a cost-effective way, the drain on resources brought about as the result of loss.

In this phase the results of the previous three phases are reported and form the basis of the Risk Management Plan.

It is widely accepted that the techniques to manage the risks identified fall into one or more of the following categories:

Avoidance (eliminating the risk altogether)
Reduction (reducing the severity of the loss or the likelihood of the loss occurring)
Sharing (transferring the risk for example through outsourcing)
Retention (accepting the risk)

The Risk Management Plan will propose applicable, proportionate and effective controls or countermeasures for managing the risks identified, taking into account these technique categories. Importantly, the Risk Management Plan prepared by NSG Security Consultants will include an Action Plan for client ‘sign-off’ and implementation. The Action Plan will outline the sequence in which the consultant recommendations (countermeasures) should be introduced, taking into account:

the cost of implementation;
ease of implementation;
any risk associated with the countermeasure; and
the benefit of the outcome from implementation, and whether the benefits are realised in the short, medium or longer term.

The Risk Management Plan includes a cost benefit analysis to justify the introduction of the countermeasures proposed by consultants. Where recommendations indicate a range of countermeasure options, the comparative advantages and disadvantages of each option are assessed to enable the client to decide which option to implement.