A Strategic Approach to Resilience, Risk and Security


How the Australian Commonwealth Protective Security Policy Framework sets out the definitions and actions required to manage security risk.


The globalised world of today, with its range and complexity of risk, requires a sophisticated approach to developing a strategic security management system, to give enterprise leaders the confidence that their business is as resilient as it can be to these risks.


Resilience is a much abused and maligned term. It is most coherent when used in a biological sense, but it has come to mean anything from an enterprise’s rapid adaptability to change, through to having business continuity and emergency management plans in place. For the purposes of this article, the ISO definition of Resilience provides the parameters for the discussion of the role of security in building resilience:


Organisational Resilience: the adaptive capacity of an organisation in a complex and changing environment. Simply put, Resilience is the ability of an organisation to manage disruption-related risk (ISO/WD 22323 Societal security – Organisational resilience management systems).


Cockram and Heuval provide an expansion of this definition, in the business continuity context, “the capacity of an organisation to plan for and adapt to change or disruption, through anticipation, protection, responsive capacity and recoverability”. (Cockram and Heuval, 2012)


It is in this context, of protection and response, that security makes its contribution.


The definition and nature of security


ISO defines security in a broad sense: security – the condition of being protected against hazards, threats, risks, or loss. In the general sense, security is a concept similar to safety. The distinction between the two is an added emphasis on being protected from dangers that originate from outside. The term "security" means that something not only is secure but that it has been secured.


However, for the purposes of this article, the focus is on security as an activity conducted to ensure protection exists. It begins with an appreciation of Risk Management at the strategic level.


Security activities are represented by those measures that reduce the risk to an enterprise’s objectives arising in the Physical, Personnel, Information Management and Technology domains. Mitigating the security risks in these domains is necessary for the conduct of the business of the Enterprise, be it nation, community or institution. The Australian Commonwealth Protective Security Policy Framework sets out the definitions and actions required to manage security risk arising in these domains and is adopted as the model underpinning this article.

© City Security Magazine – Autumn 2014 www.citysecuritymagazine.com (p. 24)


The role of policy and risk


Risk is the potential that something will occur that will impede the achievement of objectives. Strategic Risk Policy refers to the framework in which organisations consider their goals and objectives and consequently develop and implement their policies to reduce the extent and kinds of risks that an organisation faces in achieving its objectives.


What is strategic risk policy?


Strategic risk policy is an integral part of good governance: it provides clarity and certainty in policy formulation and implementation, and supports organisational resilience. Organisations should consider developing and implementing a comprehensive risk management framework within which they develop their policies and procedures.


The governance element consists of two components. The first is the development and implementation of a risk policy framework that ensures that strategic risks are considered both in the policy development phase and then again in implementation so that emergent and unanticipated risks are mitigated.


The second is a high-level policy commitment – the Organisational Risk Policy (Directive) – that mandates the application of risk management and effective and accountable risk management practices at all levels of decision making.

Figure: Risk Policy Framework. Policy Development: identification of organisational objectives and risks that the policy seeks to address. Policy Implementation: identification and mitigation of emergent and unexpected risks arising from policy implementation. Re-assess policy.


The risk equation needs to be considered at each of the two stages of risk policy and can be summarised as follows: Risk is a consequence of the conjunction of Vulnerability and Threat/Hazard. Because risk is only the chance of something happening, identifying vulnerabilities enables potential risks to be identified earlier and evaluated in a clear, purpose-driven manner. Decisions can then be made about how the risk is to be addressed, e.g. by deflecting it, by hedging against it, or by mitigating its effects, that is, reducing or negating the impact of the conjunction of a threat/hazard with a vulnerability.


Vulnerability is the intrinsic properties of something resulting in susceptibility to a risk source that can lead to an event with a consequence. (ISO/IEC Guide 73:2009)

