Security Risk Assessments must be reviewed and updated on an ongoing basis. This is in part because the threats change and evolve constantly. It is equally necessary because the actions and decisions that you make as a part of the SRA process will, in themselves, have an impact on the threat environment. They may decrease your vulnerability to a threat and reduce its likelihood or impact, but they also expose you to new, unforeseen or previously negligible risks. For these reasons, the process of reviewing effects of decisions, updating analyses and making modifications as needed, are integral parts of the overall SRA process. It should be noted that this process can require considerable effort and time; office managers must ensure that adequate attention is given to this task so that security assessments do not simply gather dust on the shelf as the security situation evolves.
Security Risk Assessment is a systematic approach to analysing information in order to better understand risks and make better decisions regarding how to respond to them. A complete assessment of risk should include all of the steps listed below:
Threat assessment provides an understanding of the potential dangers in your environment. Threats in this assessment are usually presented as events such as kidnapping, road ambush, sniper shooting, etc.
Vulnerability assessment is an internal analysis of an organization’s own weaknesses. Typical aspects of an organization or office’s vulnerability include:
Program assessment is related to threat and vulnerability assessment but looks specifically at the results of the activities or programs of the organization in the field and the ways that these programs influence the risk to staff, either positively or negatively.
Risk analysis combines the results of threat analysis and vulnerability analysis and then examines the threats in terms of both their likelihood and possible impact to determine the actual risk for the organization.
Criticality assessment weighs risks of carrying out program activities to staff against possible benefits of program activities to the beneficiaries of the programs.
Decision and implementation entails selecting appropriate measures to reduce risk. These may be preventive measures, aimed at reducing the likelihood of a harmful event occurring, or mitigating measures, designed to lower the impact of the event if it happens.
Review and modification of assessment is necessary because security situations are fluid and constantly changing. Moreover, your actions may change the environment you face; therefore, you will need to review and revise your SRA continually as long as your staff are in the field.