If you have made the decision that the importance of your project outweighs the dangers, additional measures are likely needed to bring risk to within tolerable levels. How will you do this? What measures and options are at your disposal?
When we think of ways to protect ourselves from possible harm in the field, we may immediately think of high walls, gates, barricades, armoured cars and jackets like the ones shown in the photo at the beginning of this module. The SRM approach however, is designed to match appropriate risk reduction measures to the actual threats and vulnerabilities that you have analysed as part of this overall process. The now-familiar diagram of the SRM cycle below shows the dependence of deciding on, and implementing risk reduction measures on the previously accomplished assessments and analysis.
As discussed in the module, there are two components involved in the determination of risk: impact and likelihood. The risk matrix tool graphically shows the relationship of these two components for all threats considered in your threat assessment. Threats with higher risk are shown in the upper-right corner of the matrix, i.e., where the descriptors for the highest impact and the highest likelihood intersect. The security risk manager’s job is to find effective and achievable ways to move threats with unacceptable levels of risk to a point on the matrix where the risk level is tolerable.
How urgent is the project?
What are the consequences of project suspension?
How great is the risk to staff?
What are the consequences of an incident occurring?
Are there other ways of meeting the needs that entail less risk?
This can be done in three ways as described below.
1) Reduce the likelihood that a particular threat will occur, pushing the threat to the left on the matrix. Measures to accomplish this are generally called prevention measures.
While they generally do not absolutely prevent all possibility of a particular threat occurring (except, for example, in the case of total evacuation from the field), they are designed to significantly reduce the likelihood that they will occur, making the risk lower and therefore more acceptable. A good example of this is clearly marking (in most situations) vehicles i.e. as being humanitarian in nature if you are working alongside the UN. In situations where there is general acceptance of your organization, for example, flags and large decals make it clear who you are, thereby reducing the likelihood that a combatant will mistake you for an enemy and fire at you.
The flags and decals do nothing to reduce the impact if shooting starts; they only serve to reduce the chance that someone will shoot at you.
2) Reduce the impact or harm that is done if the threat actually occurs, thereby pushing the threat lower on the matrix. Measures that are designed to reduce the impact of a threat are generally called mitigation measures. A good example of this is the use of seatbelts in vehicles. While seatbelts do not reduce the likelihood of an accident, they are designed to keep you safer should an accident occur.
3) Reduce both the likelihood and the impact of potential threats. In reality, many measures that can be taken have both mitigating and prevention aspects. A high strong wall around the office is a good example. The wall will reduce harm to those inside if shooting occurs outside, and the fact that there is a wall may well dissuade potential attackers from shooting at the office at all. Such measures have both mitigation and prevention components and are effective at reducing risk since they will move the threat both down and to the left on the matrix.