Our core business is security risk management – helping companies to pursue commercial opportunities in places where the threats demand a deliberate risk management response. So, what happens when your company’s commercial strategy involves countries better known for their security challenges than their commercial opportunities?
We recommend a structured approach to security risk management, otherwise such opportunities might be rejected without due consideration of the potential rewards. Thankfully it is possible to assess and manage these risks.
In this article I explain the five key steps in addressing security risk in a high threat environment. Follow them, and as the Global Marine Group case study shows, new business opportunities become feasible.
Step 1 – Gather Information
There is a great deal of reliable information available on the internet free of charge, as long as you know where to look. The objective at this stage is simply to inform yourself about the region and the country where the business opportunity has arisen.
Governments invest a lot of money in intelligence and some of this information is made available to the public in the form of advisory services. Consequently, the Foreign & Commonwealth’s Travel Advice Serviceis a great place to start.
Many think-tanks produce indices measuring security and supporting reports that are frequently very informative. The Fund for Peace’s Fragile State Index and the Institute for Economics & Peace’s Global Peace Index are two noteworthy examples.
A downside of these indices and reports is they are only produced annually, yet security threats are more dynamic than that. The Council for Foreign Relations partially addresses this shortfall with its Global Conflict Tracker that is regularly updated.
Stay on top of the latest developments from regions and countries of interest by setting up Google alerts to monitor the web for relevant reports. Finally, you could commission a report from a security risk consultancy, but at this stage that probably isn’t necessary.
Step 2 – Frame the Problem
This is a critical stage, the importance of which is frequently underestimated. Yet if the wrong question is asked, how can we hope to arrive at the right solution? Take the time to clearly identify what the problem is that needs to be solved.
At its simplest, hazards are the threat to things that we value. So, when framing the problem this is a good place to start. Identify the most valuable resources and capabilities of your business in the context of the commercial opportunity that has arisen.
Engaging with experts across your business will allow you to fully understand how you will operate in the region where this potential opportunity exists. While doing so, resist the temptation to jump to conclusions about what resource or capability is the most valuable.
The problem has been correctly framed when you are able to state it in a sentence or two that encompasses related sub-problems. There should be broad agreement among stakeholders that the statement does indeed encapsulate the problem.
An example of a such a statement would be: “How do we maintain continuity of operations, including the supply of essential materials, without stockpiling too many assets in the high threat area?”
Step 3 – Analyse the Risks
With the knowledge of how you intend to operate and which resources and capabilities are most valuable, you have the basis for understanding and analysing the security risks. You can do this yourself or you can engage a consultancy to do this for you.
This is where the effort expended in gathering information pays off, as the more detail you have available, the better the quality of your analysis. Local agents can be particularly helpful in answering specific questions that arise during your analysis.
A rational and analytical method is the best approach to take. Intuitively you may know that assets need to be protected but it is only by applying a structured methodology that you achieve the detail necessary for the next stage.
Counter-intuitively, the analysis of risk can actually soften the perception of it. This is why this stage should be conducted with representation from across the company as the process and conclusions can reduce anxiety and increase support.
Also, consider risk from ‘the other side of the hill’. Sometimes an asset has a value to others that is different to the value you place on that asset yourself – a spool of copper cable can be stolen but the £500,000 precision tool left behind.
Step 4 – Develop Solutions
At the end of the previous stage you should have identified three or four security risks that you need to manage. The seriousness of these risks is determined by the extent they can be mitigated and this depends on the solutions that are developed and implemented.
Orthodox risk management strategies like those taught on AXELOS’ Management of Risk course are a perfectly suitable point of departure for developing solutions, however, a limited understanding of what is possible to achieve can limit the utility of this process.
To illustrate, a road may pass through a dangerous area but that doesn’t mean movement through it is impossible or unwise. It is also often it is better to use alternatives like light aircraft or fast offshore vessels to move people and materiel in relative safety.
On other occasions solutions can be extremely simple. Renting and securing a villa or complex in a suburban or rural location is frequently much more cost effective than the alternative of paying for hotel rooms in a nominally more ‘secure’ city centre location.
This is where a security risk consultancy can add a great deal of value. There is no substitute for expert knowledge and a professional consultancy will join your planning/bid team to develop solutions that are appropriate for the problem and your company.
Step 5 – Implement and Evaluate
A security risk mitigation plan will only be as effective as the diligence with which it is implemented. This responsibility cannot be outsourced. Security risk management must become part of the company’s culture when operating in a high threat environment.
Perhaps the key task during implementation is assurance. Ensuring that assets are being protected as planned, resources are held at readiness as stated, and security officers are briefed, exercised and competent are all assurance activities.
No matter how much information we gather, how skilfully we frame the problem, how much time we spend analysing threats, how comprehensively we plan to mitigate risks, we can never be fully informed and therefore we can never fully eliminate risk.
Consequently, we must continuously evaluate both the assumptions made in formulating the security risk management plan and the current situation in which it is being implemented. This ensures that the response to security risks remains appropriate.
One final recommendation is to conduct contingency planning and to periodically test the readiness to execute the plans that result. Going through this process develops a culture of preparedness and greatly increases the resilience of the business.
Case Study – Global Marine Group in Somalia
“By following a comprehensive risk management strategy in assessing the risks and complexities of working in a hostile environment, Global Marine Group was able to successfully carry out a subsea cable project both on and offshore in Somalia.
This involved the CS Sovereign transiting the High Risk Area to Bosaso Port and then working a few miles offshore, as well as engineers working onshore for several weeks.
The security partners we had led us through these risk management steps enabling us to not only be comfortable with the post mitigation risk, but also to bid competitively and win a project that we may otherwise not have bid on.
They then went on to complete the security plan that was successfully implemented in country. This complex plan involved the chartering of private planes, liaison with local governors, national coast guard and police, as well as continual monitoring of the security situation and adapting the plan accordingly.
The project went so smoothly that it finished ahead of the schedule with no security incidents.”
Robert Twell, Marine Manager, Global Marine Group
There are lots of commercial opportunities in countries with security challenges, but security risks can be analysed, understood and mitigated. My advice is not to reject these opportunities without first going through the five steps outlined above.
Harry Thomsett is a consultant at the security and risk management company SSI RM (http://ssi-ltd.com/). SSI RM provides security and risk management services to organisations operating in high threat areas around the world.