The importance of place in understanding physical security risk According to Chris Kumeroa, Managing Director of Global Risk Consulting, the security world is coming to a greater awareness of the importance of data-driven approaches to assessing risk. But there’s some way to go.
Chris Kumeroa is Managing Director of Global Risk Consulting Group. He is a former New Zealand Special Forces soldier specialising in counter terrorism, human tracking, mountaineering and reconnaissance.
16
NZSM
Data and physical security risk When it comes to data-driven approaches to the assessment and management of physical security and safety related risk, the public and private sectors are a patchwork of ‘haves’ and ‘have nots’, and the distinction between these appears to be drawn along sectoral lines. The relatively recent establishment of the Evidence Based Policing Centre by the NZ Police and the New Zealand Institute for Security and Crime Science by the University of Waikato are indicative of an acknowledgement that data can enhance public security outcomes. Their appearance is part of a global trend, and they mirror the establishment of similar institutions in other countries. In the private sector, the insurance, healthcare and health & safety sectors tend to evidence their assessment of security, health and safety risks with data than, say, private security consultants and security providers. That certain sectors are more advanced in this way than others, however, has probably less to do with any technological edge and more to do with the fact that they’re simply more accustomed to taking quantitative approaches to risk. From our work in the private security consulting space, we know that any respectable consultant
bases their work on an appropriate standard, such as ISO31000 Risk Management, HB167 Security Risk Management, and ASIS International’s Enterprise Security Risk Management (ESRM) Guideline. A consultant may also have regard for the government’s Protective Security Requirements (PSR) guidance, which itself advocates a risk-based approach based on ISO 31000. Either way, ISO31000, HB167 and ESRM are all quite aligned. But even with the right standards and frameworks in place, there is still the challenge of producing security risk assessments built upon a strong evidence base. When some security consultants talk about quantitative versus qualitative approaches to security risk management and quantitative versus qualitative security assessments, what they are often referring to is – specifically – approaches to scoring risk; a quantitative score referring to a risk rating expressed as a numerical value (e.g. 1 to 10), and a qualitative score referring to a risk rating expressed adjectively (e.g. ‘low’, ‘medium’, ‘high’). That’s great, but it’s certainly not a quantitative approach to identifying risk, and it’s definitely not data-driven. What us security consultants tend to talk less about is the use of quantitative approaches to the identification and assessment of risk
October/November 2021
