Managing safety and security risks: What are the differences?

published on 2024-10-24 09:25:58 UTC by James Humphreys

Frank Cannon, Senior Consultant at Optimal Risk Group, explains the importance of recognising the difference between a safety and a security risk.

This is what Cannon is currently explaining to clients of Optimal Risk Group after they have called him in to consult on their Health, Safety, Security, Environment, Quality & Sustainability portfolio of business enabling services.

Whilst validating his thinking during our weekly in-house peer review session with his fellow Chartered Security Professionals, Cannon explains his thinking.

Science and research

The science and research around mitigating a safety risk is comprehensive and is robustly challenged across industry experts.

It is predominantly focused on the hazard involved in performing a known activity, and therefore, if you are not performing the activity there is an absence of risk.

Working at height or in confined spaces, performing hot works, operating dangerous equipment, lifting large objects, interfacing with energised systems, or using corrosive chemicals are all potentially dangerous activities that require risk reduction methods to enable the work to be performed safely.

The construction, liquid energy, industrial manufacturing, nuclear and the travel sectors all consider ‘safety’ as a primary concern when developing their work processes.

They educate and train their people to avoid and react to risk, they design-in safety measures, they prepare their response and they provide appropriate equipment to keep their people safe and enable them to regain control after an incident occurs.

They even implement and advocate a STOP WORK authority if things start to go wrong. They almost always include numerous safety statistics in their business performance metrics (KPIs).

They do all of this because they are expected to do so.

It’s a cultural norm.

It’s an obligation to keep their people safe.

It’s the law!

So why do they not approach security, or adversarial risk, in the same way?

Especially when considering that the nature of the risk always favours the bad guys.

Method of attack

The adversary chooses when the event occurs and thus there is no time to deliver an immediate pre-activity risk assessment or safety brief.

They choose the place, so there is a lack of ability to barrier off the hazardous area.

They also define what they are trying to achieve, ranging from theft or malicious damage to a violent act intended to cause injury.

Finally, it is the adversary who selects the method of attack, which could range from exploiting a cyber vulnerability to a fire or a physical attack using a vehicle, knife, gun, or toxic substance.

Another factor is that the adversarial risk requires an assessment of multiple elements that very few leaders think (or want to think) about.

It’s a combination of the intent and capability of the bad person, the vulnerabilities in the organisation’s defences and the likelihood (probability) and consequence (impact) of the attack itself.

The complexity of the variables involved in managing ‘security’ risk tends to reduce the senior risk owner’s interest, the resources they allocate, or their understanding of the impact on the business plan.

They tend to adopt the ostrich-approach to risk mitigation.

The risk owner for the safety and security risk is often the same person, but the approach is so different. Why is this?

Is it ignorance, complacency, or a willingness to cross the fingers and hope for the best?

Just like it was in the 1970s for safety.

Through engaging the right people and advocating behaviours that deliver a safe and secure workplace, Frank explains how he can educate, explain and thus influence how the senior leaders view risk in a holistic way.

Safety and security control measures

He advocates the need to demonstrate the benefits of investing in both safety and security control measures that increase the certainty of the business model.

His experience tells him that this is better achieved when measuring the negative impact of all risk against the business values, ability to meet the stakeholders’ expectations, and how it affects the bottom line – financial performance.

Joining a broad-church of like-minded partners is the pathway to success.

This embedded HSSEQ & Sustainability role within a billion-dollar trans-national company has reconfirmed two beliefs across the security professionals within the Optimal Risk Group: 1) seek out synergies with other disciplines within the organisation to promote collaboration and partnering at the strategic level, and 2) when working within a permissive environment, safety will always have a louder voice around the leadership table than security.

ORG believe it is incumbent on all protective security professionals to take every opportunity to educate the ostrich – especially if they are part of the C-Suite.

https://securityjournaluk.com/managing-safety-security-risks-differences/   
Published: 2024 10 24 09:25:58
Received: 2024 10 24 09:44:28
Feed: Security Journal UK
Source: Security Journal UK
Category: Security
Topic: Security