4. Adopt a Risk Management Approach
A risk management approach will provide a framework to help you specify how you will manage the identified threats or risks to your most critical assets. The details of your approach will depend on your organisation and what best suits its business activity.
Whichever approach you adopt, it should contain an outline of the processes, techniques and tools your organisation will use to protect its valuable assets and how your protective security will be structured and performed.
The value of using a risk management process comes from the opportunity it provides for a systematic evaluation of threats. It also enables you to consider what you can do to counteract these threats. As a security manager, you should start your approach by addressing the following questions:
- Is there an existing risk management framework for your organisation? Who owns it and where is it located/stored?
- How often is your risk management approach or framework updated and how is it communicated to key staff, including senior executives, Board members and security managers?
- Does your approach or framework provide a step-by-step approach to maintaining critical activities and protecting critical assets in the event of a threat alert or incident?
- Does your approach or framework provide clarity on risk roles and responsibilities? Does it include information on the likelihood of a risk occurring?
- Does your approach target threats to your organisation specifically? Does it include how much risk you are willing to accept?
CPNI guidance and information on developing a risk management approach or framework is available via the links below.
- Personnel security risk assessment – guidance on assessing the risk posed by personnel.
- Security in the Supply Chain – examines the vulnerabilities in the supply chain and how these can be addressed.
- Level 1 Operational Requirements – process outlining the actions and investments required to protect critical assets against security threats.