Security risk management refers to the totality of all processes involved in identifying, assessing, and prioritizing risks accompanied by the coordination and mobilization of resources that help to reduce, oversee, and control the likelihood or consequence of the threat. The aspect of risk management is applicable in all fields, including organizations that need to guard their valuable assets. For the sake of this discussion, the paper will focus on security and risk management control in the context of retail businesses.
The security risk manager refers to the person tasked with managing threats that may compromise the safety of an organization. Therefore, the role of a security manager includes, but is not limited to, the identification, assessment, prioritization, and mitigation of the probable risks facing the retail organization. However, the extent to which a security risk manager can control and mitigate risks in the retail business may be limited by various factors, including the type of risk, whether the risks are controllable or uncontrollable, and/or the strengths and weaknesses of the measures put in place to control different risks.
The Risk Concept
In the context of physical hazards, Hopkin (2012) defines risk as the probability of occurrence of an event that could lead to the compromise of a business’ assets such as loss, damage, modification, or unauthorized use of such capital for selfish illegitimate interests by individuals or a group. This class of risks constitutes physical harm to people. In a similar context, Newsome (2013) defines risk as the absence of security. Risk is also associated with four key aspects, namely, vulnerability, threat, impact, and probability.
Vulnerability refers to an existing weakness or error in the operation, design, or implementation of a system. A threat is an agent, an adversary, or an actor that can cause harm and whose ability to damage an organization is not breached or contained. The term can be interchangeably used to mean hazard. An impact may be defined as the prospect that the vulnerability to cause harm could be exploited. Finally, probability denotes the likelihood that an unprecedented risk will occur. These four concepts can be used to form a relationship termed as the risk equation, which is essential in calculating the level of risk the organization may be exposed to.
However, from a critical viewpoint, the argument by Newsome (2013) that security is the absence of risk is inaccurate because increasing the security of a retail business does not absolutely eliminate the chance of the perilous event happening. Hence, risk management is not outright. Therefore, the security manager cannot eliminate risk. Instead, he or she can only mitigate and control the threat to the extent that it occurs less frequently. For instance, no matter how many CCTV security cameras the retail business puts up, shoplifting will occur occasionally. Hopkin (2012, p. 34) emphasizes this point by stating, “Some customers may be put off, but equally the shop suffers negligible rates of shoplifting”.
Risk = (Vulnerability × Threat × Impact) / Probability
In a retail business, risks can be grouped into two main categories, namely, internal and external threats. Internal risks arise following events that take place within the organization while external hazards arise because of events that occur outside the institution. The two categories can be further divided into strategic risks, operational risks, reputational risks, financial risks, and locational hazards.
The security risk manager may be partially or fully involved in controlling aspects relating to these four types of risks. In the context of this paper, the aspects of each of the four classes that are relevant or controllable by the security risk manager will be highlighted. According to Busuioc and Lodge (2016), strategic risks refer to risks that pose a substantial danger to the attainment of the set approach. Examples of the risks that are controllable by the security risk manager include customer security and employee protection. In addition, according to Busuioc and Lodge (2016), retail organizations may face reputational risks that may damage or injure their reputation.
In most cases, reputational risks result from failure to effectively manage other hazards affecting the organization. For example, failure to control customer security and safety may harm the standing of the retail business. In addition, Hopkin (2012) notes that retail organizations face considerable financial risks, which include events that lead to the loss of organizational finances, for instance, the loss of business petty cash due to internal or external theft.
Operational risks relate to organizational hazards, such as financial, reputational, and strategic ones, resulting from day-to-day operations of the business. A case in point is the risk of shoplifting by some customers. Locational risks, as Nemati, Kolb, and Metz (2013) observe, relate to threats associated with particular locations or areas. Location can be in reference to the country, state, county, estate, and street. Therefore, the security manager in a retail organization should assess the risk that may be encountered following the setting up of operations in certain areas.
Measures to Control the Various Risks
Two types of strategic risks, namely, customer and employee safety and the welfare of organizational assets, are controllable by the retail security manager. To minimize these risks, the security manager should provide safe means of access by customers or employees to the premises through proper and effective frisking procedures at the entrance. Similarly, the risk manager should provide effective emergency response procedures in case the security of the premises is breached. The manager is also responsible for leading a thorough investigation into the weaknesses of the safety procedures after a breach has occurred with respect to the vulnerability, impact, and probability of the risk.
To control reputational risks, the security risk manager needs to ensure that appropriate measures are in place to control all other potential risks that may threaten the reputation of the business. Busuioc and Lodge (2016, p. 247) assert, “A “reputation-informed” theoretical approach to public accountability suggests that accountability is not about reducing informational asymmetries, containing “drift,” or ensuring that agents stay committed to the terms of their mandate, but…managing and cultivating one’s reputation vis-à-vis different audiences”.
From a critical perspective, the authors emphasize the need for the control of the reputational damage risk that threatens retail businesses. These measures can include settling security concerns, insurance policies that cover any claims of harm or damage to employees and customers in the case of an uneventful occurrence of a risk, and reporting to authorities when a security risk occurs for further investigation. Implementing these measures will ensure that the reputation of the retail organization is always protected from damage.
To guard the retail organization’s financial assets against loss, damage, or access by unauthorized persons, the security manager should first assess the effectiveness of the measures that have been developed to control financial risks before their implementation.
According to Hopkin (2012), the strategy will guarantee maximum efficiency through the allocation of the most effective resources that can minimize the occurrence of financial risks. The suggested measures of controlling financial risks include the installation of CCTV cameras within the premises, the employment of security personnel, installing digital locks that only allow authorized personnel in sensitive locations such as warehouses, proper frisking procedures at the entrance, emergency response measures, and a proper design of the premises.
Since different locations are associated with different levels and types of risks, Nemati, Kolb, and Metz (2013) propose the need for the risk manager to measure the risk-benefit ratio of setting operations in certain locations. The results of his or her assessment should then be used to advise the senior management accordingly. Moreover, the level of security should be measured depending on the extent of risk associated with a certain location. For instance, the manager should provide stringent measures when dealing with high-risk locations by committing more resources that reduce the risk to acceptable levels. Nonetheless, where it is impossible to control the risk, the manager should advise the senior management accordingly against setting operations in high-risk locations.
Uncontrollable risks are events that arise because of factors that are unknown or are not under the direct control of the security risk manager. The control measures of such risks are yet to be determined. In other words, uncontrollable risks are very difficult to measure regarding their impact, probability, and the vulnerability of the business. The risks can also be internal or external. Furthermore, each type of risk is associated with aspects that cannot be directly controlled by the security manager.
In such cases, the manager can only face them when they occur. For instance, the manager cannot control natural disasters such as floods, tornados, and hurricanes, despite their potential to attract considerable losses for the business. Therefore, the risk manager should be provided with an emergency rescue fund to counter such risks in the event they transpire. The risk manager can also ensure that measures are in place to deal with the management of the risks.
For example, the risk manager can advise the management on the type of insurance covers that the retail business can take to cover itself from huge losses following unexpected natural disasters. Political instabilities such as terrorism, violent political protests, and wars may pose a threat to the security of a retail business. In fact, as Boutilier, Black, and Thomson (2012, p. 3) reveal, “In terms of avoiding negative financial impacts, very little advice is available to companies about what they can do to reproduce the undesirable kind of political instability”. From a critical point of view, the authors strategically reveal how the security manager can do very little to control risks emanating from political instabilities directly or indirectly due to their uncertainty and their dependence on external security control measures, for instance, the police.
Technological advancements pose new unexpected risks to the organization. For instance, hackers may exploit the technological vulnerability of the business to hack into the security systems, for instance, CCTV cameras and digital lock systems. Consequently, they can gain unauthorized access into sensitive areas. In addition, robbers can exploit advancements in armory to steal from the premises, thus posing or causing harm to employees and customers. According to Morin (2015), the security risk manager may not control certain aspects of human error since they are inevitable to every organization or business, no matter how stringent the organizational security policies are. Unfortunately, opportunistic malicious persons can use some of the human errors to breach the security of the business, thus posing an operational or financial risk.
Extent to which a Security Risk Manager Can Control Risk
Customers’ and employees’ safety can pose a considerable challenge regarding the assessment and control of the vulnerability, probability, and impact of any threat. Proper premise management is critical in mitigating such risks. Moreover, poor control of such risks can damage the reputation of the retail business. The security risk manager can minimize such events through providing proper security procedures, ensuring that fire safety processes have been met, ensuring that the design of the premises accommodates emergency control measures, and installing security alarm systems.
The manager should also inspect the premises to ensure that safety procedures put in place are implemented. In addition, the manager should ensure that appropriate communication is disseminated to employees regarding security and safety procedures. Besides, the manager should reevaluate the likelihood, susceptibility, and impact of risks from time to time while making proper adjustments.
Since business operations are faced with challenges of different forms and magnitudes, it is the security risk manager’s role to ensure that control measures are put in place based on the results obtained during risk assessment. Girling (2013) recommends that the security manager should perform five critical tasks to apply in his or her risk management duties. These tasks include naming, evaluation, monitoring and control, alleviation, and resource approximation.
Therefore, these five components should form the bedrock of the operations risk management framework. To identify the risk, the manager should involve those concerned with day-to-day operations in identifying the types of risks they face. This process should be done for each type of operation. After the identification step, the risk manager should then assess the vulnerability, probability, and the possible impact if the risk occurred before calculating or estimating the hazard using the risk equation. This step is then followed by providing procedures for monitoring and controlling the risks. Successful mitigation of the hazard requires proper and effective delegation by the risk manager to the subordinate security staff members. Finally, the security manager should provide an estimate of the cost of the necessary resources that would be required during the implementation of monitoring and control procedures, for instance, the cost of installing and maintaining CCTV surveillance.
Different physical locations pose diverse risk challenges. Hopkin (2012) emphasizes the proper assessment of the safety of institutions as a major determinant of the success of risk mitigation. For instance, an area that experiences frequent robbery should have proper CCTV surveillance that may help to deter robbers from stealing from the premises. On this account, it is crucial to acknowledge that the role of the CCTV cameras is not to eliminate the risk of shoplifting or robbery.
Rather, such gadgets are meant to deter or discourage persons from performing the risky acts. To reduce such hazards, the manager should assess and/or measure the vulnerability and probability of the threat occurring. He or she should provide measures that can reduce the risk to acceptable levels. From a critical view, despite the uncontrollable nature of natural, political, economic, and technological risks, the security risk manager should strive to manage and/or lessen the extent of harm to the business following any unpredictable events. The security risk manager should also be involved in the design of the premises to recommend the location of sensitive departments. For instance, premises in high-risk areas should locate the cashier’s division in a secure location away from the entrance to reduce the vulnerability and probability of theft.
Based on observations made by Hopkin (2012), the manager can also control risks through influencing organizational culture, for instance, by organizing occasional safety seminars to educate employees on measures that they can take to minimize occupational and operational risks. This strategy will create an organizational safety culture among all employees, thus ensuring that they are more vigilant in minimizing risks.
Strengths and Weaknesses of the Risk Control Measures
The competency of the security risk manager plays a pivotal role in the successful mitigation of risks affecting retail organizations. An important aspect that needs to be considered during the recruitment of security risk managers is technical skills. Nonetheless, the managers under scrutiny should also possess other soft skills such as evaluation, developmental, architectural design, assessment, and reporting expertise to help them in performing their duties accordingly.
According to Hopkin (2012, p. 126), “the risk practitioner needs more than technical competence to successfully assist the organization with the design and implementation of risk management framework”. In other words, from a critical viewpoint, an incompetent security manager is a weakness to successful risk management and control in a retail business. For instance, an unqualified risk manager would have no idea how to conduct an effective risk assessment analysis or which measures he or she can take to mitigate the threats. Securing cooperation is a critical aspect of risk management.
Contrastingly, the lack of cooperation from employees can be a weakness that affects the successful implementation of risk control measures. In other words, it is paramount for the manager to involve all employees and customers to some extent to instill a level of responsibility and commitment in them. The availability or lack of resources can also be regarded as a point of strength or weakness in a risk management strategy. The availability of financial, physical and human resources is highly dependent on capital. Therefore, the level of financing in the risk management department can greatly influence its ability to carry out tasks that aid in controlling various risks that affect the retail business.
Measures That are More Effective in Controlling Risks
Measures that address the internal risks of an organization are more effective in terms of their implementation and success compared to those that address external risks. Examples of measures that address internal risks include premise risk management, operations risk measures, the recruitment of competent staff members, and resource allocation. In contrast, examples of measures that address external risks include controlling locational and reputational risks. Internal risks can be controlled more effectively since they are easier to identify, assess, and monitor, whereas the success of measures to control external risks depends largely on the external mitigation measures. Therefore, the risk manager should prioritize and commit more resources to the measures that control internal risks.
The Role of a Security Risk Management Budget
It is the responsibility of the security risk manager to estimate the budgetary requirements for security mitigation activities in a retail business. However, setting up a security risk management budget is not a straightforward process. It can prove to be quite problematic. In fact, as Fennelly (2013, p. 112) suggests, “Reaching an appropriate balance between adequate levels of protection and the cost of physical protection” is a serious challenge.
Critically, too little security risk management is commensurate to the increased risk. On the other hand, excessive security considerably mitigates and/or reduces threats and vulnerabilities. It also causes the business to incur high unnecessary expenditure. Moreover, excessive expenditure on a particular risk control measure at the expense of other risk reduction strategies implies poor resource allocation and hence an inefficient risk management strategy. In other words, excessive spending of scarce resources on one risk control step results in the unavailability of resources for additional risk control operations.
This argument underscores the importance of setting a risk management budget that is based on the needs of the retail business. For example, a common applied security principle is that the more openings and doors a building has, the more difficult it is to control its access. However, this situation may pose a great challenge to a retail business since its goal is to increase the accessibility of premises to its customers rather than limiting their access. In this regard, the security risk manager should weigh the cost of security against the convenience of customers and employees.
The decision to increase or decrease the number of openings and doors for the retail business should be based on what the manager considers an acceptable level of risk for the retail business. A suggested approach involves setting up a post-risk strategy and a supplementary budget. The strategy will cushion the retail business from further loss if the unexpected event continues for a longer period than expected. Regarding budgetary concerns, the manager should allocate more resources towards addressing the internal risks of the retail business while setting aside fewer or no resources towards controlling external risks. Measures that are aimed at reducing external risks have a higher probability of failure since they are dependent on other uncontrollable factors.
Conclusion
Risk refers to the probability of the occurrence of an event that results in the loss of an asset or damage to property. It may also lead to the accessibility of a protected asset by an unauthorized person. Therefore, risk management refers to all measures that are involved in the identification, assessment, monitoring, mitigation, and allocation of resources towards controlling risks. Various types of risks that affect an organization are controllable by the security risk manager.
The specificity of the risk depends on the type of business. With reference to a retail business, potential risks faced include strategic, reputational, operational, locational, and financial risks. The manager also faces risks whose cause is unknown and/or which he lacks direct control of. Such risks are regarded as uncontrollable. They include natural disasters, risks due to technological advances or weaknesses, risks due to political instabilities, and risks that arise due to human error.
A risk manager is also faced with various challenges in implementing various measures to mitigate the threats. The challenges include security staff competency issues, resource availability, managerial capabilities, and the lack of cooperation from employees and clients when it comes to adhering to security procedures. Overall, having an appropriate budget is pivotal to the success of any risk management strategy. Thus, the risk manager should provide an estimate of the costs of risk mitigation activities. However, the cost of resource allocation should be balanced to attain an efficient risk management strategy.
References
Boutilier, R, Black, L & Thomson, I 2012, From metaphor to management tool: how the social license to operate can stabilize the socio-political environment for business, Australian Institute of Mining and Metallurgy, Melbourne, Australia.
Busuioc, E & Lodge, M 2016, ‘The reputational basis of public accountability’, International Journal of Policy, Administration, and Institutions, vol. 29, no. 2, pp. 247-263.
Fennelly, L 2013, Effective physical security, 4th edn, Butterworth-Heinemann, Oxford, UK.
Girling, P 2013, Operational risk management: a complete guide to a successful operational risk framework, John Wiley & Sons, Hoboken, NJ.
Hopkin, P 2012, Fundamentals of risk management, 2nd edn, Kogan Page, London, England.
Morin, J 2015, The role of human error in successful security attacks. Web.
Nemati, F, Kolb, B & Metz, G 2013, ‘Stress and risk avoidance by exploring rats: implications for stress management in fear-related behaviors’, Behavioral Processes, vol. 94, no. 1, pp. 89-98.
Newsome, B 2013, A practical introduction to security and risk management, Sage Publications, London, England.