Phillip Banks PE, CPP The Banks Group Inc. Berndt Rif MSc. MBA DeNederlandscheBank

Transcription

1 Phillip Banks PE, CPP The Banks Group Inc. Berndt Rif MSc. MBA DeNederlandscheBank

2 Criminal Threat

3 Terrorist Threat

4 Terrorist Threat Belgium Netherlands France United Kingdom

5 Security Challenges in a New Threat Environment The new mission is PREVENTION not response We can not afford failure Limited resources (time, personnel, capabilities) Impossible to maintain constant 100% performance Need for an Alerting Trigger, an element that will focus the system s attention and will bring it to 100% performance when necessary. 5

6 The criminal and terrorist planning cycle 1. Marking 2. Intelligence Gathering 3. Surveillance 4. Planning 5. Tooling up 6. Rehearsal 7. Execution 8. Getaway 1. Marking 2. Intelligence Gathering 3. Surveillance 4. Planning 5. Tooling up 6. Rehearsal 7. Execution 8. Getaway

7 Past Events - Analysis Different Motives Different Places Different Timing Different Targets Different Scope Different Weapons and Means two common elements intent & capability

8 The Basic Process Create the good guy profile: Typical Legitimate Instance = The Norm Examine each instance and look for: Red Flags (suspicious signs) Deviations from the norm YES NO Possible Threat No Threat

9 Understanding the threat Looking for the intent = Looking for the person involved (can be the initiator or the platform ) Threat Categories: 1. Criminal 2. Terrorist 3. Intelligence Officer AMO s: 1. Physical Gate 2. Logical Gate 3. Human Gate

10 Risk assessment is a systematic response to uncertainty. 1 1 CSE/RCMP Harmonized Threat and Risk Assessment Methodology, October 23 rd, 2007

11 References and ties to the AS NZS ISO 31000:2009 Risk Management Principles and Guidelines Standard. 138 pages in length Includes: Introduction References Definitions Principles Risk program management and performance Risk assessment method & data collection

12 Threats are never static The business environment often drives threat levels Business moves faster than security Business is being transacted in new and evolving areas What process does business use to identify threats?

13 Practice risk management or become very good at crisis management. Your choice.. Risk Management? Crisis Management

14 Insufficient understanding of known and potential: Threat environment Risk environment Inconsistency in identification of risk and its potential impact to assets Inability to move quickly in escalating threat environments Potential serious liabilities

15 Creates Value Integral part of organization Part of decision making Systematic, structured and timely Based on best available information Tailored to specific assets Takes human and cultural factors into account Transparent and inclusive Dynamic, iterative and responsive to change Facilitates continual improvement Establish the context Risk Identification 1 AS/NZS ISO 31000:2009 Risk Analysis Risk Evaluation Risk Treatment

16 What to do? Is there management support/buy-in Do you have sufficient resources? Are they adequately trained? Developed risk management process? How do you establish priority? Squeaky wheel concept? How do you ensure compliance? And if not, what then?

17 How to do it? Assessment format: Qualitative terms, words & images Quantitative probability, statistics & mathematics Hybrid -? Plan, Do, Check & Act Model (PDCA) Assessment format/template: Big, small, automated? Resources, training, management & performance

18 Act Plan Check Do Plan Define/analyze the issue Do Devise a solution, develop action plan and implement systematically. Check Confirm outcomes against action plan and identify any deviations or issues. Act Standardize the solution, review and define next issues 1 Risk Assessment Standard, ASIS International, ANSI/ASIS/RIMS RA

19 Definitions & Assumptions Establish a framework Establish performance expectations (monitoring) Managing the process Establish critical information and its sources Define information collection and analysis protocols Understand what we know Identify what we don t know

20 Threat Adversary (ies) Capability Determination Preparedness Likelihood Past Events & Future Events Consequence Damage, Injury, Liability BIA Vulnerability People, process or technology Criticality

21 Identify the most controllable elements: Assets Threats Likelihood Consequence Vulnerability Resilience Establish the protocols you will use to address those elements Formalize the process Measure performance

22 Decision making protocols Management expectations Management reporting (bias free) Forecasts versus outcomes Program overview and audit

23 Phillip Banks PE, CPP The Banks Group Inc. Berndt Rif MSc. MBA DeNederlandscheBank th Ave Suite #387 Delta, British Columbia Canada V4K 5B The Banks Group Inc

24 Risk Assessment Standard, ASIS International, ANSI/ASIS/RIMS RA Risk Management Principles and Guidelines, Joint Australian and New Zealand International Standard, AS/NZS ISO 31000:2009