The following contribution was penned by John Schembri, CEO and co-founder of SHIELD Security Consultants Ltd
Risk professionals know that any risk derives from an event giving rise to consequences, a cause manifesting into effect.
While it is imperative that risk causation is accurately understood by risk professionals and their direct stakeholders, one can reasonably argue that, in the final analysis, risk can only be induced through two means or sources: (i) Nature and/or (ii) Humans. Such an approach streamlines the risk assessment process, adding value by saving on time and resources spent on unnecessary analysis.
Bearing in mind the systematic nature of risk management, it is essential to operate from and maintain a common standard, a framework upon which the process is built. In this regard ISO 31000:2018, Risk management – Guidelines and ISO 31010:2010 Risk management – Risk assessment techniques provide a sound basis. It is, of course, important to remember that any interpretation of the above should be made against a backdrop of complex systems and critical infrastructures.
The binary nature of risk
Risk-based approaches, whether mandated by EU legislation or deriving from international standards as statutory requirements, imply that the causes of risk need to be accurately identified.
Risk-based legislation and regulatory frameworks are common within the EU. The identification and designation of European critical infrastructures, and the assessment of the need to improve their protection, is a crucial requirement for both safety and security. This range of risk assessment covers multiple security interests, from enhancing ship and port facility security to the control of major-accident hazards involving dangerous substances. Other areas take a more humanitarian and environmental stance, from the aim to enhance global food security, civil protection and humanitarian aid to the European Green Deal.

As straightforward as this requirement may seem, it demands discipline on the part of assessors to ensure that identified risks are plausible, realistic and fall within the context of the specific exercise being undertaken. The concept of plausibility in evaluating risk is central to the application of the precautionary principle. The argument is treated with considerable depth and rigour in R2P2: Reducing risks, protecting people. HSE’s decision-making process.
To clarify, ISO 31000:2018, Risk management – Guidelines; Article 5, Framework provides a sound basis for a systematic, process-based approach to risk management. Interestingly, understanding organisations and the specific contexts within which they operate is a core requisite for a successful risk management process. Similar emphasis was given in BS ISO 31010:2010 – Risk management – Risk assessment techniques.
It is very safe to assert, therefore, that organisational factors relating to leadership, integration, context, and resources must be considered throughout the risk management lifecycle. Crucially, it is important to remember that risk assessment as a standalone activity is of little value; devoid of context and realistic risk causation scenarios and relevant criteria, it becomes worthless. Herein reside intrinsic dangers that all too frequently compromise the integrity of the assessment process.
Risk is therefore binary in nature, in that it can only result in two possible outcomes – it can simply remain a mere possibility or it can actually materialise, with subsequent repercussions.
The dangers of an over-active imagination
Excessive or unfettered imagination on the part of assessors who do not pay due regard to context leads to unrealistic causes being cited and unnecessarily evaluated. Subjective bias in applying risk criteria creates implausible scenarios, as does the compulsion to create scenarios that “fit” legal provisions. The risk (sic) of misapplying risk theory during the assessment process is real across various sectors of operational risk management and harms the overall integrity of the profession by perpetuating bad practices.
Hence the need to understand the fundamentals of risk within the overall context and objectives of the present argument, namely its nature, causation and defining criteria, or factors. It is legitimate to articulate risk as a causal relationship between a source (of the risk) and its consequences once the risk materialises through an event (risk reification is the technical term). Such is the binary nature of risk – it either happens or it does not, and when it does, the risk manifests as consequences.
John Schembri, CEO and co-founder of SHIELD Security Consultants Ltd, is an ex-Serviceman with eighteen years’ experience in operations and command. He specialises in conducting in-depth security risk assessments and designing security risk management systems. Since 2001 John has held a Master of Science degree in security risk management from the world-renowned Scarman Centre, University of Leicester, UK and a PG Cert. in OHS. In addition to this, John is a Specialist Member of the Institute of Risk Management, UK [SIRM] and is also a certified member of the Business Continuity Institute, UK [CBCI]. He therefore has extensive experience in risk management of critical infrastructure, specialising in resilience, digitalisation of risk management and constructing emergency preparedness and response frameworks for challenging environments.