Consistency in security risk assessments

If you ask two security consultants to provide a security risk assessment of your premises, you will most likely receive two different results. A main cause of this is that security risk assessors commonly identify risks as being simply extreme, high, medium or low. This is done by assessing the likelihood of a risk as rare through to certain and rating the consequences as insignificant through to catastrophic. This approach provides a quick result, but the results will vary between individuals.

A significant problem with this approach is that any risk with a catastrophic potential consequence is invariably rated as being an extreme or high risk, no matter how unlikely the risk is. An example of this is the risk of terrorism. This risk is often rated as the highest risk to a site, even if it is inconceivable that this risk would occur. The other obvious problem is that different risk assessors will view the likelihood of risks occurring differently, so the level of risk the assessment says you are exposed to will depend on who carried out the assessment. This is a particular problem if the client has a number of properties that they need assessed.

Another approach, and one that we use in our consultancy practice, is to quantify the risks as far as possible. Instead of rating the risk of burglary, for example, as being medium or high, this approach looks at the local crime statistics and identifies the number of times per annum that the client can expect a burglary attempt. The method then looks at the security measures, whether in place or proposed, and, through a standard spreadsheet, identifies the likelihood of an attempted burglary succeeding. This provides the number of expected successful burglaries per annum. All the potential consequences of burglary, e.g. value of losses, property damage and interruption to operations, are then applied to this risk to determine a consequence value. From all this data, the spreadsheet produces a relative risk score. As consequences vary between clients, as does attractiveness to a burglar, spreadsheets need to be developed for each type of client. Because this approach uses standardised spreadsheets, different risk assessors will provide identical results.
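The two approaches side by side, as an added example that is not the author's spreadsheet. The matrix layout, the intermediate scale labels, the scoring model (independent security measures, score = expected successes x consequence value) and every figure are assumptions constructed for illustration.

```python
from math import prod

# Constructed 5x5 matrix in a commonly seen layout (an assumption, not from the article).
# Rows: likelihood rare..certain; columns: consequence insignificant..catastrophic.
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "certain"]
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "catastrophic"]
MATRIX = ["LLMHH", "LLMHE", "LMHEE", "MHHEE", "HHEEE"]
NAMES = {"L": "low", "M": "medium", "H": "high", "E": "extreme"}


def qualitative_rating(likelihood, consequence):
    """Look up the rating; the inputs are the assessor's own judgement."""
    row = MATRIX[LIKELIHOOD.index(likelihood)]
    return NAMES[row[CONSEQUENCE.index(consequence)]]


def quantified_risk(attempts_per_year, stop_probabilities, consequence_value):
    """Return (expected successful events per year, relative risk score).

    Assumed model: each security measure independently stops an attempt with
    the given probability; score = expected successes x consequence value.
    """
    if attempts_per_year < 0 or consequence_value < 0:
        raise ValueError("attempts and consequence value must be non-negative")
    if any(not 0.0 <= p <= 1.0 for p in stop_probabilities):
        raise ValueError("stop probabilities must lie between 0 and 1")
    p_success = prod(1.0 - p for p in stop_probabilities)  # empty list -> 1.0
    successes = attempts_per_year * p_success
    return successes, successes * consequence_value


def rank_risks(risks):
    """Order risk names by relative score, highest first."""
    scored = {name: quantified_risk(*args)[1] for name, args in risks.items()}
    return sorted(scored, key=scored.get, reverse=True)


# Constructed sample site: (attempts per annum, measure stop rates, consequence value)
SITE = {
    "burglary": (4.0, [0.5, 0.6], 25_000),
    "terrorism": (0.00001, [], 50_000_000),
}

if __name__ == "__main__":
    # Two assessors judge the same burglary risk differently.
    print(qualitative_rating("unlikely", "moderate"), qualitative_rating("possible", "moderate"))
    # A catastrophic consequence rates high even when the likelihood is rare.
    print(qualitative_rating("rare", "catastrophic"))
    # Same inputs, same spreadsheet logic: every assessor gets the same ranking.
    print(rank_risks(SITE))
```

With these constructed figures the matrix rates terrorism as high, while the quantified score ranks burglary well above it.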


Author: Simon Walker

Simon established Connley Walker Pty Ltd in 1996. He is a Fellow of Engineers Australia, a Registered Building Practitioner, a Member of the Australian Institute of Project Management, a Registered International Professional Engineer, a Registered APEC Engineer, and an SCEC Endorsed Security Zone Consultant. He is the author of the books Operational risk management: Controlling opportunities and threats, 2001 ISBN 0957907400 and Hospital and Health Care Security in Australia, 2009 ISBN 978-0-9579074-1-6.