Why Security Risk and Frontline Risk Management Is Everyone’s Business

Dr. Gav Schneider

The world is more complex than ever before. The issue of uncertainty based on disruption and change, happening at a rate that we have never experienced before, adds to the challenges of the way we manage risk as individuals, departments, and even at the organisational level. Dealing with threats (such as security risks) on the frontline of operations is now more crucial than ever. This is especially relevant based on the reality that reputational damage can reach epidemic proportions, via social media, from the manifestation of even the smallest or ‘insignificant’ frontline occurrence. The role of the security, safety, health, emergency response (SSHE) professional is becoming ever more difficult – with a shift to professionals needing to become more rounded and adopt multifaceted roles. Part of the challenge is that we tend to be reactive in the way we manage risk and respond to threats.

In a Volatile, Uncertain, Complex and Ambiguous (VUCA) world, where our work places have morphed and changed so quickly that policy frameworks and procedural guidance struggles to keep up, it is more important than ever that we think holistically. This is even more important in larger organisations where historical and structural silos have become the norm. The challenges of defining the differences, boundaries, and consequences, between issues, threats, and hazards such as cyber security, Workplace, Health & Safety (WHS), emergency response, fraud prevention, countering violent extremism (CVE), and security is very difficult, if not impossible in many cases. To put this in some context, in many cases this has evolved as per the below table:

Risk, Threat or Hazard Example of Responsible line structure
Fire risk WHS or Facility Management
Emergency evacuation Implemented via building and floor wardens
Cyber threat IT Department
Staff wellbeing and enhancing decision making skills HR Department
Physical security threat / Asset Protection Either facilities or security departments
Risk Management Governance risk and compliance structures

When one looks at the above examples, it’s easy to see how the gaps evolve. When one department has responsibility for one aspect of treating a risk and another department has responsibility for the same aspect but from a different angle there is either going to be duplication or gaps.

Grenfell Tower fire. 4:43 a.m. 14 June 2017

Even when it comes to the response itself, we are often so tied to historical approaches that we wait for something bad to happen before we improve future response. Outdated processes that were designed around singular response to a singular event such as a conventional fire based emergency evacuation are now, in many cases ineffective. In fact, when assessing recent incidents such as the Grenfell Tower fire in London, one could question whether the way these approaches were designed and applied actually works at all in the modern era. (See Editor Note below)

Building on this example, we need to examine integrated response and prevention, it’s easy to see how conventional evacuation processes and their application has its challenges.

Leading approaches in the field of emergency management refer to the concept of an ‘all hazards’ approach sometimes described as the ‘comprehensive approach’ as a critical success factor to effectively managing emergencies. When we have silo’s, we face many challenges. Simply implementing the Federal Government recommended ‘All Hazards’ – Prevent, Prepare, Respond, Recover (PPRR) model by trying to divide up the way we, prevent, prepare for, respond to, and recover from different events can be duplicative, costly, and will inevitably lead to gaps in our approaches. This is simply because in a VUCA world the ‘Unknown, Unknown’ factor is always present and there is simply no way we can plan for every event and expect  first responders to apply these complex plans and actions under the pressure of an intense adrenal dump.

Dave Grossman, well-known author and researcher, presents a conceptual view of people today where he subdivides society into three main roles, namely sheep, wolves, and sheepdogs.

The sheep is the person going about their everyday life, not wanting to be hassled or inconvenienced by security and safety concerns. Their safety and the safety and wellbeing of those around them is generally not a primary concern of the sheep.

The second role is that of wolves, who prey on the sheep due to opportunities or their own sociopathic or psychopathic tendencies. Although there is no doubt that there are some really evil people in this world, in many cases these wolves may not have direct nefarious intent. Some are preying on the sheep based on their circumstances, such as criminals who justify their actions based on need and risk (i.e. stealing to eat). It should be noted, however, that no matter how ‘noble’ their reasons for preying on sheep are, they may still cause significant harm to the sheep. Some examples of clearly defined wolves, are terrorists or career criminals. In many cases, criminologists have found that in their own heads, wolves may have justified that what they’re doing is right from a psychological, ideological, or religious perspective – even if it means blowing up a school bus full of children.  No matter how these wolves rationalize their actions, from our perspectives their justifications can never validate them harming other people in pursuit of their ideology.

Lastly there are the sheepdogs. Sheepdogs protect the sheep from the wolves. Generally speaking, sheep don’t like sheepdogs because they look like wolves. However, when the wolf comes knocking, the sheepdog is often valued above all else. The goal of the modern-day sheepdog has morphed – it is not possible to simply be a protector or oversee protective functions, we simply don’t have the resources or budgets to do this with the myriad of issues we face.

The goal now needs to include ensuring the sheep are educated, and empowered to develop and apply their own sheepdog capabilities. The premise of empowered personal risk management is for everyone to be able to find that little sheepdog inside themselves and be able to apply this when it counts. The sheepdogs who have made a career out of protecting the sheep, such as those in the military, law-enforcement, security, and related vocations, cannot be everywhere at the same time.

Because wolves are cunning, we need to further expand this capability and teach all of our people to look for the ‘wolf in sheep’s clothing’. Whilst the everyday person might tend to think of releasing their “inner sheepdog” only in violent situations, such as an armed robbery, assault with the intent of doing grievous bodily harm, etc. These are not necessarily the only situations that might require the release of the inner sheepdog. Think of situations like a fire breaking out in someone’s home, being involved in a motor vehicle accident, or a child drowning in a swimming pool. All of these situations will require sheep to dig deep, and find the inner resolve to help those in need, under immense pressure.

Another example may be basic cyber security. You might invest in the very best virus protection, firewalls and various other tools for your devices, but if your people click on suspicious email links sent from an unknown source, even if it is from their mysterious wealthy uncle living abroad, who would like to give them a million-dollar inheritance, they may land up infecting and disabling your entire network. In other words, spending money on protection is not beneficial if we do not apply an integrated approach, and simply believe that because we have taken basic measures we are no longer at risk at all.

A fundamental shift is required to help our people firstly to identify and acknowledge the sheepdog inside themselves (even if they are diametrically opposed to violence or truly don’t think something bad will ever happen to them), and secondly to develop the confidence and realization of the need to release it as and when needed. This is the foundational outcome we need to achieve in our organizations if we are to enhance the way we manage risk. It’s imperative that your people make the shift from relying on others to protect them, to accepting that responsibility for themselves.

It is important to ensure that as our people become more aware of the fact that there is a crucial aspect of balance.  It is noteworthy that, as people are more aware of their surroundings and what could go wrong, if unchecked, can lean towards them becoming paranoid. Being paranoid is just as ineffective as not being aware at all. The goal is to enjoy life to the full whilst at the same time being more aware of what’s going on around you. I believe that the one cannot exist without the other, i.e. you can’t truly squeeze the most out of life if you are paranoid or unaware. It is important that we teach our people to continually adjust the balance for themselves.

We call this balancing act Dynamic Risk Equilibrium (DRE). Living in fear of what “the wolves” might do and allowing that fear to dominate your life, actually translates to the wolves winning. It’s crucial that our people find a healthy balance between being prepared and enjoying life. The following simplistic diagram of the Dynamic Risk Equilibrium (DRE) may help you find this balance. We can interpret the diagram as follows:

The more security aware you are; the more comfort you sacrifice. Or alternatively, the more you cling to your comforts (e.g. taking a shortcut home, even though the shortcut leads through a dodgy part of town), the more you sacrifice on security. Both have a direct effect on you living a full life.

The more security awareness and balance you establish in the way your people behave, in and out of the workplace, the more buy in you will achieve to real risk management and resilience in your organization. The converse is also true. The more your people cling to your creature comforts and live in denial at the expense of safety and security, the more they compromise the ability to live a life marked by relative safety. It is important to remember too that as the name highlights DRE is dynamic and needs to be monitored and adjusted all the time.

In summary, some of the frontline risk management approaches that are working have unique attributes. These approaches tend to link policy and guidance with humanistic response and are firmly anchored in the world of reality, integrating key aspects of the psychology of risk seamlessly. As such, these approaches are more likely to work when we need them. Most of all they focus on building our own skills and those of our staff to be able to manage biases, be vigilant, act proactively, and be able to determine effective response based on strategic and tactical decision-making capabilities.

Lastly, there is the process of building real resilience into our people in case something does actually happen. This is important as research into accident causation shows that no matter how effectively we apply preventative practice, there is always a chance something bad can still happen.

 

Dr. Gavriel (Gav) Schneider FGIA, CPP, FIS (SA), FIML, FARPI, MAIPIO is an acknowledged leader in the field of human based risk management and the psychology of risk. He is a highly experienced, security, safety, emergency and risk specialist with decades of experience. He has conducted business in over 17 countries and provided a wide range of services for a very diverse client base ranging from heads of state to school teachers. He is a leading academic in his field and heads up the Post Graduate Psychology of Risk program at the Australian Catholic University (ACU). He is a much sought after international speaker and author. Dr Gav is the CEO of the Risk 2 Solution group of companies,  a group of 4 companies that focus on delivering innovative and cutting-edge solutions in the Risk, Intelligence, Safety, Security, Medical and Emergency response sectors – see www.risk2solution.com  for more information. Dr Gav is also the author of the highly acclaimed Can I See your Hands: A Guide to Situational Awareness, Personal Risk Management, Resilience and Security available for purchase from http://www.universal-publishers.com/book.php?book=1627341846

Editor’s Note

Grenfell Tower was a 24-storey residential tower block in North Kensington, London, England completed in 1974.

A major renovation completed in 2016 included new aluminum composite cladding to improve heating and energy efficiency, and external appearance.

A fire seriously damaged the building on 14 June 2017, causing 72 deaths and 70 injuries to the 293 people thought to be in the 129-flat (apartment) tower that night.

Determined to be accidental, the fire started behind a refrigerator in a fourth floor apartment.

Emergency services received the first report of a fire at 00:54 and burned for more than 60 hours.

Fire brigade crews arrived six minutes after the alarm and seven minutes later began to fight the fire.

Building fire policy instructed residents to remain in their apartments, the standard policy for high-rise buildings on the assumption that an apartment fire could be contained in the apartment. Due to this policy, the building did not have a central fire alarm system or sprinklers.

Fire breached the apartment, reached the exterior cladding via a kitchen window, and spread up the side of the building at a “terrifying rate.” By 01:29, fire reached the roof and was out of control.

The stay in place advice to residents was rescinded at 02:47.

Emergency response assets included 70 engines and 250 firefighters, 20 ambulances and 100 crew, a Hazardous Area Response Team, airborne units, and substantial police support.

The building was insured for £20 million. It is estimated the total cost will reach £1 billion due to a combination of litigation, compensation for deaths and injuries, rehousing and rehabilitation, the cost of demolition and rebuilding, and the possibility that other tower blocks may have to be improved or evacuated.

A formal government inquiry is ongoing at this time.

Summary of Failures

Construction

  • The building had only one stairway.
  • The cladding used in the renovation was flammable, and installation above four floors was not recommended.
  • The entire Grenfell Tower was clad.
  • Window glazing was not fire-resistant.
  • Building fire suppression equipment was outdated or expired.

Emergency Response

  • The initial fire commander testified that he was not qualified to command the fire suppression operation and that he suffered from “sensory overload.”
  • High-rise building firefighting training was online only, and incomplete.
  • Equipment available was insufficient. Firefighters depleted oxygen supplies. Ground equipment could not reach upper floors.
  • Emergency radio communication failed. Command communication was one-way using hand-written notes.
  • Prior inspection of fire protection systems and equipment was cursory or incomplete, and remedial recommendations were ignored.

Policy

  • The “stay in place” policy was based on fire inside the building. Fire engulfed the exterior of the building. All deaths and injuries were due to smoke inhalation.

 

Photo Credits
Cover: imagerymajestic at FreeDigitalPhotos.net
Grenfell Tower fire:.  Natalie Oxford, Wikimedia Commons

Print Friendly, PDF & Email

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.