Security Risk Registers

Tony Security

I was sitting down with a coffee on a Sunday morning a couple of weeks back watching the preliminary results of the Irish general election roll in. Early reports of a vote for change were on the news and I thought to myself how that change might look. The thought in my head was around how many security companies in Ireland would be reviewing their risk registers on Monday morning. Then I got to thinking how many security companies actually had a risk register. For many of my clients in the corporate world a risk register is a given. In the security industry (an industry built on managing risk) they are far less so. That’s what I want to talk about here. Firstly what a risk register comprises, why recent events should influence a security company’s register and why all security companies (no matter the size) should have one.

What is a risk register?

There’s a clue in the name. A risk register is quite simply a register (or list) of all of the risks effecting a business and the control measures (sometimes called risk treatments ) for these. We are all probably familiar with the health and safety based risk assessments we see in safety statements and assignment instructions. Company or corporate risk registers usually go beyond this and look at all types of risk which are prevalent in the business environment. These might include external risk (political and economic), environmental risks (weather ), operational risk (safety and security), strategic risk, financial risk and employee risk. These are just examples of the areas of risk to consider and each risk area would have its own list of risks.
The risks should be evaluated, prioritised and controlled like any other risk assessment.

Why was I thinking about it?


Like I said earlier it came into my head after the election in Ireland. I started to consider how the political change might influence economic change and how that might affect clients and in turn their providers. You can be sure that many of the large corporations operating in Ireland were studying the election promises of all sides and how it would impact positively or negatively. The post election reaction saw share price impacts across a number of sectors. Financial and future development decisions will be made based on this change. How many security providers are doing the same as their clients?


That’s just politics however. What about globally. How many security providers have looked at the recent Coronavirus (Covid 19) outbreaks and reviewed (or designed) plans for its potential impact here? That has the potential to impact across a number of risk areas such as operational risk (sickness outbreak on site) or employee risk (unable to staff sites). Aside from the very large providers I would assume that many smaller companies are waiting and hoping, or even are oblivious to these risks.

Benefits for smaller providers


Like I said above, I think that all security providers should consider having a risk register. This doesn’t have to be a overly formal or technical document. Just a realistic assessment of things that might happen. Many security providers in Ireland are small to medium owner operated business with less than 100 employees. The owners are often in the weeds delivering operations. There isn’t often time to sit down and think strategically. It’s definitely worth the time to sit down alone, or with trusted friends, or colleagues and think honestly about the future. What’s the plan in the event of a serous incident at a client site, a change in taxation laws, increase in mandatory wages or another recession? What about the death of an employee or the even higher impact of the death of the owner? This final one is something that’s difficult but vital for all small providers to consider. What happens to the company and all of its employees if the founder and owner dies? Who can access the bank to pay wages and who knows where all of the paperwork etc is stored?
This isn’t meant to be morbid or scaremongering it’s about sensibly planning for things that might happen. Analysing potential risks and putting in place plans at this stage can save time, stress and money when those risks happen. This might just be a conversation and some actions taken or you may choose to formalise it and design a company risk register. That decision will depend on the company, the size and the culture.

Summary


We want to be seen as a professional service so we have to start talking and behaving like one. Things like developing risk registers are common practice for businesses. Many of our clients have them and when something happens there is an expectation from them that their suppliers are just as prepared. Larger providers have the time and resources to develop these systems but it’s not impossible for smaller providers to be just as good. It takes some time, some strategic thought and some planning. Long term it provides structure, reassurance and a mark if quality.