Lee Sweeney, Security Team Leader at City Hospital Birmingham, writes about the various forms of risk; and suggests parallels forming within security management, and risk management.
The term ‘risk’ has many inconsistent and ambiguous meanings, which variably mean different things to different people. The debate by many researchers such as Merkhafer and Harmus cannot seem to agree on one specific definition. Although there is considerable consensus that ‘a risk’ can be the probability (chance) of a particular hazard (negative-outcome) realising itself. However, a risk can and does also result in positive outcomes.
The term communication is defined as: ‘’ the activity of conveying information; to be successful the information must be shared and understood’ (Oxford:2011).
A study by psychologist Lola-Lopes has evidenced that’’ people perceive and calculate risk and the associated consequences from an identical scenario very differently’’. This is due to the psychological and cultural-issues experienced by the individual assessing the risk that is presented.(Lopes:Between-hope-and-fear-1987)
Psychological experiences are based on an individual’s life experiences and how they perceive the risk. For example, if an individual has been a victim of crime then they are likely to have been affected psychologically by the experience and are more likely to take precautionary steps to prevent the event from re-occurring.
Cultural experiences impact on the value and perception of risk through associated cultural-attitudes and beliefs. These vary between different cultural biases and socio-demographic groups. ‘Wildavsky and Drake’ have researched the cultural bias of risk takers and have split them into four main groups; fatalists, individualists, hierarchists and egalitarians. All of the cultural groups receive, absorb and transform the risk message very differently.
In terms of risk management the different perceptions of the risk message pose a difficult obstacle in the process of evaluating and quantifying risk; as what is a risk to one may not be a risk to another. This also applies during the assessment phase as the risk assessor may hold different views to the target audience.
There is a danger that all the hazards may not be identified through the process of risk assessment, or that the ‘risk’ associated with the hazard may not be communicated or understood by the audience. It is possible that the audience may have a greater awareness of risk exposure than the assessor themselves.
In order to mitigate this risk, a concept known as ‘’Risk Communication’’ has been devised. This is a mechanism that can be used to communicate the risk to the target audience ensuring it’s more likely to be understood. Risk communication is strategically linked to both psychological and cultural aspects of risk management.
‘’Risk Communication is an interactive process of exchanging information and opinion among individuals, groups and institutions.’’ (Society-for-Risk-Analysis)
Effective communication strategies take into account the human factors of the audience i.e. social, communal, emotional, professional and cultural experiences.
The perception of risk is largely attributed to the human emotion of fear. This is the one factor that ultimately increases or decreases an individual’s perception of risk and the level of fear can vary significantly between corporations and individuals and can change over time. Perception can be a reactive cognitive implication post-event, as well as the fear of an undesired event occurring. For example, a particular event may occur on a daily basis and result in no harm or damage but may then become an issue after an adverse event has occurred.
The risk acceptance profiles of individuals and corporate entities are different. What may be a high risk to an individual may be a low risk to an organisation or vice-versa. A number of risk management tools have been developed to measure or quantify risk. A successful risk communication strategy would deliver the desired message to the audience in an effective way ensuring the message is understood. To develop an appropriate communication strategy, the communicator must demonstrate an understanding of human communication in its simplest forms;
• Verbal: spoken-communication, relying on words and descriptive audio.
• Non-Verbal: body-language, interpretation of gestures and human behaviour.
• Visual: creation of visual representations
• Written: descriptive text in language.
Communication is only successful if the activity of conveying information is delivered and understood by both sender and receiver respectively. The sender or receiver need not be in direct communication in order to share the information thus communication can occur across vast distances and be ignorant to the concept of time. Communication can also be interpreted dependant on the physical environment and the recognised importance of the message by other individuals within the audience. Communication must also adapt a top-to-bottom and bottom-to-top transparent thoroughfare to be respected.
Security management is an integral element of risk and security managers have to rely upon the mechanism of risk communication in their everyday work as much as they have to rely upon the process of risk management.
A security manager must be capable of and confident in identifying the perceived risks and threats presented to an organisation by assessing; internal practises and procedures, physical risks to premises and the external risks to the organisation.
Once the level of risk is identified a security manager must be able to formulate and instigate a strategy to reduce the risks identified; to protect that organisation from quantifiable loss or potential harm. In order to communicate such risks to the organisation and attract ‘buy-in’ from the organisational board and stakeholders the security manager must be able to tailor the risk message to suit the target audience. By ensuring the message is transferred effectively and understood, the security manager will be able to seek investment in capital and revenue to deliver the security strategy long term.
The security manager must be versatile in communicating the risk message dependant on the scenario. The security manager must be confident in assessing the risk and be effective at communicating the identified risks and solutions to stakeholders. This process requires a political tact, an understanding of the organisational culture and human behaviour.
One example of a security manager using risk communication in a given circumstance is; the risk identified of windows being left open permitting access to an intruder. A security manager may suggest a variety of strategic solutions including:
• Window bars
• Physical security patrols
• Integrated alarm systems
These options may be costly and detract from organisational profits.
An organisation’s board may take the view that agreeing to these controls is disproportionate to the risk of a window being left open. However, it is only when the security manager communicates the risk in terms of consequence that the organisation may re-evaluate their initial view of the risk from insignificant to severe or moderate. i.e by communicating the likelihood and consequence of:
• Loss of assets through theft
• Staff members being placed in danger when lone working,
• Total loss of premises through arson and associated increase in operating costs and loss of productivity or,
• Data loss and the associated negative media impact contributing to mistrust of customer base and the potential financial devaluation of the organisation.
The change in opinion and understanding in this example would be attributed to the security manager’s ability to effectively communicate the risk message to the audience, ensuring the security manager secures funds and resources to achieve their primary role; to protect the organisation from loss or negative impact.
Once the message has been delivered and received by this target audience the security manager must then communicate the required messages to the other audiences. Local staff must understand what is expected of them in accordance with mitigating the risk in this example i.e. through locking doors and closing windows at the end of business and improved security awareness. There must also be a consideration in this example to communicate to the potential intruders, i.e. lighting, visible alarms, uniformed-patrols and cctv etc to help reduce the likelihood of the consequence occurring.
In summary, risk is inconsistent by nature given that psychological, cultural and cognitive issues separate the human emotion of fear to specifically identified risks. No single organisation or individual perceives or reacts to risk in the same context. It is vitally important that the security manager assessing the risk be confident in risk assessment and is aware of the information transfer difficulties in relaying the risk message to the target audience. To avoid communication failure the security manager must ensure appropriate examples are communicated and the appropriate form of communication utilised and ensure the message is not overly complicated or condescending.
Risk communication is a mechanism used for the process of communicating the risk message to the intended audience effectively; this is achieved by understanding and selecting the appropriate communication medium to allow for the information presented to be shared and comprehended by the target audience. The process is a key element in the security managers risk management strategy to assist in the delivery of the security strategy to an organisation.
In order to effectively deliver the risk message the security manager must understand the target audience in terms of psychological and cultural issues, internal and external attributes, corporate culture and cognitive reasoning to ensure the message is transferred, and understood within specific and tailored contextual boundaries. To achieve this, the security manager must be aware of the corporate culture and organisation behaviour and adapt a diplomatic and holistic approach.
Successful delivery of the risk message through an effective risk communication strategy will tailor for and evaluate the audiences interest and understanding of the risk message to ensure communication failure is avoided; allowing for stakeholder ‘buy in’ to support the security manager in the current and future delivery of the organisations security strategy.
About the author
Lee Sweeney works in security for Sandwell and West Birmingham Hospitals NHS Trust; one of the largest NHS teaching trusts in the UK.
Reference list:
Richard Pettinger: (fourth edition) Introduction to management
Martin Gill (2006):The Handbook of Security THOS
Standards: HB167:2006 Security Risk Management
http://en.wikipedia.org/wiki/Risk
http://en.wikipedia.org/wiki/Communication
Security Institute:Bulletins: 9,10,11
SWBH NHS Trust:(2011) June Risk focus article.
ASIS International: (Volume 1) Protection of assets.
Oxford Dictionary 2011: ‘Communication’
Lola Lopes: (1987) L L Between hope and fear
The Royal Society, London (1992) Risk Analysis, perception and management
Wildavsky, A and Drake, K. (1990) theories od risk perception; who fears what and why.
Lee Merkhafer: http://www.prioritysystem.com/bio.html
