Independent Security and Risk Advisors
Security BlogRead our latest security insights.

Should ‘gut feeling’ play a role in security risk assessments?


Do we need to prove that a risk exists before moving to minimise it?

The tragic events in Melbourne’s Bourke Street last month highlighted the difficult choices we face when an extremely rare but high-impact event has devastating consequences.

In our industry, evidence based reporting is a key component of security risk management. This means that unless we can find evidence of a threat and can link that threat to a vulnerability, there is no risk. That is the theory anyway.

We are expected to demonstrate that a threat exists, or could exist, under certain circumstances. Then we link that threat to a vulnerability of the property we are reviewing.

For example, a client who operates a high security facility recently asked if they needed to worry about intruders dropping into their property by helicopter. Evaluating the threat, we identified that:

  • The property is relatively remote.
  • There is no recorded activity of any helicopter flights in the immediate area.
  • There is no history of helicopter incidents or any other serious episode associated with the property.
  • There is no evidence of similar attacks anywhere else in the world on facilities like this using helicopters.
  • Local crime rates and pedestrian and vehicle movements around the property are low.

In essence there are no indicators of a helicopter attack threat.

Our final report touched briefly on the threat from helicopters and then moved on. When the client quizzed us further we said there was no evidence of such a threat, so how could we recommend an improvement? And what would the improvement be? How do you secure the airspace?

In this article we wrote last October, we spoke about the need for security measures to perform a given function. To be of any real value, they must either deter, detect, delay, deny or aid response. Otherwise what is the point?

Security risk management is not an exact science because we can only plan for what we can see or foresee. There are so many variables outside our control – the big one being people. Some people just do things that, even with the best of intentions, we simply cannot do anything about.

Most of the properties we advise on are privately owned. We typically work in the commercial and industrial property market. To put this into context, many properties we assess will be comparable in size to the average office tower or manufacturing plant. They do not extend to the streets and footpaths that people use to access them.

The January 20 Bourke Street tragedy is a classic example of an event that occurred despite police being present and highlighted the difficulty of predicting an extremely unlikely event.

In last month’s article, we spoke about the risks associated with motor vehicles, which are readily available and easy to operate. As shown here and overseas, they can inflict significant damage when we are not prepared for them.

Hindsight is a wonderful thing. I can’t help but imagine how we would have assessed the potential threat in a case like Bourke Street. If we had qualified the threat, what countermeasures would we have recommended? And more importantly, would the client have been happy to accept them?

Melbourne is teeming with motor vehicles of various types and sizes. Many travel fast near people and we’ve had numerous examples of vehicles ending up on footpaths, hitting people and property.

Overseas, the use of vehicles as weapons is widespread. Anybody who has studied terrorist incidents will know that anything from small cars to trucks and buses has been used with devastating effect.

In the Bourke Street Mall episode, there are few countermeasures in place to prevent vehicle/pedestrian impacts. How should we treat this threat, if at all?

Using the industry standard method for determining risk, I suspect we would have concluded that the likelihood of what happened was “rare” and the consequences “major” or “severe”. This would have resulted in either a medium or high risk rating that would suggest improvements are needed.

Because the consequences are so high, it can create an imbalance in the risk rating. We often see this in counter-terrorism risk assessments that find even a mildly successful attack would cause potentially catastrophic damage to the business. This can lead to an inflated risk profile for an event that will probably never happen.

We then have the challenge of explaining the risk to the client. More often than not, we will recommend would be classed as reasonable improvements relative to the likelihood of the event occurring. Rather than large-scale capital expenditure, they will mostly be operational improvements.

Sometimes the formal risk management processes do not tell us the whole story. This is partly due to the process methodology but also because we simply cannot pre-empt some events, regardless of how thorough the review process. That is because evidence of event X occurring on Y premises does not exist. Few people could reasonably foresee that it will occur anywhere, let alone at a specific location.

Moving forward, and not just due to what happened in Bourke Street, we will include a “sleep” consideration in our reviews. These recommendations may be based on little more than a “gut feeling” and the need for both us and our clients to sleep comfortably each night. We may not be able to substantiate them using evidence based reporting, but sometimes instinct or even a “vibe” tells you something real.

The rule in risk management is this: Threat plus vulnerability equals risk. If there is any hint of vulnerability that could even remotely contribute to a catastrophic incident, regardless of whether a threat is present, we will document it.

The rule in risk management is this: Threat plus vulnerability equals risk.

Peace of mind is an enormous part of good security risk management and something we have touched on before. I believe security is actually a state of mind.

Sometimes the formal processes we use don’t always support the decisions we want to make. If that’s the case, we may need to complement them with a gut feeling or even a vibe. If nothing else, it will help everyone involve get a good night’s sleep.

Matryx is proud to acknowledge the Aboriginal and Torres Strait Islander Peoples as the Traditional Custodians of the lands, and we pay our respects to Elders past, present and emerging.

© 2024 Matryx Security Consultants | All Rights Reserved