Why deterrence should not be part of your risk management strategy
Deterrent is a key element of security and risk management. But it’s a term that’s far too vague to base sound decisions on. Yet as a security consultant, I see this term used loosely by the industry. I’ve seen well respected people in positions of trust caught doing things that would surprise everyone, including their families. But the people involved still went ahead and did it, regardless of the consequences. What actually is a deterrent and who does it apply to?
In this article, I talk about my approach to managing risk and how it conflicts with common practice. The goal is that deterrent is an outcome of me doing my job. It’s never the starting point.
Please, let’s not talk deterrence
As a security consultant group, the last thing a client wants to hear is “I don’t know”.
I’ve been in the industry for 24 years and personally undertaken more than 400 risk security assessments on commercial property, all across Australia.
On three occasions last week I had to sheepishly say I don’t know.
It was embarrassing.
And the question I was asked was: If I implement X, will it deter people from breaking in again?
I can’t answer that question.
What is or is not a deterrent is highly subjective and can’t be qualified.
It’s like asking people about the weather. A 25-degree day in Melbourne is considered a nice day but someone from the UAE or Singapore will consider it cool or perhaps even cold. There isn’t a yes or no answer that can be applied to all people under all circumstances.
A well-regarded industry colleague summed it up perfectly for me. He said,
We don’t get to decide what a deterrent is – the bad guys do.
Yet, deterrent is a key element of security and risk management. In fact, it’s the first of the five fundamental principles – deter, detect, delay, deny and respond.
What does deterrence mean in security management?
According to Google, a deterrent is something that discourages or is intended to discourage someone from doing something. And from my perspective, that would be accurate. That is what we hope a deterrent is and does.
My problem is that the term is far too vague to base sound decisions on in respect to security.
Loss occurs when opportunity, means and motivation all come together. Let’s look at each of these.
As security consultants, we can definitely address ‘opportunity’. We can influence ‘means’ to a reasonable level. But we have no real influence over ‘motivation’. The aim is that by addressing opportunity and means, motivation is also addressed – that is, something becomes too difficult to attempt or the risk of detection is too high.
My approach to security is a very analytical one and I tend not to talk about things that I can’t influence or qualify. I really want to be in a position where I can say yes or no to almost anything a client asks me.
So my approach to managing risk is a little different and conflicts somewhat with what I’ve been taught over the years.
I consider everything we do to minimise risk as a treatment, not a deterrent. From leaving a light on at home when we go out, to putting a fence across the front of our property, we’re treating a risk, either real or perceived. When I start advising a client on security, I skip over deterrent. The goal is that deterrence is an outcome of me doing my job.
It’s never the starting point.
I consider everything we do to minimise risk as a treatment, not a deterrent.
And if I can classify a treatment into one of the four other categories (detect, delay, deny or respond), it means I can measure it. And If I can measure it, I can see if it’s effective or not.
It then becomes a yes or no answer.
Deterrence is a key aspect of Crime Prevention Through Environmental Design (CPTED). It’s believed that by ensuring our cities are built and illuminated and laid out in a certain way, that the risk of crime can be reduced. And I have no doubt that is the case – I’ve seen evidence of it many times.
However, as with all things, it will not be effective for all people at all times.
In November last year, there was a very serious assault on the St Kilda foreshore. One of the two young lads assaulted I have known since birth. I’ve watched him grow into a fine young man that avoids trouble rather seeking it.
The location where this assault occurred is almost perfect from a CPTED perspective – well illuminated, high levels of vehicle and pedestrian traffic and sight lines that extend for hundreds of metres. It’s also well covered by CCTV yet, the environment did not deter the youth who elected to knock this young man unconscious and then steal his shoes, mobile phone and wallet.
Nobody understands the motivation for this attack except for the youths who instigated it. And this is my problem with deterrence.
We simply can’t understand what will motivate some people to commit crimes.
Yet the security industry, have adopted deterrence as one of its fundamental principles.
At times, rational people will think irrationally. And other people won’t think rationally at all because of personal circumstances. They could be under the influence of stress, drugs, alcohol or financial pressures.
People will also act out when they have no fear of the consequences. One of the youths charged with the assault has previous convictions and has been jailed before. If jail was not a deterrent to his alleged offending, then what is?
I appreciate that there are outliers and exceptions to any rule. But when we talk deterrence, under what circumstances will deterrence work? 80% of the time? 90% of the time? Does it apply to individuals as well as groups? Does it work for people who are homeless as well as for those that have perfect home environments?
One thing I have learned over the years is that rational people do irrational things all the time. I know of bank staff who have covered CCTV cameras so that the pilfering of a safe would go undetected.
I’ve seen well respected people in positions of trust caught doing things that would surprise everyone, including their families. But the people involved still did what they did, regardless of the consequences.
The risk of embarrassment, being fired from work and placing themselves at risk of significant fines and penalties and even jail didn’t deter any of these people.
So what actually is a deterrent and who does it apply to? The fact is, we don’t know. Yet our industry continues to use the term loosely.
Deterrent is routinely used in all manner of circumstances. In New South Wales, they have double-demerit weekends where road users are subjected to heavier penalties for breaking road rules. Yet drivers are still penalised at comparable rates as non-double demerit weekends.
Music festivals are heavily targeted by Police with sniffer dogs as a deterrent to drug use. Yet our youth still overdose at alarming rates that sadly results in fatalities.
So if we ignore deterrence, what process do we follow?
We follow the ISO31000 process diligently to determine likelihood and consequences and then select treatments that will be appropriate for the client and their property. It’s not at all different, just deterrence is never considered in our risk management strategy because it can’t be.
And we make sure that every single treatment we recommend from simple solutions such as locks on doors to the more complex such as CPTED, can be implemented in a way that allows us to measure its effectiveness.
Deterrence, if it comes, is achieved once this process has been followed and only when the treatments have proven to be effective. It then becomes a process of good risk management that can be factually proven.
So instead, let’s view every action to reduce risk as a treatment, irrespective of what it is. That way, we don’t have to talk about deterrents, just outcomes.