What Does Good Security Risk Analysis Look Like?
When faced with security decisions, managers of complain that they lack the analysis they need to make decisions. Or, they say that the analysis they have received isn’t good enough to inform their decision. They’re aware that security analysis should provide the foundation for their decision and will enable them to confidently lead in risk management. In hostile, or challenging, environments the quality of the accuracy and quality of the analysis which informs decisions could be the difference between life and death. But what is security risk analysis and what makes it ‘good’, or ‘good enough’?
But what is security risk analysis and
what makes it ‘good’, or ‘good enough’?
Security risk analysis means different things to different people so it’s important that everyone in the organisation is clear on what it is…and what it isn’t. The most rudimentary understanding of the phrase “analysis” means the “resolution of anything complex into simple elements”. The word is derived from the ancient Greek phrase “análusis”, which means to investigate or to “loosen up”. Thus, analysis is both a product and a process. It’s interrogating a situation, or an issue, looking at all its components so that it can be better understood. Analysis should be supportive of the decision-making process in security risk management but is separate from it. Good analysis fully informs the decision maker in a way that is clear and constructive. Ideally, analysis should take a decision maker from a point of saying, “I don’t understand this issue or what we should do about it” to “I understand what is happening and have evidence for the decision I’m about to take.”
In security risk analysis the first step will be deciding what the problem or situation is that needs to be analysed. Security managers are often tasked with the vague tasks of ‘analysing the security environment in x country’ or ‘analyse the threats to our organisation’s staff globally’. These types of requests are unhelpfully broad and should be narrowed for the best result. Ideally, this will be around the specific problem on which the decision maker is looking to take action. For example, “next month we will be having elections in Liberia. We need to analyse the security risks to know what mitigation and contingency plans we should put in place.” Or, “there seem to be an increase in cross-border attacks in area X where we are planning to visit to do a needs assessment. Please analyse the situation so we know whether to make the trip.” Framing the question well helps those involved in analysis to provide what the decision maker is looking for.
Once the problem has been identified, the aim and scope of the analysis is established so the analyst can get to work. The next step is the collection of data, evidence or information. Good analysts will ensure that they have multiple sources of information so that data can be triangulated. Formulating a collection plan is a good means of understanding what sources are available and the questions that need to be asked. In humanitarian security, these sources are usually:
Open-source. Information that is openly available to the public. This includes media content, academic journals, articles from thinktanks or posts on social media.
Closed-source. Information acquired through private agreement, such as professional security providers, a forum or network of security professionals where information is shared – such as NGO coordination bodies - or simply personal contacts.
Information needs to be processed. This is where untrained analysts often fall short. They are good at collecting data but they simply present that to the decision maker as a list of events or information...
Following collection, the information needs to be processed. This is where untrained analysts often fall short. They are good at collecting data but then they simply present that to the decision maker as a list of events or information and the decision maker begins complaining that they haven’t received enough analysis. During processing the information collected is interrogated. The analyst will ask questions like:
What is the bias of the sources who gave the information – could the situation be being downplayed or inflated because of this?
Is this information credible?
Is this information first hand or third hand?
Are significant pieces of information confirmed by other sources?
One way to do this is to use the Admiralty Code which evaluates information based on the credibility of the data and reliability of the source.
After processing the information is ready for the final bit of analysis which is evaluation. During this the analyst will look for trends or patterns. The analyst will consider the type of work the organisation does, when, where, and the type of people involved. They will consider the intelligence which they’ve produced through their analysis and present that to the decision maker. It is only have data and information have gone through these steps can it be truly said to be ‘analysis.’
Good analysis does not predict the future nor does it make decisions. Decision makers have to do that. And, in complex environments with incomplete information, bias, and constantly changing security threats this can prove incredibly difficult. However, good analysis will provide decision makers with a good idea of the potential scenarios they are facing when they approach security risk management.