RISK MANAGEMENT

collaboration with security professionals provides a valuable, if not essential, pathway to a holistic risk assessment, management and mitigation process. Security in the built environment should be a structured and transparent process, with solutions tailored to the specific risks and needs of each project, and it is unlikely to be satisfied with generalised solutions. It must be planned and designed collaboratively with other disciplines such as architecture, civil and structural engineering, and landscape architecture.

While traditional threat assessments focus on motive and capacity (intent and capability), a comprehensive understanding demands broader examination. Group dynamics, past activities, ideological motivations, preferred attack methods, and the wider security landscape all play crucial roles. Different threats and tactics necessitate a tiered system for categorising their severity, ensuring clarity and precision. Table 1 provides an example of this gradation.

Vulnerability assessments quantify the likelihood of assets succumbing to an attack. They evaluate the effectiveness of potential measures (deter, detect, delay/deny, respond, recover (DDDRR)) and ensure no weak links compromise the entire system. Similarly to the graded threat levels, a vulnerability rating system can be established defining categories from very low to very high vulnerability.

The effective risk assessment process goes beyond just the who and how of potential threats; it delves into the likelihood of a threat materialising and the resulting consequences. By understanding these two factors, risks may be effectively prioritised and appropriate resources allocated. Traditionally, some consider likelihood solely as a function of threat and vulnerability levels. While this may work in certain scenarios, it may overlook crucial factors such as asset criticality and target attractiveness.
A highly desirable target under high threat with significant vulnerabilities will naturally have a higher chance of attack.

Table 1: Example of threat ratings and definitions (Source: Based on draft AM4.1 Table 2)

Very high: Capability and intent of antagonist are confirmed and demonstrated through numerous successful incidents against similar targets. Environment is openly permissive (ie, fully accepting of interference by others).

High: Capability and intent of antagonist are confirmed and demonstrated through past incidents against similar targets, but with varying levels of success. Environment is permissive (ie, not hostile), but not openly accepting of interference by others.

Medium: Capability and intent of antagonist are confirmed with few demonstrated past incidents against similar targets and with lower levels of success. Environment is not permissive or accepting of interference by others.

Low: Capability and intent are possible but unconfirmed, and no demonstrated successful incidents against similar targets. Environment is hostile to interference by others.

Very low: Capability and intent remain uncommunicated and speculative, with no successful incidents against similar targets. Environment is openly hostile to interference by others.

Consequence is the overall impact of a security event, encompassing areas such as human harm, financial loss, reputational damage and business continuity disruption. While these are common areas of analysis, other specific impacts may be relevant, depending on the project. The combination of likelihood and consequence determines the overall rating of a risk event, which is often visualised through a risk assessment matrix, such as the example in Figure 2, providing a clear basis for stakeholders to evaluate and prioritise risks. While attempts exist to quantify risk through numerical values, these should be approached with caution.
Security risk assessments are inherently qualitative, and assigning arbitrary numbers can be misleading.

Once assessed, risks must be prioritised for management or mitigation. This crucial step aims to identify which risks require active intervention and which can be accepted or tolerated. For example, very high and high risks may be prioritised for management to reduce both likelihood and consequence. Conversely, low-impact, low-likelihood risks can be accepted with minimal monitoring. However, other scenarios require more nuanced decision-making, such as risks with low likelihood but catastrophic consequences, or high likelihood but lower consequences.

Ultimately, very high and high risks should inform the development of most-credible, worst-case scenarios (MCWCS), which guide risk management actions. The prioritisation of risks and MCWCS should be formally documented in a project security brief to ensure awareness across stakeholders. Typical key outputs that built environment security risk management professionals deliver as part of the development of a security brief are shown in Table 2.

The risk assessment process would typically require the input provided by security consultants and security engineers. Security risk consultants focus on the big picture: assessing risks, developing comprehensive security strategies, and integrating physical, technical, and operational measures. They are the architects of the overall security approach, playing a leading role early on in planning and design, establishing the foundation and overall security strategy while ensuring harmony with other project goals. They may also offer input on new technologies. During construction, the consultant takes a light, oversight role to ensure the designed security strategy stays on track; post-construction, they become more involved, participating in security reviews, audits, and oversight activities to guarantee ongoing risk management.
Security engineers focus on the specifics: designing, implementing, and maintaining the technical and physical security solutions defined in the strategy. They are the builders and implementers of the security plan, and are primarily involved later in the detailed design and technical stages. They focus on designing, installing, and commissioning security equipment.

Figure 2: Example risk assessment matrix. Green indicates low risk, through to red being a very high risk. Axes: likelihood (Almost certain, Highly likely, Credible, Unlikely, Rare) against consequence (Low, Medium, High, Very high).

February 2024 www.cibsejournal.com (CPD Module 229, pp41-44)