Questions about risk assessments

Residential Security Handbook 2022: SMART Living Editor's Choice, Security Services & Risk Management, Residential Estate (Industry)

Risk assessments are a touchy subject in almost every industry. In the cybersecurity world they may be called vulnerability assessments, but the concept is the same. A risk assessment is meant to show where a customer, in our case a residential estate, is vulnerable to attack, and to suggest and collaborate with them on a plan to deal with these areas of risk.

The ‘resolving’ part is the first touchy part of the process. Some say you need an independent risk assessor (or consultant) that is not connected to a company that sells products or installs solutions, since this will give an impartial overview of your risks. Using a system integrator or guarding company to do the assessment, some would say, is bad as they are biased and will often do the assessment (or audit or site survey) for free in order to get business from the estate.

It comes down to the ethics of the companies and people involved, but with the economy only starting to show signs of life, it is quite believable that some would tailor their assessment to what they can provide. Of course, there are also those who say that the salespeople do the assessment for free, having an idea of what the estate can spend on security, and the result they suggest is remarkably close to that budget – in other words, they make decisions on behalf of the client without consulting them.

Of course, that assumes all security companies and service providers are unethical, which is definitely not true. Some want to do their best to protect their clients, but sometimes the budget and stipulations from the home owners’ association (HOA) or body corporate ensure that a shoddy job is the best one can do, and the service providers do the best they can.

Nonetheless, independent risk assessors are still in demand in many estates because of their impartiality and because of the overview they deliver of all the risks the estate faces – even if some of them are marked as less important and left for a year or two before budget is available.

Hi-Tech Security Solutions spoke to two independent risk assessors to find out what their experience is in the estate market, and how successful they are in getting HOAs to accept risk reports and address them in some fashion. The two assessors are Andre Mundell from Alwinco, and Lesley-Anne Kleyn from Kleyn Consulting.

Putting numbers to security

When it comes to security risk assessments, Kleyn says the objective analysis – turning subjective concepts into numbers – done by an assessor is critical to a successful security strategy for an estate, as it provides a measured approach to help the HOA channel its budget into the areas where it is most needed.


Lesley-Anne Kleyn.

Kleyn says this is the one method by which the HOA can meet with the relevant people and make informed, objective decisions based on numbers and not on the flavour of the day in terms of technology or the installer’s most profitable field of operation. Unfortunately, in her experience many estates (or even most) don’t take that independent approach.

Mundell agrees, saying many decision-makers do not take their jobs seriously enough until there is pressure on them from residents after a crime. He says there are three types of estates in his experience:

1. The Sticker Estate: These estates are focused on getting a sign on the wall saying they are protected by ABC Security and that’s it. They also like taking a ‘patch approach’ to security instead of looking at it holistically. These are the estates that don’t take security seriously until a terrible crime has taken place and people have to cover their rears.

2. The Unbalanced Estate: These comprise the vast majority of estates out there and have different levels of security in different areas. These estates don’t really know what’s going on in terms of security because they don’t have a security manager – some may have someone with that title, but the person is just a resident who got ‘volunteered’ into the position. The key question in Sticker and Unbalanced estates is who takes responsibility when something goes wrong (which is where the security manager, or often the security service providers, suddenly become important).

3. The Balanced Estate: These are the minority of estates which, as the name suggests, take a balanced approach to their security posture as a whole.

Those uncomfortable questions

The way Kleyn and Mundell recognise the type of estate they are dealing with is by asking questions related to security. A balanced estate will have the answers quickly from the HOA and estate manager (or security manager) because they know what is going on. The other estates take a long time to answer, requiring meetings and more often than not calling their service provider to get answers about the estate security. They don’t have set processes which are implemented and managed by the estate.

Naturally, an estate outsources certain aspects of security because the service provider is the expert in the field, but the HOA is made up of people who take responsibility for their estate’s security, and they need to know what the risks are, and oversee and approve the plan to deal with them. You cannot outsource responsibility or accountability. They should therefore be participating in the risk exercise, even though they may not have the knowledge to do the actual audit.

Without an efficient audit/assessment, the HOA will not know the current state of the estate’s security and can’t make good decisions – irrespective of budgetary concerns. As Kleyn says, first audit, then educate with the results obtained, and then one can proceed to make informed and relevant decisions.

The risk matrix is a common tool used in assessing risk in many industries, where the priority of a risk is plotted according to the probability or likelihood of it happening, and the expected impact or consequences. Mundell avoids this approach as he says if a risk has a probability of 1 out of 5 (a 20% chance of happening) it is considered a low risk. Even when the impact is extreme, the risk will only be rated as a ‘medium’ risk. When it comes to crime, he says you have to ask which crimes are in the ‘acceptable’ 20% and which fifth of your residents are the ones you are willing to expose to the risk. Another way he puts it is: “Which ten families are expendable?”

It’s all about informed decisions

Mundell admits he is always in trouble for his “direct speech” (he says asking your service provider to do a risk assessment is like asking your mom if you’re fat), but he says most HOA members are not qualified to make security decisions. They do more research into buying a car or their house than they do in securing their estate where their lives, and those of their families and other residents, depend on the security solutions they choose (never mind the assets they also protect).


Andre Mundell.

A little more tactfully, Kleyn adds that this is why an independent consultant/assessor is required. Since the HOA does not have the security knowledge required, an independent person is needed to present it with the facts of its risk posture, without sweetening the facts. Then they are in a better position to make informed decisions.

The reason independent assessments are not all that popular is that they take a holistic approach. In other words, it’s not about technology or manpower, it’s not about perimeter or visitor management, it’s about everything – including processes and procedures (the infamous standard operating procedures). They dig holes on the perimeter, open kiosks that haven’t been touched in years (except by bugs), check the network along the perimeter, check the power supplies, read through the procedure manuals and more. These days, they also look at additional digital issues such as POPIA, and more estates are asking about cybersecurity risks as well.

It is therefore understandable that the first time an estate has an independent audit there will be shock at how badly its risk is managed – because it is an all-encompassing ‘big bang’ approach. The HOA’s job is then to drill down into the report – which our assessors admit is more like a book than a 5-page report full of checkboxes – and use the information to decide on a strategy going forward.

The question of independence

We’ve all heard about independent consultants that have side deals or ‘favoured’ suppliers or integrators, and tend to tailor their advice in support of those companies. When it comes to risk assessments, both Kleyn and Mundell are adamant that it is critical for them to behave ethically when it comes to the advice they provide. They can have no ‘skin in the game’ when it comes to solutions or service providers.

The reason, apart from the ethical considerations, is that they are advising estates on how to protect assets, but most importantly the lives of their residents. Once the report is done, they work with their clients to find a solution that mitigates the risks in focus and need to guide them to find the best solution. Their reputation is on the line, as well as the lives of many people. The job must go to the company that is able to show it can deliver, whether it has a ‘connection’ on the HOA or not.

As Mundell puts it, you can’t be the referee and a player in the game. The risk assessor can’t get involved in the operational plan or rollout (apart from the advice provided). It is always worth remembering that independent consultants work for the client (the estate), not the vendor or the SI. The focus is on putting the best solution on the table and then working with estates to make decisions.

And while budgets are always a concern, this is not the assessor’s problem in the audit and assessment. The HOA is the decision-maker and budget collection agency once it has analysed the report and decided how to proceed.

A ‘secure’ estate or a secure estate

Security is a key issue for South Africans, and as a result, people who are able to buy homes in an estate or even a smaller complex always want to know about security. The problem is, the marketing people and builders always say it is a secure estate because it has 24-hour guard patrols, an electric fence and surveillance cameras – or some form of security. Very few people know to ask more about how the security is run, and what the processes and procedures will be in an emergency.

Kleyn ends by stating that there is a vast difference between estates – a secure estate and a gated estate, for example. A secure estate takes care of all the security issues from the perimeter inwards. A gated estate simply has security at the gate and the rest may be good or bad.

A last note from Mundell is: where is the control? Who is controlling your security? Is it the guarding supervisor who lives 20 km away or the onsite security manager? No organisation, whether an estate or a bank, can afford to give away the control of its security. Outsourcing services does not mean losing control; you may outsource the operational aspect, but the estate needs to remain in control and know what is happening on the ground.

Mundell says he has two types of customers from the estate market. The first is from an estate that is taking security seriously and doing its best to make its living environment as secure as possible; the second is from lawyers of victims of crime who want to know who was responsible for the security of the estate. Sadly, some estates only take security seriously when the second group starts making a noise.

This article has taken a direct look at some issues independent assessors face in their daily lives, but both Mundell and Kleyn note that it’s not all negative. There are vendors, integrators, installers and HOAs that focus on getting the best outcome and are always willing to sit around a table and discuss issues such as alternative technologies that can do the job at a lower cost. These are the people and companies that deliver results and do make a difference in the safety and security of residents, working to ensure they produce the optimal outcomes required.

