Home
 / 
News
 / 
Formalizing Processes for Risk Acceptance

Latest News & Updates

Featured
August 14, 2024
 / 
Articles
 / 
PPP
Why Are Police Responding to Incidents That No One (Including Police) Wants Them To?
August 13, 2024
 / 
Updates
 / 
ROI
New Infographic Combats Business Myth that ‘Security is a Cost Center’
July 10, 2024
 / 
Updates
 / 
Regulation
Ligue Earns a Voice on ISO Standards Technical Committee
June 21, 2024
 / 
Articles
 / 
Market Insghts
Financial Activity in the Security Industry: What’s Happening? What’s Next?
June 4, 2024
 / 
Enhanced Good Practice
 / 
Staffing
Increasing Female Industry Participation
May 13, 2024
 / 
Case Study
 / 
Mgmt Strategy
Considering the Value of Time in Assessing a Security Project or Service
Enhanced Good Practice
Backgrounder
Case Study
Updates
Briefs
Articles
July 2, 2024
 / 
Enhanced Good Practice
 / 
Threat Analysis

Summary

A decision not to implement recommended security measures should be part of a thoughtful process, one that is equally robust as approving security projects or expenditures.

Issue

Large companies often issue security guidelines for individual business units, and not every security measure will make sense for every facility. Nonetheless, corporate leadership teams should receive clear documentation from individual facilities with detailed reasoning for why they’re living with risk as opposed to instituting a security recommendation or adhering to a company security standard.

Benefits

Vulnerability can arise if facilities are allowed to simply ignore recommendations or if no one is required to take responsibility for accepting security risk; and formal process for accepting risk helps to reconcile opposing recommendations from different factions (these may include a security committee, Human Resources, building designers, facility management, sales departments, and others).

Process or Approach

There are legitimate reasons why a company or facility may choose not to adopt a particular security measure, including funding priorities, competing requirements and standards, physical site or structural limitations, historical or architectural integrity, or a negative impact on adjacent structures. But if a facility is aware of a security risk, as well as a countermeasure that will reduce it, management personnel in consultation with legal counsel should clearly document a decision against implementation.

When a recommended security countermeasure is not implemented, an organization might clearly document answers to the following questions (as appropriate):

1.      Why can the necessary level of protection not be achieved?

2.      What is the rationale for accepting the risk?

3.      What alternate strategies are being considered or implemented?

4.      What opportunities are in the future to implement the necessary level of protection?

In all cases, project documentation must clearly reflect the reason why the necessary level of protection cannot be achieved. Corporate teams can formalize their process by requiring individual facilities to complete a document anytime they deviate from the organization’s standard security practices or when they do not implement a recommendation in a security audit. A “Risk Acceptance Justification Form” can help document the acceptance of risk might be documented. To see a sample form, refer to the .pdf version of this Enhanced Good Practice available in the download library.

Imperative

Risk acceptance is a perfectly permissible outcome of applying a risk management process, but it’s important for organizations to understand and document the rationale for accepting risk, and to not simply ignore security recommendations.

ROI
Cyber
Regulation
Critical Infrastructure
Threat Analysis
Crime Prevention
Supply Chain
Market Insghts
Staffing
Mgmt Strategy
PPP
Public Spaces
Contracting
Cash