1. Delivering Stronger Business
Security and Resilience in a Weak
Financial Climate
Chris Tomlinson
Arup Resilience, Security & Risk

2. My Agenda
The threat spectrum
The Risk-led Approach and the realities of Security
Risk Appetite
The boardroom view
Client Needs Detected
2
Client Needs Detected
Design-based Solutions
Operational-based Solutions
Standards in Commercial Preparedness
Key Takeaways.

3. The Spectrum of Threat
Terrorism
• Person-borne explosive attack
• Vehicle-borne explosive attack
• CBR attack
Terrorism/Extremism
• Person-borne explosive attack
• Vehicle-borne explosive attack
• Static
• Encroachment
• Penetrative
Crime & Antisocial Activity
• Violence Against the Person
• Acquisitive (theft /burglary etc)
• Personal
• Business – Insider Threat
• Penetrative
• Simplistic
• Mechanistic
• Criminal Damage
• Anti-social behaviour
• Vagrancy & Trespass
• Violent protest – not necessarily
unlawful
• Weapon attack
• Hand-carried
• Vehicle-borne

4. Threat Likelihood Impact Risk
Threat – adversary capability (history), intent and access to their
The Risk Calculus
Threat – adversary capability (history), intent and access to their
targets, do not forget the insider adversary
Likelihood – the tough calculation and absolutes are difficult to
come by – so relative likelihoods may be all that can be managed
Impact – this is the straightforward part – all about asset and
process vulnerability; and costs of denial/loss.

5. Serious Impact
Nuisance Terrorism
Theft/Insider Threat/Burglary
Workplace Intimidation/Violence
ArsonCriminal damage
Minor Impact
Civil Disorder
The Resulting Conundrum
More Likely Less Likely
Costs

6. Risk appetite, at the organisational level, is the amount of risk
exposure, or potential adverse impact from an event, that the
Threat Likelihood Impact Risk
There will be Risk Appetite
exposure, or potential adverse impact from an event, that the
organisation is willing to accept/retain. (Mark Carey - Deloitte
& Touche LLP)
An economically-conditioned balance between maintaining
profitability, while not facing reputational exposure through
culpable risk-mitigation failure. (Me)

7. Life Safety
Risk Appetite Illustrated in Counter Terrorism
Levels of Resilience to the Effects of Blast
Life Safety + Evacuation
Economic Reinstatement
Operational Continuity
All of which is a little
counterintuitive, given that
organisations normally say
that they are want to be
operationally viable after a
catastrophic event

8. Questions that might guide Risk Appetite
Identify headline risk impacts on life safety, economic
reinstatement or reputation
What adjacencies might increase or decrease risks?
What are the acceptable norms for protecting the
business – are there standards we can use as a
benchmark?
8
What risks can be treated, transferred, terminated and
what is left to tolerate – the latter lies at the core of risk
appetite?
Is there an Enterprise Risk Management process that
includes protective security?
Who reviews risk and how often?

9. Struggles to show real benefit, beyond the simplistic
e.g. effects on stock shrinkage – ROI badly
researched
Often ugly and oppressive, with a default setting of
heavy-duty, rather than subtle technologies
Adds operational friction – it slows people and stuff
down
Boardroom Views on Security
Adds operational friction – it slows people and stuff
down
Laced full of confusing standards and often do not
offer advice on sub-optimal ‘fixes’ – always the
Rolls Royce never the Honda Civic
Never linked to sustainability targets – e.g. ‘Carbon
Cost of Crime’.

10. Preparedness in the Private Sector
A survey of 263 senior executives from various companies
examined how they approach resilience and security
Five key areas were examined: physical security, IT security,
business continuity, crisis management, and pandemic planning
Approximately 50% said IT security, business continuity, and
crisis management at their company were "completely" or "very
coordinated" with enterprise risk management, while only 43 %
10
coordinated" with enterprise risk management, while only 43 %
said the same about physical security
21% of companies surveyed had a co-ordinator that oversees all
five preparedness areas.
The key concerns were: risk versus opportunity, due diligence
and duty of care (compliance and reputation protection)

11. Our Clients Want
Easy-to-understand risk analysis and deductions
Just enough – with an audit trail for what was agreed on and why
Scalability – things change and systems need to adapt
Early intervention – security as an afterthought is ugly and
expensive
A balance between security technology and operations – Capex
11
A balance between security technology and operations – Capex
versus Opex
Value-added in security solutions
To be convinced of a return on investment – not just financial
Functional and management convergence – traditional
stovepipes are challenged.

12. Design-Based Solutions
The trend is towards Internet Protocol solutions, but
buyer beware!
Convergence onto unified ICT networks, but….
Convergence of building management systems –
intelligent buildings
Smarter devices deployed – on-board processing
12
Smarter devices deployed – on-board processing
Adaptable plug and play (e.g. POE)
Biometrics and reliable recognition
Stand-off detection and automated tracking
Physical Security Information Management (PSIM).

13. Operations-based Solutions
Unified command and control – moving security to business
areas that are the ERM focus
Human Capital Risk – managing the insider threat
Boardroom education to value adds
‘Red-teaming’ – thinking adversary
Professionally develop your capable guardians
13
Professionally develop your capable guardians
Test and validate plans
Sharing best-practice – co-ordinate resilience planning with
other stakeholders (e.g. telecoms and lifeline utilities, local blue
light responders etc).
Professional organisation memberships – e.g. CSARN.

14. Standards, Best-practice and References
BS 25999-1:2006 & BS 25999-2:2007 - business
continuity management code of practice
ASIS International SPC.1-2009 – Organizational
Resilience: Security, Preparedness, and Continuity
Management Systems – Requirements with Guidance
for Use and other references
14
US National Fire Protection Association 1600 -
Standard on Disaster/Emergency Management and
Business Continuity Programs
The Conference Board report - ‘Preparedness in the
Private Sector – 2011’
Organisation specific e.g. BCO.

15. Key Takeaways
You cannot mitigate everything, so figure out what you can
handle as risk appetite – easier said than done
Doing nothing is not an option, but mitigation sufficiency is
linked to risk appetite
Get a risk assessment done and one that offers deductions for
best protective fit against form, function and budget
15
Scalability – things change (think about review programmes)
Have an audit trail for what was agreed on and why
Do it early because security as an afterthought is ugly and
expensive (and think sustainability)
Think about balances between security technology and
operations – ROI is important.

16. Questions
chris.tomlinson@arup.com
www.arup.com