practical skills and applied knowledge in Security, defense, and risk management


strategies for managing risk and security

A risk management strategy is any purposeful response to insecurity or risk; the strategy might be emergent or subconscious, but must aim to affect security or risk. The strategy is usefully distinguished from the controls—the particular actions used to change a particular risk, such as a guard acquired as part of a protective strategy. 

Many authorities on risk management have offered a set of recommended responses to risk or security that they usually term treatments, approaches, responses, or strategies. Unfortunately, many authorities use these terms interchangeably for strategy or control. Some risk management standards refer to approaches toward security or managed risks. Some private commentators use both terms (strategy and approach). The Humanitarian Practice Network talks about both risk management strategies and security strategies.

Confused prescriptions of strategies

The ISO prescribes seven strategies but does not define strategy, although it seems to regard “risk treatment” (“a process to modify risk”) as inclusive of strategy. The Canadian government follows ISO, with some reservations. The British Standards Institution has largely followed the ISO, but the British government has not ordered departments to follow any common standard.
Strategy is well defined in military contexts. Nevertheless, military strategists traditionally have not mentioned risk directly, although they routinely refer to security. In the last two decades, many governments have introduced risk management as a supplement or alternative to traditional security and defense strategies. For instance, in 2001, the DOD published a Quadrennial Defense Review with a declaration that “managing risks is a central element of the defense strategy”. Nevertheless, the DOD has no definition of risk management strategy or security strategy, although the U.S. Defense Acquisition University prescribes strategies for managing acquisition projects, and other departments routinely list strategies for managing security in certain domains, such as counter-terrorism.

The Australian/New Zealand standard (since 1995) and ISO (International Organization for Standardization, since 2009) offer a set of seven strategies that has proved most appealing, but not perfect, partly because some of the seven strategies overlap. For instance, "retaining the risk" is written to include both negative and positive risks, which overlaps with "pursuing" a positive risk. Similarly, "changing the consequences" involves mostly controlling the consequences of a potential event, but, as written, also includes the retention of financial reserves, which would not directly control the consequences at all and is better placed as a substrategy of retaining the risk. Trade associations tend to follow the ISO; otherwise, prescriptions tend to be contradictory. For instance, the Humanitarian Practice Network has identified three risk management strategies, three overlapping security strategies, and two variations of the risk management strategies, for eight overlapping approaches that actually shake out as substrategies to three of the seven strategies offered by the ISO.
Official authorities have tended to focus their risk management strategies on project risks, such as the US Defense Acquisition University’s four uncontentious strategies (avoid; control; accept; transfer). Other official authorities are focused on security strategies such as preparedness, resilience, continuity, and any other of a total of nine synonyms that largely mean controlling the negative consequences of a potential event—which is only one of the seven strategies offered by the ISO. The Institute of Chartered Accountants of England and Wales suggested four effective strategies, which were most influential on the British government. Subsequently, the Treasury prescribed (and most other departments adopted) five risk management strategies known as the “five Ts”. The British government’s project management standard (PRINCE2) follows similar strategies but knows them by other words. These five Ts also contain impractical overlaps and separations. For instance, treating and terminating risks involve essentially the same activities – terminating the risk would be the ultimate effect of perfectly treating the risk.

The 6.5 “T” Strategies

Clearly, the current offerings are unsatisfactory. The authoritative prescriptions do not agree on even the number of strategies. Some of their strategies align neatly, but some contain substrategies that are placed under different strategies by different authorities. Some strategies are separated but are really variations of each other. Some offerings are very narrow. Most surprising, no authority admits diversification, a routine strategy in many domains, especially finance. Similarly, no authority explicitly admits the possibility of turning a risk from negative to positive. Combining these observations, I have rationalized the competing prescriptions into a more practical taxonomy, with due emphasis on strategies that are usually conflated or forgotten, while reducing the redundancies and overlaps.
I offer six primary “Ts” (tolerate, treat, turn, take, transfer, and thin the risk), but acknowledge that treat sometimes extends to terminate, so we might know them as the 6.5 “Ts.”