Strange, the things that we remember. It must be near 20 years ago that I went to the University of Leicester one day when it and Loughborough were the only places that were doing security and risk management degrees (that you did through the post, still before online). A risk lecturer said to me: “In 15 years, we will all be risk managers.”
It stuck in my head because it expressed so many of my thoughts about security-risk: the tantalising prospect of quantifying the subject, as a way of making sense of a sometimes capricious and dangerous world, and to better express it to commerce and society, and political decision-makers.
However in an interview this week with a senior corporate security person, I found myself being given permission to give up my idea of risk. Namely, that you assess risk in terms of how likely something is going to happen (not only crime of interest to security managers, but flood, fire, risks to reputation and so on). And then what’s the consequence of that thing happening. You come up with a matrix, and rank the risks, whether in numbers one to five, say, or traffic lights (green, good; amber, keep and eye on; red, act on). And the idea of risk as a process, not a one-off check.
A couple of things (from memory) that the senior person said, that has shaken this 20-year assumption of mine about risk management. Say the corporate has a new building and on the 12th floor wants to make a gym, because while on the treadmill (literally, not just metaphorically all the time) you can enjoy the view. Fine, says the security person, but have you considered that if someone in that gym has a heart attack, the extra minutes it will take for a first responder to arrive, may be the difference between saving the victim and not? It may be that the corporate decides to keep the gym on the 12th floor anyway; the view is too nice; but at least a defibrillator may be sited on that floor instead of ground.
Another example; in the post-covid age of hybrid working, a CEO may work partly from home and in any case it’s the corporate’s business to secure the CEO’s home if he takes his work home. If the home is somewhere leafy, the risk of break-in is smaller than in the city. But what if that CEO wants some snazzy access control that he’s seen (because usually this is a male thing) in a Hollywood movie? No matter the expense and that it’s higher spec than the risk of burglary calls for. Likewise, the TV series Spooks and similar dramas that show exciting operations rooms, all glass and tech – tends to spark urges among corporates for the same. Style over content.
It was as if this corporate interviewee had given me permission to take an eye-patch off. Once I did, other things I heard fitted in, with how risk assessment alone is not how the real world works. A consultant remarked on how corporates when moving into a new office take incredible trouble over how the audio-visual sounds in the conference room, compared with how little consideration security gets.
And three senior and veteran security guys I was invited to sit down with this week, while they were yarning. Their conversation turned to stories of carrying valuables safely, and smuggling of prohibited items through Customs. One spoke of carrying a world-famous manuscript to its rightful home in a (torn) gym bag. A delightful image, fit for one of Flann O’Brien’s surreal novels (The Dalkey Archive, perhaps?). But the principle is general. Anyone who spends any time around Hatton Garden in London will hear of how the diamond traders carry their jewels around with them. Yet criminals know that also; hence Hatton Garden is a draw for thieves, and it cannot be a coincidence that one of the first Met Police experiments with CCTV in the mid-1960s was in Hatton Garden (read more on this link).
How does the community of diamond traders protect themselves? Risk management would assess a high risk of theft and the property is high value, so best have high security, hence the shutters and locks of the street’s many jewellery shops. But you have none of that security once you step out, to do business in Antwerp: all the more cause to have security? Instead, the traders have long used the idea of ‘hidden in plain sight’; that a golden fish is safest if painted grey like the rest, among the shoal. The trader carries a briefcase, maybe; but the diamonds are in little pockets on his person. If he should be stopped by Customs, he requests a private search, as he does not care to have his goods worth millions of pounds on show at some airport desk.
If ‘hidden in plain sight’ works, does it owe more to risk management, or the insights from sociology and psychology?
We can see risk assessment as part of the great ‘measure of reality’, to take the title of a book by the American historian Alfred Crosby, sub-titled ‘quantification and western society, 1250-1600’. He and other scholars have shown how in that era western Europeans began their measuring of time and space, which explains so much of our last few hundred years: voyages of exploration, maps and book-keeping, trade in precious goods (and slaves); empires, and wars with anyone in the way of conquest. Risk has a place there. Consider that merchants wanted certainty that their goods would arrive; certainty impossible to have, thanks to the weather. Hence insurance. For insurers to do their work, they need news (‘intelligence’), and hence the first newspapers, and the coffee shops to read them in. As that suggests, it’s hard to disentangle the connections between risk-taking, commerce, and culture.
The biggest UK private security issue last year, this year and next is the likely Protect Duty. It may be that it’ll be most important not for its stated purpose – the legal responsibility on the owner (legally and in risk terms) of a ‘publicly accessible location’ – but for the implied working out of who owns what piece of ground. The Home Office is not offering an exact number of PALs (its estimate; 650,000). A PAL is a beach, park, church, churchyard, bridge, plaza. The Protect Duty in this sense is of a piece with the videoing by Google and others of public space from the road; it can seem to amount to a mania to quantify things. To quote another book title, Shoshana Zuboff has argued that we are into ‘the age of surveillance capitalism’. Although it’s a long book, she has little to say about actual surveillance tech such as CCTV; she means the likes of Google using their products to analyse and monetise our everyday moves and doings; to her (to quote the sub-title), ‘the new frontier of power’.
We can read in culture the push-back by thinkers against surveillance, and for some privacy, notably in George Orwell’s 1984, still relevant (how did Orwell in the mid-1940s know such a thing as gait analysis would come to pass?); and the 1960s TV series The Prisoner, recently re-run on The Horror Channel, and impressively predicting cordless communications devices, and video surveillance (interestingly, each camera in The Village having an operator, like in a TV studio; when the actor Patrick McGoohan wrote the scripts in 1967, CCTV control rooms were still being invented).
I have gotten away from risk. Perhaps that is the point; that risk assessment and management is valid, as rational and material; but valid also is the emotional, and the irrational even. Again, writers have long expressed these two sides of humanity: the Enlightenment and Romanticism; the (to quote two phrases of Arthur Koestler) Yogi and the Commissar; the Lotus and the Robot. It’s a poor security manager – or one that may feel they’re forever banging their head against a corporate brick wall – that only takes account of the risk.