DTR009 Risk Management Strategies

This module will take you through Risk Management Strategies.

  1. Introduction
  2. Five Risk Management Strategies
  3. Avoid
  4. Reduce
  5. Share
  6. Transfer
  7. Retain
  8. Summary
  9. Main Points

The information in this document is part of the Deltar
‘Level 4 Management Award in Advanced Risk and Crisis Management’


Introduction

Although the overriding objective of Security Management could be encapsulated in the slogan ‘Reduce Risk, Increase Safety’, deciding which approach is most appropriate depends on a wide range of factors, including operating environment, organisational risk culture, resources, management support, potential loss and other (competing) strategic objectives. For example, it may be part of the company’s strategic objectives to develop operations in new markets in Eastern Europe or Africa. There would obviously be risks associated with these moves that would not apply when working in the UK or a developed western European market. However, the company’s management may consider these additional risks acceptable within the context of the business development project, and it would be the responsibility of the security manager to develop an appropriate strategy to manage those risks in line with the company’s wider strategic objectives.

Given that it is impossible to completely eliminate risk altogether, there comes a time when there must be an acceptance of a certain level of risk – or at least, uncertainty. In order to keep risk management relevant to situations in the real world, there is a recognised concept of ‘As Low As Reasonably Possible’ (ALARP). This means that whilst we have a responsibility to both identify and manage risk, we cannot be expected to try and eliminate every single conceivable risk, however low its possibility might be.

Five Risk Management Strategies

There are a number of ways that potential risk management strategies can be categorised, though most models generally consist of between four and six different approaches. Here are five of the most widely accepted options. As you work through the study course, you will recognise these as coming up time and again within different security management contexts.


Avoid

This is done by acknowledging the risk, and changing your own activities in order to avoid the possibility of an incident occurring. Examples might include not moving into new markets in the example above, banning the use of personal computers in order to minimise the possibility of an electronic virus contaminating the company computer system, or keeping visitors to a production facility restricted to certain areas, whether to avoid industrial espionage or potential accidents.


Reduce

This is done by introducing protocols to minimise the possibility of an unwanted event happening, and to minimise the impact of any unwanted event that does happen. For example, suppose a company had lone workers visiting outside sites, and had identified that as a potential risk. Requiring them to log their movements ahead of time with the HR or security department, and then to call in both before and after the visit, would reduce the likelihood of something happening during those visits, and would limit the potential harm if something did happen (by allowing the HR or security team to become aware of the situation at the earliest possible moment). Similarly, introducing a ‘Meet & Greet’ process at the front gate reduces the risk of potentially unwanted visitors gaining access to a building.


Share

Many of the risk management strategies that have been accepted within the wider security management framework originally started in Supply Chain Management (SCM). It is a feature of SCM that each player is dependent on the link before them in the chain, so that the final ‘customer’ who is awaiting delivery of the vital piece of stock is relatively powerless to control that process. The concept of sharing the risk is actually more concerned with sharing potential loss. Under this system, each person would face financial penalties if they did not deliver according to agreed terms. Within a wider security management context, sharing risk can be seen as a way of minimising potential liabilities.


Transfer

By transferring risk, you are in effect outsourcing the responsibility for the management of the risk, and any possible consequences. The retention of a specialist crisis management agency to handle crisis situations overseas is an example of sharing the potential liability for emergency evacuations, in a situation where it would be irresponsible to ignore the potential risk, but unfeasible to manage it in-house. Another example would be the decision as to whether to use a car-leasing company for the company fleet, or to own the cars outright. By using a fleet-hire system, the management of the risks – breakdowns, accidents, servicing, etc. – is transferred to the leasing company. One advantage of this system is that there is a clearly defined cost to this particular option – the fee you pay to the agency for the service that they provide.


Retain

There are two reasons for retaining risk. One is because the potential likelihood or potential impact is so low as to be deemed acceptable – the ‘We will deal with it if it happens’ approach. This is actually a very effective means of dealing with low-level risks, as long as the potential consequences of such risks are well understood, and there are clear protocols in place for dealing with them. For example, if in the example above the company decides to own its cars rather than lease them, then the risks associated with that decision would be accepted as part of the greater risk management process, but there would also be clearly defined protocols in place for when those situations did occur.

The other reason for retaining risk is if there is no feasible way of managing it through any of the other strategies listed. For example, the risk of an executive being kidnapped is one that would need to be managed if they were working in Somalia or Sudan, where such risks are a realistic part of operating in that region, but would not necessarily be part of the risk management strategy in New York or Zurich. It may be decided that the low likelihood of such an incident occurring there outweighs the prohibitive cost of insuring against such a situation.


Summary

Modern security management has grown beyond traditional concepts of merely protecting property, services and personnel. The range of present-day risks is creating challenges that require a fully integrated and professional approach to security management that is on a par with every other aspect of an organisation’s operation management. The modern security manager needs to have a strong understanding of the underlying principles that create the foundation for effective security management, and this programme will introduce those principles in a structured way over the coming modules.

Main Points

  • Security Management is always a balance between Freedom and Security
  • Appropriate levels of security can only be discussed in terms of the Perceived Risk / Threat
  • There is no such thing as total elimination of Risk; the best we can aim for is ‘As Low As Reasonably Possible’
  • Major RM strategies include Avoid, Reduce, Share, Transfer, Retain