DTR010 The Three Stages of Risk Management

Downloadable PDF Resources

  1. English
  2. English/Spanish
  3. English/Russian

This module will take you through The Three Stages of Risk Management.

  1. Introduction
  2. Stage 1: Risk Assessment
  3. Stage 2: Risk Control
  4. Stage 3: Contingency Planning
  5. Summary

The information in this document is part of the Deltar
‘Level 4 Management Award in Advanced Risk and Crisis Management’


For any security manager, whatever their role and whatever the size of operation that they are responsible for, there are three fundamental issues that they will be dealing with, and it is likely that the vast majority of their daily work can be clearly classified as belonging in one of those three categories.

The first issue is, ‘What are the problems that I need to deal with?’. The second issue is, ‘What should I do about it?’, and the third question is, ‘What do I do if something goes wrong?’. To put this into more technical terms, we are talking about Risk Assessment, Risk Control and finally Contingency Planning. This module introduces these three basic concepts, and shows how they act as the foundation for all security management operations.

Stage 1: Risk Assessment

The purpose of the Risk Assessment is to take all of the thousands of possible or potential risks that might occur, and to give them some kind of comparative value. This will allow us to decide which of them is more serious, and which need to be actively managed. The truth is that if we take any simple situation – walking from our home to the train station, or delivering a package from our warehouse to a client, for example – there are literally hundreds of possible scenarios that could be considered as risks, from the road being closed or the tube being disrupted, to a twisted ankle or being mugged, and on to a major terrorist attack.

As an example, a risk assessment carried out in a factory might identify realistic possible threats such as workers stealing goods; an electrical breakdown that would stop the production line; a hole in the fence; a phoned-in bomb threat; suspicious activity outside the main gate; a major terrorist attack somewhere nearby, but which would lead to the police putting a cordon around our factory so that no-one could get in, or a breakdown in the access control system.

This is the first stage of a Risk Assessment, in that we have Identified Potential Threats. However, that is only the first part of the process, because we then need a way of putting them into some sort of order.

The accepted way of doing this is to create a Risk Matrix, based on two measures: Likelihood (the likelihood of an event occurring) and Impact (the disruption that event would have on our operations if it did occur). Both of these measures can range from Low (unlikely, low impact) to High (very likely, high impact).

By using this system, we can give different threats different values based on different combinations of Likelihood and Impact. These can be broken down into five sections:

The Risk Matrix has been divided into five distinct Risk Zones, based on the Likelihood / Impact values. Each of these areas would identify a different class of problems, which would require different forms of solutions.
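As an added illustration (not part of the Deltar module), the following script scores the factory threats listed above on a Risk Matrix and sorts them by Comparative Risk Value. It assumes a five-point scale for Likelihood and Impact, Risk Value = Likelihood x Impact, and five zone boundaries chosen for illustration; the module does not define these, and the ratings given to each threat are constructed.

```python
from dataclasses import dataclass

# Assumed 5-point scale for both Likelihood and Impact (the module only
# states that each ranges from Low to High). Risk Value is their product.
SCALE = {"low": 1, "low-medium": 2, "medium": 3, "medium-high": 4, "high": 5}

# Five Risk Zones as upper bounds on the Likelihood x Impact product (1..25).
# The boundaries and labels are assumed for illustration, not the module's.
ZONES = [
    (4, "Zone 1: accept and monitor"),
    (8, "Zone 2: routine procedures (SOPs)"),
    (12, "Zone 3: active management"),
    (19, "Zone 4: priority control measures"),
    (25, "Zone 5: crisis-level planning"),
]

@dataclass
class Threat:
    name: str
    likelihood: str
    impact: str

    @property
    def risk_value(self) -> int:
        return SCALE[self.likelihood] * SCALE[self.impact]

    @property
    def zone(self) -> str:
        for upper, label in ZONES:
            if self.risk_value <= upper:
                return label
        raise ValueError("risk value outside the matrix")

# The factory threats named in the module, with constructed ratings.
FACTORY_THREATS = [
    Threat("workers stealing goods", "high", "low-medium"),
    Threat("electrical breakdown stops the production line", "medium", "high"),
    Threat("hole in the fence", "medium", "medium"),
    Threat("phoned-in bomb threat", "low", "high"),
    Threat("suspicious activity outside the main gate", "medium-high", "low"),
    Threat("police cordon after a nearby terrorist attack", "low", "high"),
    Threat("access control system breakdown", "low-medium", "medium-high"),
]

def ranked(threats):
    """Threats sorted by Risk Value, highest first, for management attention."""
    return sorted(threats, key=lambda t: t.risk_value, reverse=True)
```

Calling `ranked(FACTORY_THREATS)` and printing each threat's `risk_value`, `zone` and `name` gives the ordered list a security manager would work down when deciding which risks need active control measures.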

Stage 2: Risk Control

The purpose of Risk Control is to minimise the likelihood of any identified unwanted event occurring, and minimise the impact of any unwanted event that does occur.

Once we have identified the risks and given them a Comparative Risk Value, we can then identify those risks that can be most easily managed through our security systems. For example, if we have identified that the lack of access control means that unauthorised people are walking around our premises, the introduction of a Reception Desk and / or an entry-phone system could be one way of solving that problem.

In order to ensure that the most effective Risk Control measures are put in place, each identified threat should lead to the introduction of a specific Security Protocol / Procedure.

For example, if you are working in a situation where the possibility of a parcel or letter bomb is considered greater than normal, this would be identified during the risk assessment process. As part of your risk control measures, you would then develop specific security protocols to maximise the likelihood of identifying a letter bomb, and to minimise the effect of any letter bomb that might be sent. This might involve screening all incoming mail at a separate location away from the main offices. You might also have ensured that all mail-room and reception staff had undergone specific training to teach them how to identify suspicious packages and what to do if they were found. (Reception staff would also need to undergo the training in case someone hand-delivered a suspicious package, either themselves or using one of the major logistical companies.)

If a suspicious package was found, you could then isolate the area whilst a specialist police team was called. As this was identified as a high-likelihood potential threat during your Risk Assessment, you should have developed good relationships with the police units, who would be aware of the threat and may well have taken part in joint exercises with your staff to respond to a suspect package. All of these actions would be developed in response to the initial identification of a high-impact threat.

There have been a number of examples of letter bombs in the UK, and a company might be targeted because it is working in the pharmaceutical industry, or it may be associated with political or national issues that increase the likelihood of attack. In 2007, a single person sent seven letter bombs in the UK to companies associated with DNA testing and various traffic organisations. The Animal Liberation Front have also used letter bombs, as have Arabic organisations targeting both Jewish and Israeli targets, as well as Arab-language newspapers in the UK.

The first two stages of any risk management programme, namely Risk Assessment and Risk Control, are designed to prevent an incident occurring. The third stage, Contingency Planning, prepares you to react and respond as effectively as possible when something does happen. In some American risk management models, the difference between the proactive Risk Assessment and Risk Control stages, and the reactive Contingency Planning stage, is described as ‘Left of Bang’ and ‘Right of Bang’.

Stage 3: Contingency Planning

The purpose of Contingency Planning is to allow the security team to regain control of the situation, and return to normal operational status, as quickly and effectively as possible.

Once an incident has occurred, it is clear that it will have a negative impact on the normal running of the operation, whether it is someone forgetting the key to the front gate, disruption of your normal supply chain – or a water pipe bursting in the office above, and flooding your whole control room. This is exactly what happened at the main police control room just before the London Olympics.

Some of the issues involved in responding to a ‘Right of Bang’ situation will be covered in more detail in the Crisis Management module, but it is worthwhile noting that when something does go wrong, your response will almost certainly consist of a mixture of pre-planned options and responses that you create ‘on the hoof’. As the nature of the problem becomes clearer, and you gather more information, the effectiveness of the pre-incident preparation will start to kick in.

Effective crisis management is based on the ability to manage the transfer of information around a number of different stakeholders, make decisions under pressure, deploy teams and then receive information from them once they have assessed the situation for themselves. There is also the need to deal with Secondary Consequences, that is, the knock-on effects from the initial problem that will in themselves become problems for your incident management team.

The ability to respond effectively to an unexpected event is, in many ways, the ultimate test of a security manager’s effectiveness.


The role of the Risk Management procedure is to give the security manager the tools to create viable and realistic risk management programmes capable of responding to the thousands of potential incidents that could possibly occur. The truth is that the vast majority of a security manager’s time is taken up dealing with the same few situations that occur on a recurring (and often daily) basis. An effective security management programme should be able to identify the predictable normal incidents that can be dealt with using Standard Operating Procedures, those that need a higher level of management input and decision-making, and those that can be classified as crisis and which could potentially impact significantly on the wider organisation and its activities.

  • Risk Management has three component parts: Risk Assessment, Risk Control, Contingency Planning
  • Risk Value is based on Likelihood and Impact
  • The Risk Assessment identifies possible Risks, and gives them a Risk Value
  • Risk Control consists of Protocols introduced to manage the risks identified in the Risk Assessment
  • Contingency Planning is concerned with the Response Options that would be triggered if an unwanted event did occur
  • Contingency Planning is also concerned with Secondary Effects that can impact on the organisation as a result of the unwanted incident