"Your team performs at the level you set — not the level you hope for."
Risk Assessment and Management
Instructor Sele: Every security decision is a risk decision. The question is never 'is there risk?' — there is always risk. The question is 'what is the risk, how significant is it, and what are we doing about it?' This module gives you the systematic framework to answer those questions professionally.
Section 1 — What Is a Risk Assessment?
A risk assessment is a systematic process: identify hazards (what could cause harm?), evaluate likelihood (how probable?), evaluate impact (how serious?), recommend controls (what reduces it?), and review (is the control effective; has the risk changed?).
Risk assessment is not a one-time exercise — it is a continuous process that must be updated whenever the threat environment, the site, or the operational context changes.
Section 2 — The Risk Matrix
The risk matrix plots likelihood against impact to produce a risk rating. Critical risk demands immediate action — operations may need to be suspended until mitigated. High risk requires significant controls within 24 hours. Medium risk requires controls within 7 days. Low risk requires monitoring with standard precautions.
| Likelihood ↓ / Impact → | Low Impact | Medium Impact | High Impact |
|---|---|---|---|
| High Likelihood | Medium Risk | High Risk | Critical Risk |
| Medium Likelihood | Low Risk | Medium Risk | High Risk |
| Low Likelihood | Low Risk | Low Risk | Medium Risk |
Section 3 — Risk Control Measures
Risk controls are applied in a hierarchy from most to least effective: Eliminate (remove the hazard entirely, e.g. close a vulnerable access point), Substitute (replace it with something less dangerous), Engineer (physical controls such as CCTV, locks and barriers), Administrative (procedures, post orders, patrol schedules) and PPE (personal protective measures, the last line of defence).
The hierarchy matters: administrative controls alone are weaker than engineering controls, because a procedure only works while people remember and follow it, whereas a lock or barrier works whether they do or not. Effective risk management combines multiple layers, so that a failure in one layer does not leave the risk uncontrolled.
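The following risk register is an added example, not part of the course material. It encodes the Section 2 matrix and response timeframes and the Section 3 control hierarchy so that a register can be scored, prioritised, and re-scored after controls are applied (the review step from Section 1). The three register entries, the control names, and the "steps lowered" effect of each control are constructed for illustration; the check that flags a risk still rated Medium or above whose only controls are Administrative or PPE is an assumption about how a practitioner would apply the hierarchy caveat.

```python
"""Risk register model built from the course's matrix and control hierarchy.

Added example; entries and control effects are constructed for illustration.
"""
from dataclasses import dataclass, field

LEVELS = ("Low", "Medium", "High")

# Rows: likelihood; columns: impact. Transcribed from the Section 2 matrix.
MATRIX = {
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium", "Medium": "High",   "High": "Critical"},
}

# Response required per rating, from Section 2.
RESPONSE = {
    "Critical": "immediate; operations may be suspended until mitigated",
    "High": "significant controls within 24 hours",
    "Medium": "controls within 7 days",
    "Low": "monitor with standard precautions",
}
SEVERITY = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

# Hierarchy of controls from Section 3, most effective first.
HIERARCHY = ("Eliminate", "Substitute", "Engineer", "Administrative", "PPE")
WEAK_TIERS = HIERARCHY[3:]  # people-dependent tiers: Administrative, PPE


def rate(likelihood: str, impact: str) -> str:
    """Look up the matrix rating for a likelihood/impact pair."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"levels must be one of {LEVELS}")
    return MATRIX[likelihood][impact]


def lower(level: str, steps: int) -> str:
    """Lower a level by `steps`, never below Low."""
    return LEVELS[max(LEVELS.index(level) - steps, 0)]


@dataclass
class Control:
    tier: str                 # one of HIERARCHY
    description: str
    likelihood_steps: int = 0  # constructed: levels it lowers likelihood by
    impact_steps: int = 0      # constructed: levels it lowers impact by

    def __post_init__(self):
        if self.tier not in HIERARCHY:
            raise ValueError(f"tier must be one of {HIERARCHY}")


@dataclass
class Risk:
    hazard: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)

    def inherent_rating(self) -> str:
        return rate(self.likelihood, self.impact)

    def residual_levels(self):
        """Likelihood and impact after every recorded control is applied."""
        lik, imp = self.likelihood, self.impact
        for c in self.controls:
            lik = lower(lik, c.likelihood_steps)
            imp = lower(imp, c.impact_steps)
        return lik, imp

    def residual_rating(self) -> str:
        return rate(*self.residual_levels())

    def relies_on_weak_tiers(self) -> bool:
        """True when residual risk is still Medium or above but every control
        sits in the Administrative/PPE tiers (the Section 3 caveat)."""
        if SEVERITY[self.residual_rating()] < SEVERITY["Medium"]:
            return False
        return bool(self.controls) and all(c.tier in WEAK_TIERS for c in self.controls)


def prioritise(register):
    """Rank by residual rating (then inherent) and attach the required response."""
    ranked = sorted(
        register,
        key=lambda r: (SEVERITY[r.residual_rating()], SEVERITY[r.inherent_rating()]),
        reverse=True,
    )
    return [
        (r.hazard, r.inherent_rating(), r.residual_rating(),
         RESPONSE[r.residual_rating()], r.relies_on_weak_tiers())
        for r in ranked
    ]


# Constructed sample register (hypothetical site).
REGISTER = [
    Risk("Unauthorised vehicle access via rear car park blind spot", "High", "High",
         [Control("Engineer", "CCTV coverage of rear entrance", likelihood_steps=1)]),
    Risk("Rear gate secured by an unrecorded padlock", "Medium", "High",
         [Control("Administrative", "Add gate to access register and key log",
                  likelihood_steps=1)]),
    Risk("Lone officer on night patrol without check-in", "Medium", "Medium",
         [Control("Administrative", "Hourly radio check-in", impact_steps=1)]),
]

if __name__ == "__main__":
    for row in prioritise(REGISTER):
        print(row)
```

The flag in the last column is the practical output: the padlocked rear gate is still Medium after its only control, and that control is administrative, so under the hierarchy it should be backed by an engineering or elimination measure before the register is signed off.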
Section 4 — SMART Security Objectives
All security objectives derived from a risk assessment should be SMART: Specific, Measurable, Achievable, Relevant, and Time-bound.
A SMART objective: "Install CCTV coverage of the rear car park entrance by 30 June, reducing the blind spot that currently creates a Critical Risk for unauthorised vehicle access." Vague objectives produce vague results.
- Risk assessment: identify hazards → evaluate likelihood and impact → recommend controls → review
- The risk matrix combines likelihood and impact to produce a rating from Low to Critical
- Apply controls in hierarchy: Eliminate → Substitute → Engineer → Administrative → PPE
- All security objectives must be SMART — vague objectives produce vague results
- Risk assessment is continuous — update whenever the threat or environment changes
"A client once told me they didn't need a risk assessment — they'd been operating for three years without a problem. I asked them: has a problem not occurred because your security is good, or because you've been lucky? They couldn't answer. We did the assessment. We found four critical risks that had existed for years — including a rear gate padlocked by habit that was no longer on any official access record. Luck is not a security strategy."