The Risk Onion

Over the last few weeks there have been numerous reports in the news media of ram raids of similar delinquency targeting a range of businesses, including small businesses. It got me to thinking about controls. There was one comment, in particular, from the owner of a chain of shops, with reference to ram raids. He said: “…forget about bollards [in front of shop doors], if they can’t crash through the door with a vehicle, they will take a hammer to the door instead…” [or words to that effect].

My initial reaction was a thought back to an old cyber-security lecturer I had, who suggested that there was no such thing as an infallible cyber-security mechanism. In cyber-security, just as in your own personal house, the determined burglar will find a way in – the best your security arrangements can do is to make the effort unpalatable or slow them down sufficiently for you to take action. As I thought about that, I don’t know why I was surprised, but it resonated with a general concept of risk management that I have reminded people in business of countless times. The purpose and object of controls is not to stop the risk from eventuating, but to contain it within an acceptable appetite.

In reality you wouldn’t just rely on a single control to protect your computer network or your house, but you would have layers of controls for that protection – the same is true for your business – you have layers of controls to protect against risks. In saying that, again, those controls are not designed to stop the risk from happening – you could do that, but it’s likely the controls would be extremely restrictive on your business.

You might have a username and password on your computer. That’s one layer. Perhaps you have a firewall. That’s another layer. Maybe remote access is controlled by a VPN. That’s another layer. You may operate Intrusion Protection Software. That’s another layer. For your house, you likely have locks on your doors. Perhaps you also have locks on your windows. You might have a burglar alarm. You could implement retinal scan, guard dogs, security patrols, electrified fencing and rotating invisible laser beams to detect movement or foreign bodies, but the cost of doing so – and the inconvenience – may well exceed the need for the risk – or outweighs the benefit of simply buying insurance. This is an example where there are a significant number of controls available, but our appetite to defend against the risk doesn’t extend so far as to incur that level of cost or comfort.

So, if you are facing an increase in ram raids, bollards may not stop them, but they do likely represent the first layer in your defensive controls. How far you go to implement additional layers of control depends on your appetite to defend against the robbery.


Risk Strata specialise in helping businesses understand their risk profile and implementing processes, controls and frameworks to effectively manage those risks so that you can make informed decisions to keep your business safe and healthy. We can tailor a package of services to meet your needs from basic profiling right through to the design and implementation of control frameworks, reporting metrics and appetites and training for yourself and staff. If you want to understand your business better, “let’s talk”.