The most common and unfortunate state of mind people adopt is that protection is the responsibility of someone else. You can personally exert an extraordinary amount of influence over your own safety and security by controlling your actions. Adopting the mindset that your personal safety and security is up to you is the first step in improving your chances. The next step is learning how to evaluate risk, and implement actions and controls to maintain and advantage in any environment. The first step is analyzing risk.
Finding the “right” risk metrics
In the evaluation of risk, the first and most critical step is to choosing a quality data set. The greatest gift the Internet has given us is a vast supply of information on demand. Unfortunately, much of it consists of un-researched opinion, or worse pure fabrication. When evaluating personal security risk, you have to select, vetted, relevant and appropriate sources of information or you will undoubtedly end up protecting your self against the wrong threats. The Department of State, CIA World Fact Book, UN Office on Drugs on Crime, World Health Organization and the Economic Intelligence unit are great places to start. Alternatively, there a number of professional reports that you can purchase on any city or area to which you may want to travel. Basing risk decisions on what you are fed by the media, Hollywood or that scholarly journal Wikipedia is unlikely to result in productive and useful plans to mitigate that risk!
This should not simply be a physical risk evaluation and it should include risks that could impact the success of your reason for travelling. You are choosing to expose your self to risk for a purpose, and if you don’t accomplish that purpose, you should choose not to take the risk in the first place. If you are travelling to Sierra Leone to import natural resources, anything that will prevent you from obtaining or importing resources is a risk. If you do not account for those risks, you may have a physically safe trip that results in you very adeptly undertaking a risky evolution for no productive reason. Culture, infrastructure, opportunity and preparation all play into it.
Once you have selected appropriate sources of information, you are ready to start dealing with the process of determining what to do with it. Analysis is simply a process of systematic evaluation of information. Ultimately, the real goal is to develop a consistent approach to evaluating the information you collect. The first step is to make a determination of what is likely to happen. This is a fairly exhaustive list of what may happen. It consists of the things that are likely to impact traveller to that country and have almost nothing to do with your personal ability, plans or circumstances.
Then next step is to look at the catastrophic impacts that could occur (Death, Permanent Injury, Loss of the deal, etc…). Remember, base these on your data set, not on your personal circumstances at this point. I then combine theses two lists into a set of potential occurrences. Here is the most important step in the process. Cross anything off the list that is completely beyond your control, leaving only the things that you can influence. If someone else with more money, more physical ability, or language skills you do not posses could influence those factors that is irrelevant to your risk evaluation. If you don’t have the skills, money or time to influence the potential occurrences, don’t spend time trying. We want a comprehensive list of things that are likely to occur in the area to which we are travelling.
We can now start to assign a probability and severity rankings to the list. A cold is pretty likely, but pretty low on the severity list. Being murdered is probably a low probability side, but at the top of the severity list. I rank severity in the same manner as we rank the scale of injury. 0 is no impact or no injury. 1 is minor injury with little to long-term impact. 2 are serious but recoverable injury, or serious but recoverable impact. 3 are permanent injures, or permanent unrecoverable impacts. 4 are death or catastrophic impacts. This is a somewhat arbitrary scale in that you simply have to lump it in to one of four categories.
Next we look at the probability of occurrence. Once again we place them into one of five buckets labeled A – E. E is improbable, or a freak occurrence. D is unlikely, or something that may happen once in a blue moon. C is moderate, meaning it might happen. B is likely, or something that will more likely happen then not. A is something that you would be pleasantly surprised if it did not occur.
In evaluating our list, we can now cross off everything we have labeled as a 0 or E. If the impact is 0, we are not going to waste time trying to mitigate the risk. If the probability is so low that it falls into the freak occurrence category, we will not spend time trying to reduce it even further. These is the list of things that are likely to happen, and against which we are going to apply time effort and resources to minimizing the impact or the probability that they will occur.
Minimize Probability Risk
The first thing I want to focus on is minimizing the probability. Not having an event occur is always preferable to minimizing the damage it may cause. We can minimize probability by our actions. There is an extensive list of these skills and good habits written out in Preventative Defense. Examples are locking your car doors, inspecting the tires on your rental vehicles, avoiding bad neighborhoods and making a conscious effort to blend in. Anything you can do to minimize the probability is an action.
Minimizing Severity Risk
The next step is focused on minimizing the impact of negative events if our attempts to avoid them fail. Examples are things like wearing a seat belt, carrying some simple trauma management equipment, and learning to ask for help in the local language. Anything you can do to reduce the severity or impact of the event called a control.
As I look at my list of things that are likely to happen, I write our actions and controls that will influence the probability or severity of the event. Every action and control (or risk mitigation tactic) has a cost and an effort level associated with it. The key to actions and controls is that they have to be affordable. If you develop a phenomenal plan to mitigate risk to nearly zero, but it costs a trillion dollars to implement, you may as well rely on a wish from a magic genie. They have to be practical. If you plan is so detailed that it requires 16 hours of your day to execute, you have no time left to accomplish your goal so you may as well not go. Lastly, you have to come up with actions and controls that you will actually do!
After I have listed my actions and controls, I evaluate my list of potential occurrences again and assign a new probability and severity based on the implementation of my actions and controls. Ideally, we are able to reduce both, but the reality is that we are far more adept at developing controls then we are at reducing probability so do not fall into the trap of reducing a probability rating based on a good control. In other words, wearing a bulletproof vest is great control if you are dealing with a risk of being shot. Putting on the vest does not reduce the probability of being shot by one bit.
I now look at my risk matrix again. I am looking for things that fall in likely or catastrophic category. Ideally there is nothing on the list that falls into the 1A category after our actions and controls have been implemented. If there is, then you need to apply more resources to mitigation (Usually money and time), or you need to reevaluate the purpose of your trip.
If we have developed effective actions and controls, things with a severity rating of A should have low probabilities and things with high probabilities should have low severity rating. If we have anything left on our list that does not fit that profile, we need to reconsider our actions and controls to determine is something more can be done.
Putting risk analysis and mitigation plans in action
Some risks are inherent in our work and our lives, and we have to accept them in order to be effective. The concept that we can or should mitigate risk to zero is costly, inefficient and ultimately impractical. Since there are some risks that I must accept, those with moderate or likely occurrence ratings and moderate or severe consequences will result in the development of an emergency action plan. The emergency action plan will be discussed in the next article, but it consist of identifying threat indicators and appropriate responses to break the cycle of violence or injury before it impacts us.
This can at first be an exhaustive process, however, a little practice goes a long ways. The more you do it, the more it becomes second nature. The key piece is to find actions and controls that are practical, executable and that you make the time and effort to actually do. Writing a plan that keeps you away from the local opium den is great, actually staying away from the opium den is what makes you safer.
Plan, Travel Safer and have more fun!
First Published at Aegis Academy
– Patrick Henry
Patrick Henry received his operational training and experience from the U. S. Government, 22 years of which were spent in the Marine Corps where he served in the Reconnaissance, Infantry and Intelligence fields. During his active service, he spent more then seven years deployed overseas in combat, operational and training assignments. After the military, Pat worked as a contractor and as the Director of Operations at a private paramilitary company, specializing in training special operations forces and providing protective services to select private clients. His education consists of an MBA from the University of Southern California (USC), and a BS from San Diego State University with an emphasis in Biochemistry, Cell and Molecular Biology and a minor in Psychology. He holds an extensive list of security and training related certifications from a variety of government and nationally recognized entities. He currently sits on the advisory committee at USC’s Master of Veterans Business Program, and is an active member of Infraguard and the American Society of Industrial Security (ASIS). He has been a guest speaker at ASIS, the San Diego Industrial Security Awareness Council and other private organizations on physical security, travel security, and competitive intelligence collection counter-measures.