Hey, good day, ladies and gentlemen, wherever you are in the world welcome. We're going to crack on with lesson four threat assessment. Part One. As I've said previously, this is broken up into two because there's just lots of it. And there's lots of it because there's lots of threats out there. This is very important.

Core reading, but it's very important that you understand the concept of a threat. We've gone through the definitions. We've gone through definitions of words, threat, Hazard, what safety what is security, so read back over those as well. But what we're also going to do is sort of break it down a little bit as to what the specifics of a threat and you've got to apply what those threats are in relation to whatever organization or company or even if you're a home relates to you. So just reviewing some of the bits of look some of the definitions some new ones threat assessment, this is determines the impact of a threat. I've used this term a bit.

And it's pretty much you looking at what's the threat, what's out there. What's potentially a threat and how it how it interacts with your organization, the vulnerabilities of your organization and maybe something just like traveling the travels a lot on bad roads. And, and it also includes a process of all that identification the vulnerabilities where it is on the grander scheme as far as being a threat to your company or organization. So determine the impact threat threat may have on project personnel Business continuity and reputation. And as it says that was usually a process or report. Some for some clients threat assessments I've written can be 24 or 30 pages long.

It goes into a lot of detail because there's lots of threats out there generally. And you'll will see those threat indicators are clues that lead you to believe a threat may be present. And it may be something as obvious as a notice from the US Embassy saying there's an increasing threat on hotels in your city from terrorism. Well, that's pretty self explanatory. The harder ones are built up paying crime levels around your offices that are affecting staff safety as they leave work in the evenings. It's hard to sometimes pick up so that's why you have that communication with staff, the more concerned they get, the more they should report that to you because you can't see everything.

It's impossible and you're You may get a lot of these indicators online, maybe you may speak to other NGOs or other businesses out there have a forum I, I'm on lots of forums where I constantly talk about things all around the world that are worse the security at airports, mood demonstrations, so all those can be little in like a jigsaw, little parts of that jigsaw that that allow you to make an assessment. critically think the process through make the assessment say all right things again, a little bit worse here or things again, a little bit worse on the roads between A and B when we travel every week, so we have to be a bit more careful. Examples there are large anti government demonstrations, smelling on electrical odors, that could be that your electrical heater, the wires are wearing out or the wires been sitting in front the heater and there's a there's a high threat of fire.

So just picking up on those, but also encouraging your staff to pick up on those things, not just ignore them not just sleep through the day and not smell the electrical odors. But to tell you about it. And are they you know, is the is the compound you're working from being watched. It could be terrorism surveillance as they plan the next attack. So threat indicators now varied and it takes quite a bit of skill and experience to be able to pick up on them and then to say, right, let's do something about it. direct threat is when your organization is directly threat that threatened by criminal activity.

They know you're a Western organization. So you've got lots of laptops and lots of money potentially in the safe. You've got lots of well paid staff. So terrorism, that can be another They are directly targeting you for attack because you're a Western organization or demonstrators because you're an oil and gas organization, or kidnapping, because they want to make a statement. You know, wide variety of reasons why you may be directly threatened an indirect threat is when you're in the wrong place at the wrong time, or it's a natural disaster. An earthquake doesn't care if you're American, or you come from the Middle East, you're Pakistani, you're Indonesian, it doesn't care does it?

So it's an indirect threats not targeted against you, your staff, your organization, and it's just, you're there and that's where the natural disasters and that's gonna affect every other person in the neighborhood. Who around them treat crime just walk in the wrong place wrong time. Back snaps laptop taken, mobile phone taken out of the hands of the staff and electronic electrical short circuit causes an office fire, maybe on the floor, three floors down. It's an indirect threat. The the challenge we're living in, we're sorry, working in office blocks, and also living in accommodations or flats or places like that is you might have the best security in the world. But it also relies on the security of all the other people around you.

If your security is tip top, and keeps all the criminals away, and all the threats of terrorism, if there's a fire three floors down, it's still a major risk to you. And it's an indirect threat, but something that you have to consider how you're going to minimize. And one way to minimize it may be just to establish more communications with the people around you, and to maybe have monthly meetings so that you can encourage them to improve their safety and security on mind. Another indirect threat. Obviously you don't be drove driving over them, they're not directed at you. It's not an ad, and someone's nearby, pressing a button that attacks your particular vehicles.

It's just out there and the first first thing that come along is going to hit it and detonate it. So there's the there's a definite difference between direct and indirect threats. And that has to be taken as part of your overall threat assessment. So how do we break down the threats? The threats, remember range from road traffic accidents to terrorism, and we want to give them a level. We want to be able to demonstrate to people when maybe when we put reports out or put security messages out, that this is a low threat, or it's a high threat.

And here's what explains often they're color coded often a given number so you'll see level one, low threat green so often on reports You see a little box that says low threat. And it's called Green, essentially stable green or blue, sometimes free and political, economic. And there's the definition of a low threat. And there's some recommended actions that you take below it. And then says at the bottom revises security policies at least once a year. So you will live in in Iceland, maybe something like that, where there's low crime levels, not so much natural disaster, no conflict, no, no historic terrorism.

Nothing really is going to affect us. So road traffic accidents is probably a biggie because although their vehicles are safe, the roads are good. The driving conditions are very good. The drivers are good. There's always the chance of road traffic accident. So overall, Iceland would be green and the threat of terrorists terrorism will be low as well as an example So medium threat level, usually yellow.

So your grades of colors start to project immediacy or urgency, largely stable, but there's a few little areas that a few threats, maybe higher crime, maybe more civil unrest or a combination of the two. That That means you have to have some additional security measures. And they're down there, evaluate next size emergency action plan twice a year if you have one or Incident Response Plan. And that's sort of country US, UK. And this is all and we're going to go through how you measure what the country is why the country is medium, it's usually an average of all the threats added up high, low, medium, high, low, high, high, high, averaged out. comes up with a two or a one or a three or a 3.5.

As far as country levels goes, and this will vary from company, and the way you look at things will vary from security manager, security manager, other ways to do it or sign up for and pay for services like controllers, who do all this for you. And that's a good way it gives you the whole world perspective. Various threat levels in countries because countries will be medium in most parts, but the northern borders when they bought us some other place will be high or extreme. So that that's one way of doing it. You do it yourself and you're already interested in your country, or even just component parts of that country, depending on your profile, your business profile, but this goes through the whole lot. So medium can be the US.

Lots of African countries are made But they do have higher levels sort of on the border somewhere with other countries that aren't quite so stable. High threat level level three, and are in so you get more urgent because obviously, we're working our way up to red, which is red for danger, largely unstable. So if you have travelers to these sort of areas, it's largely stable, you're gonna have to plan more, think more strategically about what could happen to them. And it says evaluate next size, your emergency exit plan four times a year at the minimum and says, revise your security security policies at least twice a year. Maybe more than that, again, depends how kinetic all this activity is. And that gives you some recommendations on what to do provide high risk awareness training, and these are just general outlines.

Some of those things may fit in Your office some of them may not. Moving on to four level four, very high as it says they're sometimes called extreme normally read if you're going to have a color code to it areas which are highly unstable so you're talking about your serious your Afghanistan's your wrecks, Yemen. Libya, for instance are good examples. And so recommended actions include those at level three, but also all the others below so your your There's your baseline standards for what security measures you need in place and you probably need a whole lot more. Some organizations for extreme countries for instance, may just bar travel to those totally. Or they may say we need armored vehicles for our staff to do any movement to be picked up by the air but that depends a whole lot on your profile.

While your companies your organization's profiles, too, as to what you can build in, and obviously the budget or the budget. But this is an example of an extreme very high threat level, and how you would mitigate, provide some of the mitigation measures. So, what is the threat assessment? How do I assess all these threats? And there's lots of moving parts. So you tend to start with a list of threats, as you've seen on the introduction.

And then you move around in priority, which is most likely, and how do you do that? Where do you get the information from? Do you start with your own intuition, which is and could be slightly biased in some areas. So do you use some more Formal background reading such as Department of State, some open source threat assessments, the foreign Commonwealth Office threat assessments from the UK to give you more of a baseline standard about what the threats are in your areas of interest. Or do you just use local not? so tight assessment is both process important.

We said it should be cyclical, which means you don't just do one and you're stuck. You do one and then you're doing the next one. And then you're doing the next one, because they always change. Circumstances always change around the world. Crime levels go up, and they go down, terrorism levels go up and they go down. road traffic accidents usually stays consistently high and usually gets worse because there's more traffic on the roads.

And drivers just seem to be getting crazier. So you're you're always constantly reviewing it. There may be a Adding 24 threats, you're just going to daily review the top five practices so you have to have to manage it best fit your daily routine. So as a rule of thumb, I tend to remake it recommends are a very high extreme countries, you should be dating your threat assessments almost daily because things happen almost daily. And the threats usually critical usually very, very important. Something is likely to happen on a day to day basis and when it happens is something big.

So it bombs its bullets. It's large demonstrations, aggressive police response, aggressive corruption on the streets, criminals knocking on the door demanding money or they're going to burn your place that high countries high level countries recommend the sort of weekly review so maybe Monday morning you get up and say what's changed The papers are important changes in criminal trends. They're doing they're becoming more violent. Okay, well, we need to do something about that maybe, maybe street crime goes up a couple of steps on your on your prioritized list. Medium, maybe every six months. So six weeks and says moderate there.

Sometimes we I've shown you a one to four threat rating, but sometimes organizations like a one to five, so they have low, moderate, medium, high, very high or also called extreme, and that's why it moderates thrown in there. And maybe every six weeks again that that that will vary. And sometimes a year there may be more demonstrations. Like I said before, there may be worse weather in monsoon so you may have to assess the threats in certain times of the year, a bit more often than you would notice. Low, potentially yearly, if there's hardly any crime, no terrorism, no threats of natural disaster, then really a yearly review should do it. But of course, if those circumstances change, and things speed up, there's more crime for some reason, then you would speed up that review, maybe do it twice a year, we do it monthly.

And we do it once every quarter. It's going to be up to you. But it's important that you do keep doing it and keep reviewing it. Oh, lots of writing on this one. So a threat assessment needs. Not going to read out every word because you have it in front of you and you also have in the handout.

So needs process. You need a report and your read context. So your process is how you get all the information together and how you analyze that information. How you identify the threats. You know, once you've identified the threats, that list may stay pretty solid. That may be something added on to maybe something you take off is not really a valid threat anymore.

But usually there'll be a list of 2024 things that are likely at some point to happen. So you've identified what the threats are. You have to consider measuring the threats then. So you give each one one of your one to five, one to four. Threat levels. Road Traffic, always, always, always extreme risk.

Even in the US, even in the EU. Even in Afghanistan, there's more deaths on the roads than there is from terrorism. So that would be a bright red extreme threat. Road Traffic, health usually comes Fire usually comes, you know, maybe the fire comes before health depends on where you are and your circumstances. And then you there's a lot more others, some of which you're not going to be interested in. You may not be interested in the corruption for instance, because it doesn't really affect you.

So, you know, put it down as a low put it to the bottom of the list. So you measure it. And then once you've measured each and every separate threat, then you put it in the top priorities are the extreme, very high once your reds are at the top of the list, followed by the oranges, followed by the yellows, followed by the greens, and really your that gives you a prioritized list where you can focus your security measures. So your immediate ones will be road traffic accidents, your house, your fires, anything that's red you've assessed as being red. There's been extreme threats of the ones you found. On first, once you've done that, then is down to the oranges and the yellows.

And eventually, if you ever have time, you'll be down to the lows which may or may not take up a whole lot of time. But that's your cycle. Identify, measure, prioritize, and that's your process, then that you want to put into report I found the easiest way of doing it is just having a table. The table would be all the threats. In the colors on the left hand column on the right hand column will be a brief explanation as to why it's there were traffic accidents, because you read a report from Zack saying that road traffic accidents are up 22% from last year as an example. So you'd have two columns that would give you prioritize ation your measurements and also a brief line for your bosses, whoever the reports going to go to, and when you ask for additional security measures or additional training time for staff, so you can justify your your good efforts.

And that is part of the process. That report may go out once every two years. So once every year, once every six months, again, it depends on what your boss is one independent, but that sells your analysis, your knowledge, your understanding of the threats to your bosses, who will obviously manage control your budget, strategy strategic level, then you have put it into context, which is why the use of that second column and how does that threat work in the capital city where your offices and how does it impact on your smaller outlying offices Maybe that you have a threat assessment for your office, your main office in the capital city and maybe that you do a threat assessment for your smaller offices elsewhere, or whoever's the office manager, you ask them for their, their analysis as well. So you have separate threat assessments may may be that you have a threat assessment for the road from the capital city to your office location, because it's not going to be anywhere near the same as threat assessment and in the capital.

So you have you can have different breakdowns. Then you've got it. Party report. You also need to explain in the report, what is meant by the threat levels. So going back to what we've just talked about these you will have a little box with the various threat levels low, medium, high, very high boxes, numbers. And then on the right hand column, you would have a brief explanation like it says there areas which are highly unstable personnel face multiple continuous threats likely directly impact on their well being.

And that's a key to what you mean by on the report. low, medium, high extreme. So you can, as I said, they go for a table or spreadsheet format, so it's easy to manage them and maintain this is the bit I'm reading out here. Make it easy for yourself. So that in six months time when you have to review it, or in two weeks time when you have to review it and update it. You've got most of your stuff now.

I've read through it says contacts. There's lots of language to it. And but you could have context regarding terrorist incidents. For instance, you could bring In your knowledge experience, like okay, it serves a levels a low at the moment, but it was only a few years ago when they attacked the shopping mall. And Al Shabaab will be very, very keen to do it. Again, it's just a matter of time.

So that's context as well, which you could, you could put in the comments, column related terrorist action. That's why it's maybe higher up than the bosses think it should be. Your knowledge is better in this area than this. And this is where you're justifying it. So you need some internal context as well. I mentioned about travel from A to B.

If your organization has travel, if your organization only stays in the city, I've worked for organizations that will only work in the capital city for that safety. There is you need to build in that context. So what's you have to look at things like what's your what's the mission of the business Is it just to stand a capital city or an office, people come to you, and the threat levels are different, and threats are different. Whereas if you're a humanitarian organization and you're going into Syria, then obviously the threats are a lot more different. You're not really interested in the corruption stuff. It's more of the bombs, the bullets, the likelihood of dying, the road traffic accident, still the health and all the infrastructure problems, so they're going to be there.

That's going to be your focus. So what time PR programs products do you provide something of criminal interest is out there I use selling stuff that some people really hate. So there's a chance there's going to be violence against your stuff, or some people really distrust so you have to you have to bring in this, this context. And if there's lots of travel in on bad roads, or even air travel On, if the airlines then you have to bring that in cultural, make sure your natural staff can be important of see some stuff, you'd be more welcome in some areas and not so much in other areas, you have to take that into account. That has to be a policy if if some staff do not want to go into certain areas because they will get killed, then that's an obvious policy, our staff will not go into areas where they will get killed.

So you have to have different staff who work in different areas. And that's that's common. And the context so does your office promote a culture that encourages safety and security. It's got to be a cohesive, systematic process that your staff are involved, that your bosses are involved. You if you're the only seller for safety and security, you're gonna hide into nothing because potentially your bosses or your your colleagues may not factor in Safety and Security into budgets for new projects. So your your, you have nothing to work on.

If there's no budget, then it's just totally up to you to remind staff all the time. And that's like a parent telling their kid not to do something, you have to have some sort of backup at the end of the day. Whether it's GPS tracking to slow down drivers, if they're constantly speeding, and it comes up in the report that you get, you tell them, tell them again, if they're ignoring you, then you fire them or you get them fired. You have to have that backup. We've done a budget for GPS tracking, you're going to think of different ways to do it. So it depends on the culture of safety and security.

So you need it promoted from the top you need to include it in your budgets for project planning. And then you've got a better opportunity of getting ahead of the game. So we're halfway through Section four, there's a lot of text to read. So that's why I want to get a lot of this threat stuff out the way before we actually look at the threats. There's lots of background stuff, it is quite complex. It does take a little bit of getting used to, to understand what the threats are.

I appreciate some of you will be looking at this in a totally different way that I do. So I'm just I'm just demonstrating the way that I look at the issues and I look at the problems, a lot of experience worldwide and working for various organizations. So that's why my present context and the way I viewed threats are the way they are you may have a totally different way. But this is the baseline sort of standard. Take what I've what I teach you is regarding the threats, disregard what you need to disregard us the stuff you think's of value and apply that to your business or organization. As always, I appreciate your time.

Thanks very much for listening. We've got Section B of section two of this coming up. So you're getting some more value for your money, and I have to do more talking so I have to drink some more water. Thanks a lot. Bye