Julian Talbot — Director, Risk Management Institution of Australia — Technical and Plenary Sessions
Bio (From the SARMA Conference Agenda)
Julian Talbot is a senior consultant with Jakeman Business Solutions and a Certified Protection Professional (CPP). He holds a Master of Risk Management, was the lead author of the Security Risk Management Body of Knowledge (SRMBOK), directs the RMIA, and is the Assistant Regional Vice President with ASIS International and a Research Associate with the Australian Homeland Security Research Centre.
Tech Session Abstract (SARMA Agenda)
This presentation will discuss the business case for investment in security. In particular, it will highlight some of the best practice methods from a variety of disciplines that security risk management (SRM) professionals can use to measure and improve the effectiveness of SRM as a profit driver for large and medium enterprises.
Managing the Unexpected
According to Mr. Talbot, the number one problem facing enterprises when it comes to SRM is that we manage risk in the limbic (emotional) center of the brain. Some enterprises don't take enough risk, while others take too much risk without realizing it. Still others over-mitigate, driving risk lower than it needs to be. His solution is that we start using both the limbic and neocortex areas of the brain. He listed five benefits this brings to the table:
- One, know the business benefits.
- Two, assess the maturity level.
- Three, collaborate.
- Four, understand barriers, build guidelines, and implement.
- Five, become better traders.
The underlying problem is that managers lack structured cost/benefit methods to evaluate and compare alternative security solutions. In Australia, they are taking steps toward mitigating this issue.
Cost Effectiveness
The goal is to provide the necessary financial projections, business metrics, and assessment of contingencies and risk to support or reject business decisions. Based on information in the SRMBOK, he gave us eight simple business-case steps:
- What is the problem?
- Why?
- What causes the problem?
- What are the fixes?
- What is the best fix?
- Why?
- What do we recommend for implementation?
- What questions should we consider?
Plenary Abstract (SARMA Agenda)
Antipodean isolation may explain a lot of things – including a tendency to do things somewhat differently…it may, for example, explain why Australia went its own way and developed the first version of the AS/NZS 4360 Risk Management Standard in 1994. Since then, it has been revised twice, been the basis for a series of risk management handbooks (including HB167 Security RM) and is currently being evolved into the ISO 31000 Risk Management Standard (due out in March 2009), with an Australian selected to chair the 83-nation International Standards Association Committee developing it. The 'land down under' is also heavily involved in security and risk management through South East Asia, and much of the work in this area reflects a multi-cultural blend of Asian, US, European, and other international frameworks. One of these, the recently released SRMBOK – developed by over 80 international SMEs – is an example of government agencies and the private sector working together to contribute to an integrated body of knowledge for the security profession.
Introduction to Australian Style
In Australia, all security manuals are based on AS/NZS 4360 and the framework laid out in that standard. ISO 31000 is being created out of the need for a common lexicon built on the terms Risk, Threat, Hazard, and Source. Drawing on these two guidelines, Mr. Talbot began writing the SRMBOK in May 2006. He said that, basically over dinner, he and a few colleagues came up with the idea that security professionals needed a guide. The key players that made this guide happen were the RMIA, Jakeman Business Solutions, the Department of the Prime Minister and Cabinet, and over 81 SMEs. Their objectives were to create a universal translator, to organize gap analysis, and to make a guide that applies to everybody.
Human Factors
Mr. Talbot pointed out that 90% of risk comes from human factors (HFACS). These include inappropriate acts, pre-conditions, oversight, and organizational influences. He applies the Swiss cheese model to this problem: you can never close all the holes in any one layer, but with enough layers the big problems are kept out. Let's think about this with an example. Say you leave your front door open on a hot day. You run the risk of someone barging in, but is that worth the nice breeze you get? This is a very mild form of risk analysis, but it shows us the basis of Mr. Talbot's thought process.
In Retrospect
Julian Talbot was a great guy. He took the time to speak with Matt Maisel and Caroline Furey, and really seemed to care about what SARMA was doing as a whole. He served as proof of what SARMA has set out to do: create common lexicons and make the security profession more compatible across the public and private sectors. I think that the US should look to Australia and what they have done to help move us in the same direction.



Hi Russell,
I thought you might like to know about this new Standard…
http://infostore.saiglobal.com/store/getpage.aspx?path=/publishing/shop/promotions/ISO_31000:2009_Risk_Management_Principles_and_guidelines.htm
The International Organization for Standardization (ISO) has developed, for the first time, an invaluable Standard for the effective management of organizational risk – ISO 31000:2009. It is applicable across all industries to any entity implementing organizational objectives which may involve uncertain outcomes.
ISO 31000:2009 gives practical advice on how your organization can develop, implement and improve the way it manages risk. The Standard focuses attention on tackling organizational risk, by identifying and treating both external and internal influences and factors that give rise to that risk. It includes:
* How to integrate and embed risk management
* Principles to more effectively manage risk
* How to improve your current framework and processes
Regards,
______________________
Simon Berglund
Director, Sales and Marketing
Information Services (Asia Pacific)
SAI Global
Phone: +61 (0) 2 8206 6855
Be alerted immediately when Standards change; Manage and understand their relevance; Subscribe to StandardsWatch
http://www.saiglobal.com/sw