‘Physical Security – Risk, Technology and Captive Insurance’ with Lee Oughton

Lee Oughton (LO) is a Certified Security Management Professional – CSMP, COO and co-business owner/founder of Fortress Risk Management, Arsh Seguridad Privada, Legent Seguridad Privada, Legent Risk Management LLC and The Kindness Games LLC. All of which sit within the FORTRESS Group.

Lee’s career spans decades of international security and risk management. He has worked extensively within corporate and high-risk environments, particularly within the Middle East, UK & Europe, United States, ASIA PAC & LATAM.

Today Lee joins Human Risks (HR) from the Global Security Exchange (GSX) conference in Florida, USA to discuss ‘Physical Security – Risk, Technology and Captive Insurance’. 

Find out more and join the conversation at GSX here.

Lee Oughton - Interview for Human Risks

Physical Security – Risk, Technology and Captive Insurance’ with Lee Oughton

  1. HR: Regarding commercial real estate – in your opinion, what are the top three factors Security Risk Managers should consider when building crisis strategies for their physical assets?

    LO: Great question and a wonderful place to start this conversation. Security Risk Managers have now become a very important facet within the business resilience and business continuity of the enterprise. In my opinion, CSO´s and security risk managers, are now being recognized and afforded a seat at the risk committee table. This is extremely important, to ensure that the enterprise can get out ahead or in front of any potential threats, risks and vulnerabilities that could be detrimental to the organization as a whole and its brand integrity. In terms of my opinion towards ‘what are the top three factors Security Risk Managers should consider when building crisis strategies for their physical assets?’ (a) For me, it’s very simple and a focus should be applied upon the associated consequences, on the inherent risks related to the enterprise and its operations. (b) Then we must evaluate the security design of the building and the security postures that have been implemented. Such factors as security programs, human measures, architectural measures, procedural measures and equipment measures must all be looked at and understand before your strategies can be designed and implemented. (c) I believe a lot of times security risk managers often overlook and misinterpret the current security culture, and risk appetite of the organization. This is a fundamental piece and really works in tandem with the tenant and customer experience. The atmospherics of an enterprise is a key component where we must always ensure that we as the risk owners are empowering all employees to work in unison with the culture, the security needs and the overarching security risk philosophy.

  2. HR: When it comes to Captive Insurance, what benefits does this have for Security Risk managers?

    LO: Captive insurance is really an excellent tool for security risk managers, whereas it gives them a foundation to work from and build upon. We are always able to compartmentalize into three key areas: protecting the business, helping with tax deductibles, and allowing commercial real estate to build wealth. Focusing on all of the above allows the security risk managers to work closely with other key stakeholders adding commensurate value through the organization, the values and the overall infrastructure integrity.

  3. HR: How can a Security Risk Manager help their organization select a facility, or a piece of commercial real estate, which would best suit the operational requirements of that company?

    LO: The Security Risk Manager should be inserted into a project from the offset, this would then allow that practitioner the opportunity to evaluate the suitability of shortlisted properties for the organization to occupy. There are a lot of dynamics involved with building security design and associated risks. On a piece of commercial real estate, we must focus upon the Design Basis Threat (DBT) this process allows the security risk manager to evaluate, the potential adverse scenarios, examined in detail, that form the basis of countermeasures solutions. The process may involve several sub-processes, such as adversary path analysis, adversary task time modelling, determination of critical detection points etc.

  4. HR: How can technology support quick lock-downs and rapid re-openings?

    LO: Technology fundamentally, if used correctly and as a key component within an interoperability program, will be extremely important and in essence acts as the checks & balance, safeguarding and a command and control function. Technology should be utilized as the first responder element, alerting the operators who are managing that risk to the actual threat that they´re about to encounter or they are currently experiencing. We must remember that all operating environments can be extremely fast-moving, so we must ensure that we are nimble and agile being proactive at all times, whilst also having the resources and skillset to action reactionary methods when needed.

  5. HR: What are your top three tips when it comes to securing physical assets?

    LO: Three tips when securing physical assets. I am going to put it into three subheadings:
    Planning – The security risk managers need to work with the architects/project managers of the real estate or potential new purchase, to advise upon what needs to be built-in, rather than maybe built on later as an afterthought. This is a robust process whereas you must consider all current and future key stakeholders. We must also be efficient in understanding the market entry points, or geographies of the operating environment. For example, is there a high level of criminality in that area?

    Start-up– When it’s a start-up then security is often overlooked, as some business owners and key stakeholders will not see the added value of the security requirements, due to high costs and a perception that they will not enable the business, whereas the key decision-makers elect to use that money elsewhere. This is often not the case and can be extremely detrimental if not implemented or treated with respect to the offset.

    Operation– This relates to the risk management and security activities that protect the operation in its day-to-day business. This must take into account all asset groups, static or mobile, including people, property, intellectual property, information, corporate know-how, reputation and brands etc. Proactive security operations are more desirable than reactive.

    All of the above will give the security risk manager a solid framework when assessing how to secure all of the physical assets.

  6. HR: What more can be done in your industry to help Risk Managers safeguard their physical assets?

    LO: The approach I always adopt and is to encourage; “the help me to help you” process & methodology. It is proven that cohesive partnerships always work, and they work best when the security function is collaborating with and in the partnership role with all facets of the organization. So rather than asking for help, allow your proactivity to nurture an organic support network from the enterprise. Showcasing your added value and willingness to help yourself, will always send a great message to all business units, thus when you need them to come to your aid they will be extremely supportive of your advice and recommendations. Security practitioners on a whole need to be better communicators, in terms of understanding what is best for the business and when they require support from the business is ensuring that they put together a comprehensive and well thought out business case.

  7. HR: How can technology support the gathering and assessment of data in relation to measuring (and mitigating) risk, when it comes to self-insurance premiums?

    LO: So, I´ll take the approach here of why using technology is important for data management. So right now the human race is creating an astronomical amount of data, and a lot of this information is readily available if you know the right places to look, and you have the appropriate technologies that mine and store this data, for individuals, governments and private corporations. As an example, your social media footprint and engagement is great data for marketers, in understanding what is the consumer interested in purchasing. Social media can also be used and is often observed by protective intelligence analysts, who are using that forum to accumulate and map out a nefarious activity and bad actors who may affect the business operations of their enterprise. When all of this information is pooled and mapped you can then build certain profiles, which will enable you and your organization to be self-aware of what are the threats, risks, vulnerabilities and associated risks that you and your business could encounter. You can do this very well, with crime statistics around your commercial real estate, this information will then enable your security risk manager to compile risk matrices and risk treatment plans to mitigate those risks to as low as reasonably practicable (ALARP).

  8. HR: What considerations should Security Risk Managers factor in when considering self-insurance as an option?

    LO: I believe that you need to look closely at the drivers of crime and then formulate your self-insurance plan based on those findings. It’s founded upon turning crime motivation into crime prevention.

  9. HR: Are there any crucial factors that you advise clients on when it comes to ensuring that human life within buildings is protected to the max?

    LO: Human Life should always be considered as the most important factor and it’s really all about having a basic protection approach as the foundation, thereafter you can always evolve and enhance this methodology. (a) Put in place baseline security measures. (b) Carry out a full security risk analysis (SRA), this must remain a live and interactive document, which is updated yearly at a minimum. (c) Study the adversary capabilities, methods, strengths etc. in more detail through the design basis threat (DBT). (d) Consider risk mitigation options. (e) Design a risk treatment plan & (f) Implement your strategy.

Thank you Lee for taking the time to share your experience and views with us.

We wish you all the best of luck with the GSX conference.

To find out more about Lee’s work click here.

Read more?

We can help you today

If you want to see what the Human Risks platform can do, for your company.  Contact us today

Contact