The Australian Government Department of Defence skip navigation links |

Minister | Navy | Army | Air Force | Department

Defending Australia and its National Interests

Intelligence and Security

Under threat or at risk?

By Neil Porter

What's the difference and does it really matter? DEFRIMS will help you decide.

Scenario:

Your Commanding Officer (CO) informs you that the Defence Strategic Security Threat Assessment has just been revised. Intelligence suggests that the threat of a terrorist attack on Australian Defence establishments has increased and, as a result, Unit and Base Commanders have been advised to review their Security Plans to ensure they can meet the requirements of an increased threat level. You are the Unit Security Officer (USO) and your CO wants advice to assist his deliberations in relation to SAFEBASE.

What advice do you give? How do you support the advice you provide? What should you consider in formulating the advice?

These or similar questions are being fielded by Defence's security practitioners on an almost daily basis. The challenge is to provide advice that enables Command/Management to make informed decisions that will ensure the protection of their people, assets and information with minimal impact on functions, activities and resources.

The Defence Risk Management (Framework) for Security - DEFRIMS - has been developed by the Defence Security Authority (DSA) to assist Commanders, Managers and security practitioners to implement Defence's security policy, which advocates the management of security using risk management principles. This is consistent with the Government's policy on security management.

DEFRIMS is based on the generic risk management process from AS/NZS43601 , but expands on this to provide a complete framework for identifying and managing security risks through the production of a formal security plan. It includes detail relating to:

  • mandatory minimum standards;
  • comparative benefit analysis of risk treatment options;
  • development of action plans to ensure that selected treatment options are implemented and monitored; and
  • a formal mechanism for sharing responsibility for a security risk that cannot be effectively managed by the risk owner.

How can DEFRIMS help a USO advise his or her CO or Manager on appropriate action?

The DEFRIMS process

A key aspect of the DEFRIMS philosophy is the need to differentiate between threats and risks. Management of security in Defence has traditionally focussed on the management of threats - those things with a propensity to cause harm. This has often resulted in either dread-based risk avoidance or risk mitigation at all costs, instead of risk management.

A common practice has been to react immediately to a threat assessment, attempting to mitigate the threats with little or no regard to either the likelihood of harm occurring or, more importantly, the type of harm that could occur. Threats will always exist, but they may not pose a risk. Risks only emerge when there is a chance that the threat will interact with something (people, building, equipment, etc.), usually at a point of vulnerability, resulting in certain consequences. In the Defence security context, those consequences are the compromise of official resources. For example, in the current security climate, Al-Qa'ida terrorists represent a threat - the risk is that an attack from such a group will result in physical harm to our people or property, or indirectly cause some other disruption.

Rather than trying to mitigate the threat, (how do you mitigate the threat of terrorism?), we need to look at the bigger picture. Where, when and how might the threat interact with our particular unit or base and, what would be the possible consequences if it did? The answers to these questions will differ, depending on the particular unit or base involved. The course of action taken in response to the threat should also depend on these answers. Would the likelihood and potential consequences of a terrorist bomb exploding at a Command Headquarters be the same as a similar occurrence at a small Reserve training depot? Responses to a threat should be based on the potential risks, otherwise we could be wasting valuable resources that could be better utilised.

DEFRIMS will enable commanders and managers to better understand the security risks faced by their individual units, establishments or work areas and ensure that resources are expended effectively and efficiently to protect their people, assets, information and activities. SAFEBASE alert levels provide a baseline level of security for particular circumstances, but these levels should be assessed in relation to the actual risks faced by an individual unit or establishment; not be simply a knee-jerk reaction to a perceived threat.

Further information on DEFRIMS can be obtained from your local DSA office or your Service Security Authority, and full details will be contained in the upcoming revision of the Defence Security Manual (DSM).

Neil Porter is Assistant Director, Security Risk Management, in the Defence Security Authority.

  1. AS/NZS4360:2004 Australian/New Zealand Standard Risk Management; Standards Australia/Standards New Zealand; 2004 |

[ top of page ]