All organisations are created as dynamic entities that are always committed to improving and enhancing productivity and quality levels, with a view to gaining competitive advantage and achieving their operational and strategic objectives. In a constantly evolving environment, it is therefore essential to adapt to changes and, when necessary, reinvent strategies, organisation and technologies. However, this push for innovation cannot exist or be effective without a conservative approach aimed at protecting what already exists and safely managing both planned and spontaneous evolution.
Over time, risk management has therefore become an essential activity for any medium-sized company or organisation. The ability to successfully operate on national and international markets depends on how effective internal decision-making processes and risk management models are (for full compliance with sector standards and regulations).
Risk assessment activities play a key role in the corporate security management process, as they are preparatory to planning and implementing mitigation and monitoring strategies.
The assessment process can be very complicated, especially in regard to security risks, as they are indicative of someone wanting to harm an individual or group. Such risks are hard to represent with statistical variables, as one has to take into account the significant influence of the human factor as both a risk component and essential evaluation process element. Therefore, there is a need to use well-structured and repeatable methodologies and techniques throughout the evaluation activity; the goal is to mitigate discretion and bias without restricting analysts’ analytical expertise.
In complex organisations, this process becomes even more problematic and demands so much energy and so many resources that evaluations very often end up incomplete and not fully legally compliant.
Security risks have been the subject of detailed international and national legislation, which has led companies to have specific responsibilities towards their people, society and the environment in which they operate. Security risk legislation is designed to set models and benchmarks to assess and manage all risks that may in some way impact working activity. In the Italian legal system there are two main general regulations having a strong impact on companies in terms of safety and health of workers: Legislative Decree no. 81 of 2008 and Legislative Decree no. 231 of 2001. At different times and in different ways, lawmakers have clearly prescribed that employers are responsible towards the persons employed by them. Regulations and case law have established that employers have an obligation to protect (duty of care). As per well-established case law, this duty applies not only to accident prevention (safety), but also to external risks that cannot be classified and identified ex ante (security).
DERM® (Dashboard for Enterprise Risk Management)
DERM is the innovative command and control platform developed by IFI Security to support organisations in assessing and managing security risks associated with assets and projects in and outside Italy, as well as complying with associated legal obligations.
Thanks to the synergy between analysis, intelligence and vulnerability assessment modules, the platform automatically generates a security risk assessment report (Documento di Valutazione dei Rischi di Security, DVR-S) for each asset of interest, pursuant to Italian Legislative Decree 81/2008. The DVR-S identifies the corrective action to take and related priorities for intervention. Specifically, the DVR-S:
- Describes company activities and the specific site or production unit under assessment;
- Provides detailed guidance to identify those formally responsible for corporate security and protection;
- Specifies the methodology and tools used for the assessments described in the report;
- Details the results of the various analysis and evaluation phases;
- Provides a plan to enhance security levels (recommended action and associated priorities for intervention).
DERM is a valuable tool for employers and security managers to engage in consistent and systematic risk management, especially in the case of medium- to high-complexity organisations and operations.