There are four stages in the development and management of a facility’s security program.
Stage 1 is the risk assessment, which focuses on the facility itself as well as the people within it. Stage 2 encompasses program design. Stage 3 concentrates on program installation and, finally, Stage 4 involves program management. However, despite all the talk about the importance of the risk assessment being the foundation for the development of a facility’s security program, it has been my experience that, relatively speaking, very few are actually done. I find this odd given that the results of the risk profile are compared against the facility’s security profile to determine whether the two are in alignment. If they are, that is great. However, it is far more likely that the security profile is below the risk profile. As such, this gap needs to be filled by personnel, hardware and/or document-based countermeasures.
The critical infrastructure world is obviously vital to a number of other facilities and operations; hence the term critical infrastructure. Pipeline monitoring stations, power generating facilities, telecommunications, refineries and various other utilities have the potential to suffer deliberate attacks and just as importantly, accidents and weather-related events. When critical infrastructures experience adverse events, there is typically a downstream effect where other facilities and operations are in turn impacted. This is why it is so important for a proper security program to be established and managed.
Perhaps one of the more important aspects to be considered is to ensure the ongoing operations of the facility. Many of these facilities operate 24 hours a day, every day. As such, it can be difficult to implement both updated and new equipment. It can also be a challenge to conduct tests and drills as people may not be able to leave monitoring stations except in the most dire of circumstances. Upgrading existing security and life safety equipment needs to take into consideration getting the most service out of equipment, yet planning for and replacing it before it fails, all the while continuing on with regular operations. These facts are all directly relevant to the four stages of security management and why risk assessments are often not completed.
How Often are Risk Assessments Completed?
First, speaking as both an educator and a consultant, I have asked many people, both students and peers, how often they have conducted a risk assessment. The number of people stating that they have completed such an assessment can be counted on the fingers of one hand. As a consultant, from one perspective it is not surprising that clients have not conducted risk assessments, as this is often what I am hired to do. However, as part of my process, I always ask for previous risk assessments. Again, I can count on one hand the organizations that have completed risk assessments.
One must ask, why the reluctance to complete said risk assessments? Is it the lack of risk assessment tools available? Is it the lack of knowledge required to complete an assessment? Is it an intimidation issue where people don’t feel confident in conducting an assessment? Is it a lack of understanding of the value of completing a risk assessment? Is it all of the above, some or none of the above? I will address each of these issues moving forward.
Regarding the availability of assessment tools, there are software programs, standards and guidelines available to assist those interested in conducting risk assessments. I will admit my challenge with some software programs is the lack of transparency when it comes to explaining risk result outcomes. Over the years, when salespeople have tried selling me on their software, I have asked what decision-making mechanism is in place to justify any particular outcome. Granted, this was years ago, but I have never had anyone be able to explain to me how a particular risk is ranked the way it is. The last person I talked to could not even tell me whether the software program was qualitatively or quantitatively based. Another could not tell me the difference between a threat and a risk. The software is there, and there is no shortage of standards and guidelines available to the assessor in conducting risk assessments. A simple Google search reveals many methodologies. Therefore, the problem is not a lack of available tools.
The knowledge required to complete an assessment is readily available. As identified in the previous paragraph, because there are many methodologies available, it is simply a matter of completing each step in the process. For those who have never completed a risk assessment, it may sound intimidating, but the most important things required are the time and the desire to complete the assessment. The first assessment does not need to be perfect. I have conducted dozens and dozens of risk assessments. I constantly fine-tune the process and, while my first risk assessment was a bit rough, it still provided tremendous value to my employer at the time. It also took several weeks, as I was working on several other projects at the time, but assessments get easier to do every time and can be completed in ever-decreasing time frames.
Some people may feel intimidated by the process. Large facilities in fact do require a fair amount of work. However, it must be remembered that the scope of the risk assessment must be kept under control. It is easy to be sidetracked through scope creep when evaluating any facility if the assessor thinks that each and every asset must be considered. Therefore, the scope of the risk assessment must be clearly defined. If a large facility is to be assessed, then the overall risks to the facility as a whole must be considered, not the risks to every specific asset. Alternatively, it may be necessary to break the assessment up into smaller, more manageable components such as mechanical areas, parking, perimeter, key facility areas, etc. Again, the most important elements required to complete such an assessment are time and a desire to complete the assessment.
Not understanding the value of the risk assessment, I suspect, is based on a lack of overall security management knowledge. Unfortunately, the security industry is an unregulated industry. This means there are many people who have never had any proper training in how to be a proper security practitioner. Considering that the risk assessment is the foundation for both developing and maintaining a proper security program, not conducting a proper risk assessment is tantamount to negligence. Regarding security being an unregulated industry, I find it interesting that in many jurisdictions there is a focus on creating mandatory training for security guards, yet their bosses and their bosses’ bosses are in no way required to have any training on any aspect of security management. At any given time, only about 10 percent of ASIS International members are certified in that organization’s professional designations. So how is the lack of formal training tied to the infrequency of completed risk assessments? The value of the risk assessment and how it is to be conducted is discussed in great detail in numerous security programs. If a security practitioner does not have exposure to the security body of knowledge, how will they learn to be a proper security practitioner? Simple word of mouth or on-the-job training is usually inadequate for passing on the detailed and appropriate knowledge necessary for a security practitioner to be successful.
None of the reasons I have provided are acceptable explanations for not completing risk assessments. They all can be easily overcome. Risk assessments are absolutely necessary to the success of an organization’s security program. With a bit of practice, they can be completed on a regular basis, thereby increasing the protection of the assets in question.