Why are So Few Facility Risk Assessments Completed?

By |2019-09-13T18:06:56+00:00September 13th, 2019|0 Comments

There are four stages in the development and management of a facility’s security program. 

Stage 1 is the risk assessment, which focuses on the facility itself as well as the people within it. Stage 2 encompasses program design. Stage 3 concentrates on program installation and, finally, Stage 4 involves program management. However, despite all the talk about the importance of the risk assessments being the foundation for the development of a facility’s security program, it has been my experience that relatively speaking, very few are actually done. I find this odd given that the results of the risk profile are compared against the facility’s security profile to determine if the two are in alignment. If they are, that is great. However, it is far more likely that the security profile is below the risk profile. As such, this gap needs to be filled by personnel, hardware and/or document-based countermeasures.  

The critical infrastructure world is obviously vital to a number of other facilities and operations; hence the term critical infrastructure. Pipeline monitoring stations, power generating facilities, telecommunications, refineries and various other utilities have the potential to suffer deliberate attacks and just as importantly, accidents and weather-related events. When critical infrastructures experience adverse events, there is typically a downstream effect where other facilities and operations are in turn impacted. This is why it is so important for a proper security program to be established and managed. 

Perhaps one of the more important aspects to be considered is to ensure the ongoing operations of the facility. Many of these facilities operate 24 hours a day, every day. As such, it can be difficult to implement both updated and new equipment. It can also be a challenge to conduct tests and drills as people may not be able to leave monitoring stations except in the most dire of circumstances. Upgrading existing security and life safety equipment needs to take into consideration getting the most service out of equipment, yet planning for and replacing it before it fails, all the while continuing on with regular operations. These facts are all directly relevant to the four stages of security management and why risk assessments are often not completed.  

How Often are Risk Assessments Completed?      

First, speaking as both an educator and a consultant, I have asked many people, both students and peers how often they have conducted a risk assessment. The number of people stating that they have completed such an assessment can be counted on the fingers of one hand. And as a consultant, from one perspective it is not surprising that clients have not conducted risk assessments as this is often what I am hired to do. However, as part of my process, I always ask for previous risk assessments. Again, I can count on one hand those organizations that have completed risk assessments. 

One must ask, why the reluctance to complete said risk assessments? Is it the lack of risk assessment tools available? Is it the lack of knowledge required to complete an assessment? Is it an intimidation issue where people don’t feel confident in conducting an assessment? Is it a lack of understanding of the value of completing a risk assessment? Is it all of the above, some or none of the above? I will address each of these issues moving forward.

Assessment Tools

Regarding the availability of assessment tools, there are software programs, standards and guidelines available to assist those interested in conducting risk assessments. I will admit my challenge with some software programs is the lack of transparency when it comes to explaining risk result outcomes. I have asked a number of salespeople over the years when they have tried selling me on their software what decision-making mechanism is in place to justify any particular outcome. Granted, this was years ago, but I have never had anyone be able to explain to me how a particular risk is ranked the way it is. The last person I talked to could not even tell me if the software program was qualitative or quantitative based. Another could not tell me the difference between a threat and risk. The software is there and there is no shortage of standards and guidelines available to the assessor in conducting risk assessments. A simple Google search reveals many methodologies. Therefore, it is not a lack of tools available.       

Knowledge

The knowledge required to complete an assessment is readily available. As identified in the previous paragraph, because there are many methodologies available, it is simply a matter of completing each step in the process. For those who have never completed a risk assessment, it may sound intimidating, but the most important things required are the time and the desire to complete the assessment. The first assessment does not need to be perfect. I have conducted dozens and dozens of risk assessments. I constantly fine-tune the process and while my first risk assessment was a bit rough, it still provided tremendous value to my employer at the time. It also took several weeks as I was working on several other projects at the time, but they get easier to do every time and can be completed in ever decreasing time frames.  

Overcoming Intimidation

Some people may feel intimidated by the process. Large facilities in fact do require a fair amount of work. However, it must be remembered that the scope of the risk assessment must be kept under control. It is easy to be sidetracked through scope creep when evaluating any facility if the assessor thinks that each and every asset must be considered. Therefore, the scope of the risk assessment must be clearly defined. If a large facility is to be assessed, then the overall risks to the facility as a whole must be considered, not the risks to every specific asset. Alternatively, it may be necessary to break the assessment up into smaller, more manageable components such as mechanical areas, parking, perimeter, key facility areas, etc. Again, the most important elements required to complete such an assessment are time and a desire to complete the assessment.  

Not understanding the value of the risk assessment, I suspect, is based on the lack of overall security management knowledge. Unfortunately, the security industry is an unregulated industry.  This means there are lots of people who have never had any proper training when it comes to learning how to be a proper security practitioner. Considering that the risk assessment is the foundation for both developing and maintaining a proper security program, not conducting a proper risk assessment is tantamount to negligence. Regarding security being an unregulated industry, I find it interesting that in many jurisdictions there is a focus on creating mandatory training for security guards, yet their bosses and their boss’s bosses are in no way required to have any training on any aspect of security management. At any given time, only about 10 percent of ASIS International members are certified in that organization’s professional designations. So how is the lack of formal training tied to the infrequency of risk assessments completed? The value of the risk assessment and how it is to be conducted is discussed in great detail in numerous security programs. If a security practitioner does not have exposure to the security body of knowledge, how will they learn to be a proper security practitioner? Simple word of mouth or on-the-job training is usually inadequate in passing on the detailed and appropriate knowledge necessary for a security practitioner to be successful.   

None of the reasons I have provided are acceptable explanations for not completing risk assessments. They all can be easily overcome. Risk assessments are absolutely necessary to the success of an organization’s security program.  With a bit of practice, they can be completed on a regular basis, thereby increasing the protection of the assets in question.   

Recommend0 recommendationsPublished in Physical Infrastructure

About the Author:

Dr. Glen Kitteringham CPP is a security professional working in the industry since 1990. He started his career at The Bay in loss prevention, conducted insurance fraud investigations with Bison Security Group and was a site supervisor with Minion Protection Services. In 1997 he joined Brookfield Properties as Manager, Security & Life Safety and left in 2010 as Director, Security & Life Safety for Western Canada. During his tenure he was instrumental in developing the national security and life safety program. Dr. Kitteringham provides a variety of consulting services including risk assessments, physical security evaluations, life safety and emergency response planning, mentoring and staff development and security program improvement. Dr. Kitteringham obtained his professional doctorate in security risk management from the University of Portsmouth in 2017, several 100 and 300-hour certificates in Security Management, Terrorism Awareness, General Management, Adult Learning specializing in Adult and Community Education and Adult Learning Specializing in e-Learning, his Certified Protection Professional (CPP) designation from ASIS International in 2002, his Masters of Science Post-Graduate degree in Security and Crime Risk Management in 2001 and a Diploma in Criminology in 1992 from Mount Royal University. He has been an adjunct instructor with the University of Calgary since 2008: online classes include ‘Security Administration’, ‘Physical Security Planning’, ‘Managing Investigations’ and ‘Emergency Planning for Industry’. He has instructed since 2010 for the Justice Institute of British Columbia developing and delivering online courses including ‘Introduction to Risk Management’, ‘Developing Strategic Partnerships’, ‘Technology Applications in Emergency & Security Environments’ and ‘Safety & Security Planning for Major Events’. He has several thousand hours experience in creating and delivering a wide variety of courses both in-class and online ranging from one to 200 hours. His expertise in security and life safety is well recognized internationally. He actively managed more than 8 million square feet of A and AA property with over 100 security staff. He conducted research into Crime Prevention Through Environmental Design, Laptop Theft Prevention and Offender Perspectives on Shoplifting, authoring or co-authoring over 150 articles, books and papers on various elements of security and life safety. His book, ‘Security and Life Safety for the Commercial High-Rise’ was published in 2006. He wrote Lost Laptops = Lost Data in 2008. Professional memberships include ASIS International, International CPTED Association and BOMA Calgary. He is active on the BOMA Calgary Public Safety Committee. He can be reached at [email protected] or http://ksginc.ca

Leave A Comment