Risk Assessments: A Pillar in Security Planning

by ITG Consultants, Inc.

©2014. All rights reserved.


CONTENTS

INTRODUCTION
HISTORY OF RISKS
BEST PRACTICES
RESULTS
CONCLUSION
ABOUT ITG CONSULTANTS, INC.

INTRODUCTION

Avoiding and minimizing risk is something all organizations seek to accomplish with good reason. Natural or man-made hazards can adversely impact facilities, assets and people, which in turn impact the organization’s ability to continue to operate successfully, if at all. Without a definitive timeline associated with potential risks, many entities fail to position themselves to address those risks, leaving themselves exposed unnecessarily. Identifying the risks and the associated potential effect, well in advance of the occurrence, is vital to weathering such events when they happen. A careful, methodical risk assessment is a cost-effective, yet essential component in developing a comprehensive security program.

HISTORY OF RISKS

Risks are defined as anything that can potentially impact an organization in a harmful or negative way. Some risks are inherent to the environment or geography, such as earthquakes or tornadoes; others are man-made, as in the case of data theft. Fortunately, risks, once identified, can be defended against through a planned response, thereby mitigating the negative impact.

Risks are distinct from two other concerns in security planning: vulnerabilities and threats. Vulnerabilities are weaknesses or an inability to withstand the effects of a hostile environment and involve issues that a perpetrator can exploit when targeting an entity. Threats are more closely related to risks. Risks can evolve into threats when they manifest themselves and the impact is no longer merely potential. Threats are imminent and have a defined timeline associated with them, whereas risks do not.

Risk has existed since the beginning of history, keeping pace with the evolution of society and culture over the course of time. Natural risks have undergone less change, while man-made risks experience iterations with every new development in technology, not to mention social and geo-political conditions. For example, before the advent of the computer, no person or organization was at risk of losing information as a result of hacking, while volcanic eruptions still pose the same risk they always have.

ISSUES AND MAIN POINTS

Purpose and process of risk assessments: Avoiding and minimizing the potential adverse impact of risks requires organizations to identify risks as a key component when developing a comprehensive security plan. A methodical risk assessment is the initial step in that process in which the risks are identified. Simply delineating the risks, however, is insufficient for the purpose of defending against them. Two further steps in the assessment process are vital to the planning process: evaluating the impact of the risks and assigning probability to them.

1. Assessing potential impact. In order to formulate a plan to address the risk, defining the specific impact of that risk’s occurrence is critical. Without approximating the depth and nature of the impact, determining an appropriate response is impossible. Will the occurrence of an anticipated risk result in the loss of an asset or human life? In the case of an asset, is that asset critical to business operations? To illustrate, the loss of a table saw to a carpenter is fundamentally more profound because of its significance to doing business than the loss is to an educational institution’s shop class. The merited response to the loss of a saw will vary according to the entity facing the risk. Ascribing a numerical value from a pre-determined scale will weigh the depth of impact of each risk relative to the other risks on the list.

2. Assigning probability of occurrence to identified risks. Determining the likelihood of each identified risk materializing aids in prioritizing them for the purpose of bolstering defenses against their occurrence. Assigning each hazard a ranking of probability on a scale, ranging from unlikely to highly likely, will yield a better-defined list with which to determine which risks to address first. In many cases, the probability projection is a subjective matter, approximated by the assessor based on existing knowledge and experience. Occasionally, empirical data exists and can be used to assign probability, as in the case of area crime trends for the risk of burglary. While assigning probability to each risk is often subjective, it is imperative for the evaluation to be realistic. Common sense is an excellent tool with which to gauge the likelihood of each risk. For example, a business needn’t be concerned over erosion when its plant is located on the midwestern plains away from water flow. Conversely, a drug company that tests products on animals is wisely aware of the potential to be targeted by activists.

Utilizing a matrix to objectively organize the accumulated information is an effective means to generate a prioritized list of risks to address. The first column should list the hazards that have been identified; subsequent columns note the word-defined impact and numerical probability of occurrence. The Federal Emergency Management Agency (FEMA) produced a Guide for Developing High-Quality School Emergency Operations Plans¹ that steers users through a similar process.

¹ U.S. Department of Education, Office of Elementary and Secondary Education, Office of Safe and Healthy Students, Guide for Developing High-Quality School Emergency Operations Plans, Washington, DC, 2013.

Calculating risk

HAZARD | PROBABILITY | MAGNITUDE | WARNING | DURATION | RISK PRIORITY
FIRE | 4 HIGHLY LIKELY; 3 LIKELY; 2 POSSIBLE; 1 UNLIKELY | 4 CATASTROPHIC; 3 CRITICAL; 2 LIMITED; 1 NEGLIGIBLE | 4 MINIMAL; 3 6-12 HOURS; 2 12-24 HOURS; 1 24+ HOURS | 4 12+ HOURS; 3 6-12 HOURS; 2 3-6 HOURS; 1 < 3 HOURS | HIGH; MEDIUM; LOW
HAZMAT SPILL OUTSIDE | 4 HIGHLY LIKELY; 3 LIKELY; 2 POSSIBLE; 1 UNLIKELY | 4 CATASTROPHIC; 3 CRITICAL; 2 LIMITED; 1 NEGLIGIBLE | 4 MINIMAL; 3 6-12 HOURS; 2 12-24 HOURS; 1 24+ HOURS | 4 12+ HOURS; 3 6-12 HOURS; 2 3-6 HOURS; 1 < 3 HOURS | HIGH; MEDIUM; LOW

The FEMA guide also suggests columns noting the amount of time a risk would afford responders to warn those affected and the duration of time over which the risk would sustain itself. ITG recommends two additional columns: (1) one accounting for the amount of stakeholder concern (such as employees’ worry over poorly lit parking garages giving rise to attacks) and (2) a conclusive column assigning numerical priority to each risk based on a mathematical average of the preceding columns.

weighing emotional & objective considerations


Weighing the emotional concerns may indicate one risk factor should be valued higher than another. Calculating totals may help you prioritize the risk factors and help you plan for budgetary expenditures better. This process is depicted in the following table:

Calculating risk with emotional and objective factors

HAZARD | PROBABILITY | MAGNITUDE | WARNING | DURATION | STAKEHOLDER CONCERN | RISK LEVEL RATING
FIRE | 4 HIGHLY LIKELY; 3 LIKELY; 2 POSSIBLE; 1 UNLIKELY | 4 CATASTROPHIC; 3 CRITICAL; 2 LIMITED; 1 NEGLIGIBLE | 4 MINIMAL; 3 6-12 HOURS; 2 12-24 HOURS; 1 24+ HOURS | 4 12+ HOURS; 3 6-12 HOURS; 2 3-6 HOURS; 1 < 3 HOURS | 4 VERY HIGH; 3 HIGH; 2 MODERATE; 0 NEGLIGIBLE | 12
HAZMAT SPILL OUTSIDE | 4 HIGHLY LIKELY; 3 LIKELY; 2 POSSIBLE; 1 UNLIKELY | 4 CATASTROPHIC; 3 CRITICAL; 2 LIMITED; 1 NEGLIGIBLE | 4 MINIMAL; 3 6-12 HOURS; 2 12-24 HOURS; 1 24+ HOURS | 4 12+ HOURS; 3 6-12 HOURS; 2 3-6 HOURS; 1 < 3 HOURS | 4 VERY HIGH; 3 HIGH; 2 MODERATE; 1 NEGLIGIBLE | 10
ACTIVE SHOOTER INCIDENT | 4 HIGHLY LIKELY; 3 LIKELY; 2 POSSIBLE; 1 UNLIKELY | 4 CATASTROPHIC; 3 CRITICAL; 2 LIMITED; 1 NEGLIGIBLE | 4 MINIMAL; 3 6-12 HOURS; 2 12-24 HOURS; 1 24+ HOURS | 4 12+ HOURS; 3 6-12 HOURS; 2 3-6 HOURS; 1 < 3 HOURS | 4 VERY HIGH; 3 HIGH; 2 MODERATE; 1 NEGLIGIBLE | 14

Sometimes a less-likely event will be elevated to a higher priority as a result of the magnitude of damage it could inflict. Only after a comprehensive assessment has been completed are the priorities sufficiently clear to predicate action upon them. With a prioritized list in hand, organizations can begin the process of developing and implementing strategies with which to mitigate and defend themselves against those risks. Available funding will never match the cost to defend against all possible risks, which makes prioritization of risks the operative lens with which to determine how to allocate the existing fiscal resources.

BEST PRACTICES

Who should assess? All entities—whether academic, governmental, non-profit or for-profit—benefit from assessing for risks because all entities face risks as a result of existing and operating. Although each type of entity could arguably endure the same risks (as in the case of an earthquake), the adverse impact on their respective operations could be vastly different based on the purpose of their existence and the assets held in association with operating. In 2011, FEMA issued a national preparedness goal² encouraging all types of organizations and individuals to be poised to respond to and endure calamities of any variety: natural disasters, disease pandemics, man-made hazards, and attacks of terrorism. FEMA’s goal is that the United States would be “A secure and resilient nation with the capabilities required across the whole community to prevent, protect against, mitigate, respond to, and recover from the threats and hazards that pose the greatest risk.” Limited resource pools necessitate wise deployment of finances to mitigate risks, making the task of assessing them critical to all types of entities.

² U.S. Department of Homeland Security, Federal Emergency Management Agency, National Preparedness Goal, Washington DC, 2011.

Risk assessments can largely be self-conducted due to a wide array of free resources and rubrics available. County emergency management and chamber of commerce resources or industry associations have a wealth of information to tap. However, professional insight is highly beneficial in ensuring the full scope of the process has been completed. Often, law enforcement professionals are unable to assist in the assessment process for the private sector due to a lack of staffing required to sustain the workload, making private security professionals the most available, economical and skilled resource available to conduct the assessments.

What is assessed? Risk, defined as anything that can adversely impact an organization, can be approximated by assessing three main areas. First, the physical structures and surroundings in which the organization operates. Consider the terrain (for risks such as erosion) and neighboring tenants (for risks that could arise from adjacency to nuclear plants, for example). Second, the geographic hazards associated with the area. Is it prone to a particular type of natural disaster because it sits on a fault line? Finally, look at the industry practices that could incite human-caused risks, such as being targeted by activism.

Obstacles to assessing: Most obstacles to conducting a risk assessment are not substantial in nature. Budget constraints are commonly cited as being of primary concern. Yet with the ready availability of free, preliminary resources, the initial steps can be completed with nominal cost, if any. The costs of obtaining area crime reports or census information measure in merely hundreds of dollars. Concern over the amount of time allocated to conducting an assessment needn’t be a large impediment either. Relative to the time investment made in threat and vulnerability assessments, this pillar in the process of developing a security plan is the least time consuming. However, conducting a risk assessment is worth the time for the simple but supreme reason that it enables the organization to operate from a proactive, instead of reactive, posture in the event that the risk materializes. Knowledge limitations are the most significant obstacle to conducting an assessment. Online tools and publicly available resources are readily available for the asking. While law enforcement’s role is limited to only those entities that are pertinent to national infrastructure, such as power stations, private security firms are poised with pertinent expertise to complete the assessments in a thorough and timely fashion.

Completing a risk assessment process will help achieve FEMA’s goal of creating a “secure and resilient nation”.

RESULTS

Together with vulnerability and threat assessments, risk assessments shape the safety and security plan that no organization, regardless of type, should be without. The cost of conducting a risk assessment is relatively low, especially when compared to the dramatic cost of interrupted operations if and when the risk materializes and becomes, by definition, a threat with a defined timeline. When a previously identified risk occurs, the overall cost to the organization in the long run will be lower, due to a more expedient recovery resulting from the proactive planning. The cost of hardening defenses against identified risks, by remediating structures or modifying policies, can be staged over the course of time. This allows the cost of implementing the plan to be budgeted for within the annual fiscal constraints. Having a comprehensive list of risks, prioritized according to the severity and probability, ensures the right risks are addressed in the right order, making the money invested in a risk assessment highly effective.

CONCLUSION

Organizations of all types and sizes face risks that can adversely impact their operations. Yet risks can and should be identified in advance of their occurrence. Risk assessments empower organizations to prioritize risks and proactively plan to defend against them, thereby minimizing the physical and fiscal damages when and if the risk materializes. Remember, the assessment process needn’t be lengthy or costly, making it both an essential and achievable pillar in the organization’s overall security program.

ABOUT ITG CONSULTANTS

ITG Consultants, Inc., is a Veteran-owned small business based in Pennsylvania providing training, consulting and security management services. David L. Johnson, president of ITG, is certified in Homeland Security – Level V, by the American Board for Certification in Homeland Security, previously served on its Executive Advisory Board and also serves as Chairman of The American Board for Certification in Dignitary and Executive Protection. Gale R. Ericksen, vice-president of ITG, is a Certified Protection Professional by the American Society of Industrial Security and is certified in Homeland Security – Level III. Together, the leadership team of ITG Consultants has nearly 6 decades of experience in international law enforcement, executive and dignitary protection and training.


For more information or a no-obligation discussion, visit our website at www.itg4.com or call (866) 904-4ITG.


BBB RATING: A+

