Tips for crafting a comprehensive risk assessment

As organizations move through 2023 and into 2024, emerging risks continue to surface, and security teams must be prepared to respond and mitigate potential threats to people, operations and assets.

Organizations in the United States will continue to face increased risk from natural hazards, such as wildfires in the West, tornadic activity in the Midwest and hurricanes in the Atlantic Basin. Many factors can be attributed to this increase in loss to natural hazards, including increased development in risk-prone areas and climate change. Organizations must be prepared to mitigate and respond to natural risks, including having the appropriate redundancy, limited points of failure or the potential to shift operations.

Additionally, organizations must be prepared for increased human-made and technological risks, such as active threats, corporate espionage, cyberattacks, terrorism and infrastructure failure. Many organizations continue to see increased attacks on critical infrastructure that support corporate enterprise and government operations. Continual efforts must be made to ensure risks are appropriately identified and proper mitigation measures are employed to minimize potential loss. An in-depth defensive posture deploys a layered security approach that incorporates people, processes and technology to protect assets. Companies and government entities should develop a layered security approach to help detect, deter and respond to human-made and technological risks.

Conducting tailored risk assessments

Although many industries face the same natural hazards based on geography, the technological and human-made risks can vary greatly by industry type or facility use. As a result of the potential threat diversity, security practitioners and risk adjustors should modify how they conduct assessments. The one-size-fits-all assessment that fails to account for business operations and industry-specific threats will most likely not deliver the results that a client needs to properly mitigate potential vulnerabilities. Instead, assessments must be tailored to the systems and operations of the assessed organization, taking an all-hazards approach.

Developing a comprehensive list of the threats that have the potential to impact operations is a worthy first step in assessing enterprise risk. Once threats are initially identified, establishing a radius of review for the assessed location will help to refine the potential human-made and technological risks within the operational area.

The next step would include reviewing the assessed site demographics and operational environment against open-source and proprietary data to ensure that all potential threats have been properly identified. A follow-up field review to validate the collected information is always recommended to ensure the source data is correct.

In many instances, the initial list of potential threats identified by an organization fails to incorporate human-made risks operating within the determined operational radius of review. For example, the failure of facility operators to identify critical infrastructure (e.g., pipelines, electrical substations, rail lines) or hazardous material facilities (e.g., chemical manufacturers, petroleum storage) that operate within the same geographical space could result in potential facility impacts, including the need to shelter-in-place or evacuate. Understanding the holistic threat landscape will allow security teams to properly develop mitigation strategies to help minimize operational impacts and increase their ability to return to operations.

Review controls

Once the assessor has properly identified the threats, the next step is to review the controls deployed by the organization to protect the facility and assets. This step includes checking the measures to harden the target, means deployed to detect and delay the potential threat, and operational processes to properly respond to the threat. The standard mitigation for most organizations involves physical barriers, security technology, security policies and procedures to minimize the potential for facility impact and assist occupants with the proper response to an incident. This review takes a balanced approach to ensure the intended operations can be maintained without compromising security. Physical security controls for a public or semi-public venue, like a school or church, take a far different approach than the security controls for a controlled access facility like a data center or power plant. Security professionals conducting a risk assessment must consider how the facilities being assessed are used to ensure that the controls in place — or controls that are being proposed — allow for successful operation. Thus, creating an assessment template that considers the facility use type and intended audience is essential.

Security professionals must take a balanced approach and research properly before conducting a facility risk assessment. Creating a unique assessment for each facility use type will produce the best results for an organization. Considering all potential hazards will identify the potential threats a facility could face. Conducting a complete information and field review of the facilities will yield comprehensive results and provide facility operators with a holistic view of the risk environment, allowing for the development of proper mitigation strategies to minimize loss.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.