Strategies in Security and Risk Policy to Help Mitigate Violence

March 9, 2020
Effective security and workplace violence prevention programs are necessarily more than the sum of their parts

It is rare to turn on the nightly news and not hear a story related to violence occurring in the workplace somewhere across the country. The threat of workplace violence is an ever-present concern for all businesses and is of particular concern for healthcare organizations.

The Centers for Disease Control (CDC) classifies workplace violence into four basic categories:

  • Type 1: Criminal Intent, in which the perpetrator has no legitimate relationship to the business or its employees and is usually committing a crime in conjunction with the violence (robbery, shoplifting, trespassing).
  • Type 2: Customer/Client, in which the perpetrator is a legitimate customer or client of the business.
  • Type 3: Worker on worker, in which the perpetrator is a co-worker of the victim.
  • Type 4: Personal Relationship, in which the perpetrator has a relationship to the employee outside of work that spills over to the work environment. 

The nature of the business greatly influences which of these types it is most likely to experience. We will concentrate on the prevalence of violence in healthcare organizations, where violence is most often perpetrated by customers, patients and patient’s families, against healthcare staff. Other industries such as banks, taxis, and retail establishments are more likely to experience incidents related to robberies and other criminal activity.

Workplace Violence in Healthcare

OSHA recognizes the unique nature of workplace violence in the healthcare environment, naming workplace violence a “recognized hazard” in healthcare and social service occupations and stating that;  “Healthcare has unique cultural factors that may contribute to underreporting or acceptance of workplace violence. For example, caregivers feel a professional and ethical duty to ‘do no harm’ to patients... and many in healthcare professions consider violence to be ‘part of the job.’ Healthcare workers also recognize that many injuries caused by patients are unintentional and are therefore likely to accept them as routine or unavoidable.”

Violence is so prevalent in the healthcare industry that OSHA has documented rates of “non-fatal assault” four times higher for healthcare and social service workers than they are across general industry in the United States, and that twenty-one percent of nurses and nursing aides have experienced at least one physical assault over the course of their careers.

Mitigation Strategies

Effective security and workplace violence prevention programs are necessarily more than the sum of their parts. They are a holistic blending of programmatic, environmental, and personnel elements that allows each to intersect with the others to create a layered defense that can reduce the potential frequency and impact of incidents.

This holistic blending of elements can most easily be expressed as hierarchical in nature, where each element builds off the one below. This approach also has the benefit of cost-effectiveness, as typically programmatic solutions are the most cost-effective to implement, followed by environmental and systems elements which may be addressed with one-time spending, and finally moving to use of personnel which results in a significant and recurring cost to the organization.

A successful workplace violence prevention program should be based on the implementation of effective programmatic elements that drive the program forward. These elements include multidisciplinary involvement, risk assessment, threat assessment and management, policy, documentation, and training. The programmatic elements are supplemented with manipulation of the organization’s environment to discourage, allow for early identification, and allow for a more effective response to incidents. If necessary, the programmatic and environmental elements of the prevention program can be supplemented with the addition of personnel.  

Programmatic Elements

The first key programmatic element that must be in place in order to implement an effective workplace violence prevention program is ensuring that the organization has multidisciplinary involvement. Implementation of the workplace violence prevention program should not be left solely to one functional area. It should be a collaboration minimally between security, human resources, senior leadership, safety, facilities, and operational units as each of the players bring a unique perspective to the table that will help shape the program around the needs of the entire organization. Arguably the most important player in this collaboration is the organization’s senior leadership. Senior leaders must set the tone for the program and their commitment to it will determine whether there is buy-in to the program across all levels of the organization.

As discussed earlier, a sound risk assessment process should be used to guide an organization’s overall violence prevention strategy. This process should make use of the multi-disciplinary team to identify what types of violence are already occurring or is likely to occur within an organization and what the potential impact of those types of violence could be to the organization, its employees, and customers.

Those types of incidents that are most likely to occur or have the highest potential impact for loss of life, injury to employees or customers, and financial and reputation impact on the business should be prioritized for mitigation. An excellent example of this is the potential for experiencing an active shooter incident, while the risk of experiencing this type of incident is relatively minimal, despite what many in the media would have us believe, the impact is so substantial that a business could be seen as negligent to have not taken at least minimal precautions against the eventuality.

In order to avoid perception bias in the risk assessment process, it is important that organizations implement effective methods of record-keeping regarding all security incidents, including those stemming from workplace violence. While general trending of frequency can be ascertained through study of available resources such as the FBI’s “Study of Active Shooter Incidents in the United States 2000-2013” and OSHA’s “Guidelines for Preventing Workplace Violence for Healthcare and Social Service Workers”, security is truly a situational discipline and an organization must understand the particular risks posed by its location, population, and activities to fully understand its security risk profile.

To understand these risks, there are multiple programmatic elements that an organization can implement. Developing a quantifiable understanding of the risk from Type 1 violence an organization may utilize either crime reporting data from their local police department or aggregated crime data from a third-party vendor such as Cap Index which provides a defensible overview of the risk posed at a specific geographic location in comparison to other areas.

Arguably, the most important element in understanding the risk an organization faces is developing an understanding of incidents and near misses already experienced. To facilitate this, an organization should have in place a robust security incident reporting process that ensures that all incidents and near misses are recorded in a searchable database that allows for analysis and trending of the data in order to identify not only overall trends but also to identify the role that specific individuals (whether victims or perpetrators) or areas play in the occurrence of workplace violence.

This can often lead to the identification of factors that were previously unrecognized by the organization as contributory to workplace violence risk. In some instances, this has been an individual staff member who is the victimized at a higher frequency than others, which may be an indication that the individual could benefit from additional de-escalation training. While in other instances it may identify a specific area of the facility that is experiencing higher levels of violence than others and should be prioritized for implementation of additional violence prevention measures.

A third risk that is often identified through analysis of incident data is the risk presented by a specific individual, in healthcare most often a patient who has assaulted or threatened staff on prior occasions, or whose behavior is escalating toward a potential assault. Once this person has been identified the organization can assess what measures are appropriate to reduce the risk they pose.

A multidisciplinary threat assessment and management team plays an important part in the management of this process. While often all that is required is a conversation with the individual outlining the organization’s stance regarding inappropriate behavior and an ultimatum that further unacceptable behavior will not be tolerated. In more extreme circumstances other measures may be required. In the cases involving a patient, these can include “flagging” the patient’s medical record to notify staff of precautions that should be taken, transferring the patient to a more appropriate unit or facility, implementing a “stand-by” conducted by appropriately trained and equipped Security personnel, or in the most severe cases discontinuing care for that particular patient if the organization is legally able to do so.

In cases involving targeted violence against the organization or an individual employee, such as domestic violence that an employee is experiencing that may follow them into the workplace, other measures may be more appropriate and the data may need to be captured outside of the organization’s typical incident reporting process. The employee who is the victim of domestic violence may struggle to tell the organization about something so emotionally charged, and co-workers are often hesitant to get involved in what is perceived as a personal issue, but a significant percentage of fatal violence in the healthcare environment is linked directly to domestic violence. It is because of this that we stress the importance of codifying in policy the requirement that employees inform their employer of any situations outside of work that may cause a risk to them in the workplace or of any situations that they are aware of with co-workers or customers that may present the same hazards.

In order to understand their resources and responsibilities within the workplace violence prevention program, all employees should be provided effective training in workplace violence prevention. This training can be delivered in person or through any one of many learning management systems (LMS) available to organizations, should encompass all the previously referenced elements, and should be delivered to all employees on hire with refreshers provided on a regular basis. Employees who are most likely to experience workplace violence, as identified via the organization’s risk assessment, should receive additional training providing them tools to recognize and de-escalate incipient violence and to protect themselves in cases where violence cannot be prevented.

Staff training can pay enormous dividends toward the prevention of workplace violence. In one example a cafeteria worker at a hospital identified that a man was acting suspiciously based on training that she had received. She notified the hospital’s security department whose officers were able to approach the man, disarm him of the weapon he had concealed, take him into custody, and prevent a mass shooting.

Environmental and Technological Elements

This base for the security and workplace violence prevention program is supplemented by the design of the organization’s physical space and the use of security technology.

The concept of Crime Prevention Through Environmental Design (CPTED) utilizes the elements of the physical design of the facility to discourage potential criminal activity. This is accomplished through natural access control, in which the environment is designed to limit how users can access the space to carefully delineated specific and limited portals that allow for better control. Natural access control can be supplemented using mechanical locking devices and electronic access control systems to ­­­­­­­­­­­­­further segregate areas from public access.

Limiting the number of options users must access the space enhances natural surveillance, in which the design ensures that the legitimate users of the space are positioned to observe the activity of others in the space so that they can more easily identify suspicious activity. In an effective CPTED application, natural access control and surveillance are accentuated through the use of territorial reinforcement, or the use of design elements to convey a sense of ownership of the space to discourage inappropriate or malicious use.

Ensuring appropriate lighting in parking and other outdoor areas is commonly utilized to increase both natural surveillance and territorial reinforcement in order to decrease the risk of criminal activity and workplace violence. Lighting also allows for effective use of video surveillance of these areas. While video surveillance is often used as a purely a forensic tool, it can also be utilized for early identification of suspicious behavior that has the potential to escalate into workplace violence situations and to allow for a more effective response to situations that are ongoing. One method that has been implemented at numerous organizations is giving receptionists and other front desk personnel viewing stations for exterior cameras increasing the number of people who may spot suspicious activity occurring around the facility.

There are many technologies that can be leveraged to contribute to a more effective response to violent events. These include duress alarms, emergency notification systems, gunshot detection systems, and intrusion alarms that can all be utilized to notify people of an incident and begin an appropriate response. Whether that be directing police or security personnel to the incident or directing employees and the general public how to avoid it.

Personnel Elements

While not necessary in all circumstances, and typically the most expensive of mitigation strategies, the use of personnel for response to workplace violence is often necessary. This can be as simple as working with local police to ensure that they understand the organization, the risks it faces, and its facilities to enable a more effective response if necessary.

In some facilities that have a higher risk of workplace violence than can be effectively managed by their local police departments, but do not have the level of threat or the budget to justify the employment of full-time professional security staff, have implemented the practice of utilizing existing staff and providing the training and building processes to allow them to respond to and help diffuse situations that are escalating toward violence. When an organization makes the decision, as many healthcare organizations have, that the risk level they face justifies the expenditure on dedicated security personnel, there are several elements they must consider. The first is whether to utilize one of the many third-party providers of security personnel or to develop its own security department composed of in-house personnel. Both options have pros and cons and can be the correct choice in some circumstances, but whichever is chosen, the organization should ensure that the security personnel are qualified and equipped to deal with whatever threats they can reasonably be expected to face in the course of their work. As the previously Security Solution Hierarchy model demonstrates, there is logical construct to building a cost-efficient security strategy. There are a plethora of remedies to be considered when implementing security solutions and remember that security is an anticipatory discipline, but combining these focused programmatic elements, environmental and technological controls, and appropriate use of security personnel an organization can greatly reduce the frequency and severity of workplace violence incidents.

About the Authors: Bill Nesbitt CPP has over thirty years’ experience in the security profession. As the President of Security Management Services International Bill has provided security consulting and training services to healthcare facilities, shopping centers, biotech companies, homeowners associations, educational facilities, hotels, manufacturing facilities, and sports and entertainment venues. He has also been retained to provide litigation support to law firms representing both defendants and plaintiffs in over three hundred actions alleging facilities liability due to inadequate security or intentional torts. He is a sought-after speaker on a wide array of security topics and has been interviewed by print and electronic media on numerous occasions. Bill is a Certified CPTED Practitioner through Florida Atlantic University, a Certified Protection Professional by ASIS International, serves on the ASIS International Healthcare Security Council, and has previously served on that organization’s Physical Security and Crime and Loss Control Councils.

Drew Neckar CPP, CHPA has nearly thirty years’ experience in the safety and security field. He has served as the senior-most security executive (CSO) for organizations in the healthcare, financial services, education, and hospitality sectors and as a Regional Security Director for Mayo Clinic. He has presented on various security-related topics at regional and national conferences and has been published in multiple professional journals. Drew is board certified as a Certified Healthcare Protection Administrator (CHPA) by the International Association or Healthcare Safety and Security, a Certified CPTED Specialist by the American Crime Prevention Institute, a Certified Protection Professional (CPP) by ASIS International and serves on that organization’s Healthcare Security and School Security Councils. He owns and operates Security Advisors Consulting Group a full-service security consulting firm and serves as the Vice President of Operations for Security Management Services International Inc.

  1. ASIS International and the Society for Human Resources Management (2011) Workplace Violence Prevention and Intervention Standard, Alexandria, VA.
  1. Federal Bureau of Investigation (2014) A Study of Active Shooter Incidents in the United States 2000-2013, Washington DC, Accessed at
  1. International Association of Healthcare Safety and Security (2016) Security Design Guidelines for Healthcare Facilities, Glendale Heights, IL
  1. The National Institute for Occupational Safety and Health (2012) Home Healthcare Workers: How to Prevent Violence on The Job, Cincinnati, OH
  1. The National Institute for Occupational Safety and Health (2013) Workplace Violence Prevention for Nurses, accessed at
  1. Occupational Safety and Health Administration (2015) Preventing Workplace Violence: A Road Map for Healthcare Facilities, Washington DC
  1. Occupational Safety and Health Administration (2015) Guidelines for Prevention Workplace Violence for Healthcare and Social Service Workers, Washington DC
  1. Occupational Safety and Health Administration (2015) Workplace Violence and Related Goals: The Big Picture, Washington DC
  1. Occupational Safety and Health Administration (2015) Workplace Violence in Healthcare: Understanding the Challenge, Washington DC
  1. SIA Health Care Security Interest Group and the International Association for Healthcare Security & Safety Foundation (2017) Mitigating the Risk of Workplace Violence in Health Care Settings, Silver Spring, MD
  1. The Joint Commission (2014) Quick Safety #4: Preparing for the Active Shooter, Oakbrook Terrace, IL
  1. The Joint Commission (2018) Sentinel Event Alert #59: Physical and Verbal Violence Against Healthcare Workers, Oakbrook Terrace, IL