Risk Assessment 101

How to build the proper foundation before making security technology and upgrade recommendations.
March 16, 2026

Key Highlights

  • Security consultants who recommend familiar solutions before fully understanding a client's needs are making the same mistake as a doctor who prescribes treatment before examining the patient.
  • A structured five-step process — risk assessment, goal-setting, cultural alignment, recommendations, and presentation — ensures every solution ties directly to a specific, measurable security objective.
  • The most credible consultants recommend beyond what they sell, and occasionally walk away from business that isn't a good fit; that discipline builds the trusted advisor reputation that generates long-term referrals.


This article originally appeared in the March 2026 issue of Security Business magazine.

Clients experiencing security problems frequently call in a security consultant to help. It may be an independent consultant who is not affiliated with any security product or service, or the representative of a systems integrator or security services provider who also serves in a consulting capacity.

When asked for advice, consultants may be tempted to recommend solutions based primarily on what is familiar to them or what has worked for their other clients; however, the key question is: Are those solutions truly appropriate for this client?

Just as a physician would not prescribe treatment without first conducting a thorough examination of a patient, a security consultant should not start recommending security solutions until there is a clear understanding of the client’s needs, goals, and operating environment.

Here’s a strategy for consultants and integrators to follow before making a technology or solution recommendation:

Step 1: Learn the Client’s Security Risks

A clear understanding of a client’s security needs starts with identifying and evaluating their security risks. This is done through a structured security risk assessment process that involves the following five phases:

1. Identify the assets that the client needs to protect. This includes people, property, and information, but can also include things such as reputation or operational capability.

2. Identify possible loss events. These refer to a specific type of incident or scenario that could occur that would result in the loss or harm of the assets you have identified. Loss events include things such as assaults, burglaries, robberies, theft of information, vandalism, and other types of crime.

3. Determine how likely each type of loss event is to occur. This involves a subjective analysis of data such as past incident history, crimes at similar or nearby properties, and police crime and calls-for-service reports. The likelihood of each loss event can be scored using a five-point scale: (1) very unlikely, (2) unlikely, (3) moderately likely, (4) likely, and (5) very likely.

4. Determine the consequences of each loss event. This involves identifying the negative impacts the client could experience if the event occurs, including injury, loss of life, financial costs, loss of revenue, compromise of confidential information, and legal liability. The consequences of each loss event can also be scored using a five-point scale: (1) insignificant, (2) minor, (3) moderate, (4) major, and (5) severe.

5. Determine the overall risk of each loss event. This is accomplished by multiplying the likelihood score by the consequences score. For example, if the likelihood that a loss event would occur was moderately likely (3), and the consequences of that event were minor (2), the overall risk score would be 6 (3 x 2).


Risk assessment results are typically shown in a matrix table that lists loss events from highest to lowest risk, along with their likelihood, consequences, and overall score.
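As an added illustration (example code written for this editorial, not part of the article), the five-phase scoring in Python: a small register of constructed loss events is checked against the two five-point scales, scored as likelihood multiplied by consequences, and listed from highest to lowest risk in the matrix form described above. The client, event names and scores are hypothetical.

```python
from dataclasses import dataclass

# Five-point scales as given in Step 1; any score outside 1..5 is rejected.
LIKELIHOOD = {1: "very unlikely", 2: "unlikely", 3: "moderately likely",
              4: "likely", 5: "very likely"}
CONSEQUENCE = {1: "insignificant", 2: "minor", 3: "moderate",
               4: "major", 5: "severe"}


@dataclass(frozen=True)
class LossEvent:
    name: str
    assets: tuple        # assets at stake: people, property, information, reputation...
    likelihood: int      # 1..5, judged from incident history, nearby crime, police reports
    consequence: int     # 1..5, the impact the client would experience if it occurs

    def __post_init__(self):
        if self.likelihood not in LIKELIHOOD or self.consequence not in CONSEQUENCE:
            raise ValueError(f"{self.name}: likelihood and consequence must be 1..5")

    @property
    def risk(self) -> int:
        # Phase 5: overall risk is the likelihood score times the consequences score (1..25).
        return self.likelihood * self.consequence


def risk_matrix(events):
    """Rows ordered from highest to lowest overall risk; ties rank the worse consequence first."""
    ordered = sorted(events, key=lambda e: (e.risk, e.consequence), reverse=True)
    return [(e.name, e.likelihood, e.consequence, e.risk) for e in ordered]


def render(rows):
    """Plain-text version of the matrix table the client would see."""
    lines = [f"{'Loss event':<36}{'Likelihood':<24}{'Consequences':<18}Risk"]
    for name, lik, con, risk in rows:
        l_txt = f"{LIKELIHOOD[lik]} ({lik})"
        c_txt = f"{CONSEQUENCE[con]} ({con})"
        lines.append(f"{name:<36}{l_txt:<24}{c_txt:<18}{risk}")
    return "\n".join(lines)


# Constructed register for a hypothetical client; the scores are illustrative only.
SAMPLE_REGISTER = (
    LossEvent("Theft of confidential information", ("information",), 3, 4),
    LossEvent("Workplace violence", ("people", "reputation"), 2, 5),
    LossEvent("Auto burglary in employee lot", ("property",), 4, 2),
    LossEvent("Vandalism of exterior signage", ("property", "reputation"), 3, 2),
)

if __name__ == "__main__":
    print(render(risk_matrix(SAMPLE_REGISTER)))
```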

Step 2: Determine the Client’s Security Goals

This begins by translating each loss event identified in the risk assessment into a corresponding security goal. For example, if information theft is identified as a loss event, an appropriate goal might be: “Protect confidential and proprietary information from unauthorized access or disclosure.”

Similarly, if auto burglary is identified as a concern, the related security goal could be: “Deter theft from vehicles parked on company property.”

This method should be used to establish specific security goals for each loss event identified in the risk assessment. In addition to addressing potential loss events, clients may also have secondary security goals that are equally important. These can include meeting regulatory or insurance requirements, supporting employee morale and retention, and promoting a positive image of the client’s organization to the public.

Step 3: Understand the Client’s Culture and Resources

Effective security recommendations must align with the client’s mission, organizational culture, and available resources. Security measures that conflict with how an organization operates, or that exceed its ability to sustain them, are unlikely to be successful over time.

Some physical security measures may conflict with the image a client wishes to present to the public. For example, installing full-height turnstiles may be effective from a security standpoint, but the client may feel that they send the wrong message.

Similarly, security systems intended for on-site monitoring provide little benefit if the client lacks the staff to monitor or respond to these systems. In some cases, the client may simply not have the financial resources to implement a recommendation, no matter how necessary the consultant feels it might be.

Step 4: Develop Recommendations

Every recommendation made by a security consultant or integrator should be specifically intended to address one or more of the client’s security goals. For example, if one of a client’s goals was to protect confidential information, recommending card readers on file room doors, providing better locks on file cabinets, and using high-quality document shredders might be appropriate.

Another example: If preventing workplace violence is a priority, measures such as employee training, early intervention, and controlled access between public and non-public areas might be recommended.

When developing recommendations, always concentrate on the basics first. For example, doing simple things such as providing better lock hardware or reinforcing doors should always be done before installing things such as cameras or alarm systems. To the extent possible, every recommendation should be tied to a specific security goal. Recommendations that don’t address specific goals should come later, if at all.

Every recommendation made should provide a measurable risk reduction, and its cost should be reasonable when compared to the amount of risk reduction it provides. The cost of any solution should not exceed the cost of the problem. For example, if a client is losing a few hundred dollars a year due to thefts in an outdoor area, spending $200,000 to fence and gate this area probably doesn’t make sense.

All recommendations should also align with the client’s culture and desired public image while minimizing unnecessary inconvenience to employees and guests.

Additionally, when proposing security measures, consideration should be given to their potential impact on employee productivity. For example, creating physical separation between an office and production area may improve security, but could require employees to take a circuitous route that takes time out of their workday. When multiplied across multiple employees over the course of a year, this loss of productivity can become substantial.

Finally, consider the long-term sustainability of recommended security measures: Will the client have the financial capacity and staffing resources to continue to operate them over time? A good example of a failure in this area is the abandoned guardhouse often seen at the entrance to a manufacturing plant or gated community. At one time, someone thought having a guard at the entrance was a good idea, but when budgets got cut, the position was eliminated.

Step 5: Present the Recommendations to Clients

Recommendations should be presented with a clear description of what is being proposed and the specific security goals they are intended to achieve. Whenever possible, both the initial implementation costs and the ongoing operating and maintenance costs should be provided along with the recommendation so the client can make an informed decision.

For consultants who also sell security products or services, be sure to include recommendations that extend beyond what you provide – doing so demonstrates a genuine commitment to the client’s interests and reinforces the consultant or integrator’s role as an advisor rather than simply a salesperson.

In some situations, after fully understanding the client’s goals, a consultant may determine that their product or service is not a good fit for the client’s needs. In those cases, the best course of action is to communicate this honestly to the client, and when possible, refer them to providers better able to meet their needs.

Although walking away from business can be difficult, putting the client’s interests first strengthens your reputation as a trusted advisor and can provide great benefits in the long run.

About the Author

Michael A. Silva

Michael A. Silva, CPP, CSC, is a Seattle-based independent security consultant who has been serving clients of all types for more than 40 years. His new book, “The Consultant's Guide to Physical Security Assessments: Practical, Field-Proven Techniques That Work,” is now available on Amazon in both paperback and Kindle format.
