Evaluating readiness: A must-do security assessment

Oct. 30, 2014
Meeting readiness requirements goes well beyond typical emergency preparedness

In many security functions, readiness requirements have not been fully identified and responsibility for creating and maintaining readiness conditions has not been formally assigned. Most people associate the concept of “readiness” with emergency preparedness, with “fire drill” being the most commonly thought of preparedness element. However, the full set of readiness requirements of an organization form a much bigger picture, much of which is not related to emergency preparedness. In most cases, that full picture is not addressed.

Even organizations working on improving their resilience often miss the readiness element, except for emergency preparedness. Limiting your preparedness perspective to solely those risks with potentially catastrophic consequences can leave your organization with unacceptable gaps in risk mitigation.

The following are some common contributors to low readiness states:

  • The concept of readiness was not a part of the business culture (and so current states of readiness and readiness evaluations were not a part of planning and preparations activities)
  • Preparations were insufficient to be fully ready in the first place (often due to poor readiness criteria and/or poor readiness evaluation and testing)
  • Failure to refresh or maintain initially-established readiness conditions (for example, people forget things; batteries discharge; phone numbers change, and tools and supplies get used, misplaced or relocated)
  • Readiness preparations had  been nullified by organizational changes (states of readiness were disestablished—in most cases unknowingly—by planned actions such as personnel changes or restructuring)

States of Readiness for Your Security Program

Does your security program documentation identify the states of readiness that you must maintain, and what their requirements are? Sometimes the operational response requirements are known or assumed, but not documented or validated.

For each type of response there should be a targeted level of response (optimal response), as well as the minimum acceptable response. Readiness preparations should be based upon the optimal response, with the objective in mind that unforeseen circumstances may hinder response somewhat, but not push it below the level that is acceptable.

Readiness Plan

A readiness plan lists the states of readiness that must be established, defines their requirements, and identifies the response capabilities that must be maintained along with what is required to maintain them. The plan should have a readiness validation schedule, which typically includes inspections of equipment (from flashlights to vehicle inspections), inspections of materials (evacuation maps, signage, awareness posters, call lists, and so on), verification of training and certification status, and exercise drills to gauge performance and help maintain acceptable performance levels.

A good readiness validation checklist will include people, process, technology and performance elements. A well-defined readiness plan can keep you from spending needless time and money on over-preparation, as well as help prevent under-preparedness.

Two Must-Do Readiness Assessments

Different situations require different levels of readiness. The consequences of not being ready vary significantly depending upon the context and purpose of the preparations. For example, the quality of fire and life safety incident response is critical due to the potential for catastrophic personal injury and severe property damage. Other situations do not require the same level of response. For instance, a pedestrian trespasser taking a short-cut across a parking lot may simply require security officer observation, while a group of gang members entering the property requires a very different response. Risk assessment findings are usually a good starting point for identifying operational readiness requirements.

There are two different high-consequence readiness situations where many organizations are more commonly not-ready than ready: Evacuation and shelter-in-place readiness, as well as technology deployment readiness

Evacuation and Shelter-in-Place Readiness

In response to a threat or hazard condition, personnel within a facility may need to evacuate or move to internal shelter locations. “Fire drill” is the exercise most commonly associated with building evacuation. Not all facilities have a specific fire drill requirement. Often, if the fire department or corporate policy does not require facility fire drills, none are performed. Even in facilities with evacuation drill requirements, shelter-in-place drills are not always performed.

Typically, over time, the evacuation and shelter-in-place readiness states of a facility declines unless specific measures are taken to maintain appropriate states of readiness.

Although the Occupational Safety & Health Administration (OSHA) does not have an evacuation drill requirement, its standards of safety state that businesses must provide all employees with emergency action plans. Such plans provide guidelines on how to respond and react to an emergency. Included in the plan is a list of designated individuals who are responsible for making sure all people have exited the building. Additionally, emergency action plans are to include a list of what first aid will be provided and who will be responsible for providing it.

References and guidance likely to help in your readiness assessments can be found here.

Technology Deployment Readiness

It is rare to encounter a significant security technology deployment that was on-time, within budget, and accomplished all of its important requirements. Contrary to what one might expect, usually the bigger the budget, the worse the project track record.

The history of technology deployments, including security technology projects, shows that it is a high-risk error to expect traditional project planning to sufficiently address project readiness factors. Due to the increasing complexity of advancing technology, risk factors impacting technical project success keep increasing.

A white paper that presents the five dimensions of complex projects, and an online tool for assessing technical project readiness, are available here.

Budget Approval Readiness Assessment

There is also a checklist under development for budget approval readiness, based upon feedback from numerous security budget approval stakeholders. If you have interest in such a checklist, you can be notified when the checklist is ready for download

About the Author

Ray Bernard, PSP, CHS-III

Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (www.go-rbcs.com), a firm that provides security consulting services for public and private facilities. He has been a frequent contributor to Security Business, SecurityInfoWatch and STE magazine for decades. He is the author of the Elsevier book Security Technology Convergence Insights, available on Amazon. Mr. Bernard is an active member of the ASIS member councils for Physical Security and IT Security, and is a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com).

Follow him on LinkedIn: www.linkedin.com/in/raybernard

Follow him on Twitter: @RayBernardRBCS.