It All Starts With a Quality Risk Assessment

March 7, 2022
The process requires a thoughtful, detailed, and involved strategy, and is not something achieved using a checklist

While security threats evolve and the challenges of managing organizational risk seemingly increase every year, the foundation of securing the business is knowing and understanding its vulnerabilities and how those vulnerabilities impact the Enterprise mission and strategy. We determine vulnerability by conducting an all-hazards risk assessment.

Before we get into an in-depth conversation on this issue, let me first demonstrate the importance of quality risk, threat, and vulnerability assessment by asking you a question: what do the following activities have in common? Enterprise Risk Management, Risk Management, Enterprise Security Risk Management, Business Impact Analysis, Business Continuity, Emergency Management, Global Supply Chain, and Cyber Security. If you answered risk assessment, you are correct. Each of these critical areas of business competence requires a risk assessment.

Risk, Threat, and Vulnerability Assessments are core functions of any quality security program. A risk assessment identifies, analyzes, and evaluates uncertainties to objectives and outcomes. It provides a comparison between the desired/undesired outcomes and expected rewards/losses of organizational objectives. The risk assessment analyzes whether the uncertainty is within acceptable boundaries and within the organization’s capacity to manage risk. The risk assessment results inform the responsible and accountable decision-maker(s) of choices available to manage risk and achieve the organization’s objectives effectively. In short, you cannot develop solutions until you understand the problem. A comprehensive risk assessment includes a detailed review of all physical security systems, people, processes, plans, policies and procedures.

A risk assessment is a process of identifying potential vulnerabilities and hazards and analyzing what could happen to the enterprise if trouble occurs. Knowing how to perform a risk analysis is helpful for almost any decision-making process, no matter your professional role or sector. When you analyze risk, you can develop soft skills such as critical thinking and problem-solving. This skill is necessary for anyone in a security management role. You may not be doing the assessment yourself, but you may supervise, evaluate, and interpret the work of others, including employees and consultants.

In other articles, I have aligned the risk assessment process with the problem-solving process, where we learn that you cannot develop a solution until you identify the problem. The problem-solving process for our industry is a comprehensive risk, threat, and vulnerability assessment that is conducted adequately according to quality management Standards.

I have professionally provided risk, threat, and vulnerability assessments for my clients for 22 years. Additionally, I have taught many different methodologies and helped develop several. Further, I have contributed to developing industry standards in this field of endeavor. I have learned a few things during this time, and I want to share my thoughts on the subject and practice of risk assessment with you here.

To receive an exceptional product, let’s consider the following topic areas:

1. What competencies should you look for in an assessor?

2. Who should be involved in the risk assessment?

3. What information should the final report contain?

What competencies should you look for in an assessor? When you engage an assessor, they should possess knowledge of your industry sector and, as a minimum, have professional certification as a Physical Security Professional (PSP) or Certified Protection Professional (CPP). Remember, the assessor’s findings are used for critical decision-making.

If the foundation of the information is flawed, then the resulting decisions will also be flawed. With Enterprise Security Risk Management (ESRM) rapidly becoming an industry standard, security management is a full partner and C-Suite level contributor requiring exceptional information.

Specific Competencies of an Assessor

Assessors must be good communicators. A good assessor must possess exceptional communication skills in both written and verbal communications. Additionally, they must be good investigators and collaborators to discern critical information from all the various aspects of the Enterprise.

Further, assessors should have expert-level knowledge of threat assessment, open-source intelligence collection and analysis, physical and cyber security, auditing practices, business management, leadership, quality management, and root cause analysis.

Specifically in physical security, the following knowledge and topic area competencies are desirable. These may include:

  • Exterior and interior physical security
  • Systems integration
  • Barrier systems
  • Access Control
  • Visitor Management
  • Exterior Lighting
  • Detection Systems
  • Cameras and Analytics
  • Protecting HVAC, Skylights, and Roof Hatches
  • Crime Prevention Through Environmental Design
  • Communications Systems
  • Guard Forces
  • Security Operations Centers 

Enterprise Involvement

Producing a high-quality product requires exceptional knowledge and information, and the assessor must understand and assimilate that information rapidly. For this reason, it only makes sense to gain critical information from those who know what’s going on, including successes, pain points, and near-horizon events. Executive leadership, frontline managers, and select employees should be available to the assessor for interviews so that the assessor becomes familiar with the mission, operations, and existing physical security programs and how the security management team supports them in their mission. The intended outcome of the interviews is to align risk, resilience, and security solutions with organizational strategies and goals to achieve resiliency and minimize risk when confronted with a human-made, technological, or natural disaster.

The positions below are what I consider to be a minimum; other people may be brought into the discussion depending on the organization’s structure, mission, operations, threats, and relationships.

  • General Manager
  • Operations
  • Legal
  • Human Resources
  • Financial Manager
  • Controller
  • Risk/Security Manager
  • Law Enforcement
  • Emergency Responders 

The Bones of the Final Report

All levels of management will view the final report and, therefore, we prepare it using third-party language and free of biases. The final report encompasses the following topical areas:

  • Executive Summary
  • Planning
  • Threat assessment
  • Campus and facility characterization
  • Consequence assessment
  • System effectiveness
  • Risk analysis
  • Risk management, Risk Register, and Risk reduction

The Executive Summary: An executive summary is the first section of a risk assessment and provides an overview of the complete assessment; it is a condensed version of the risk assessment for C-Suite consumption. The executive summary is relatively short, usually one to four pages, and concisely describes all aspects of the assessment process.

Planning: The planning section of the document discusses the methodology used, project deliverables, the documentation considered, and the results of interviews.

Threat Assessment: The threat assessment results in six to eight high-level threats that are most likely to impact the Enterprise. To document the threat, the assessor considers and records past threat reports, crime statistics, information from law enforcement agencies, historical and point-in-time threat information, and past unusual occurrence and serious incident reports.

Campus and Facility Characterization: On most campuses, some facilities are more important than others. Learning about a building and its purpose serves to inform the assessment. It provides information that leads to a determination of consequence levels which are informed by impact and severity.

For example, let’s examine a campus with a supply warehouse, a manufacturing building, an administrative building, a maintenance building, and executive offices. How would you determine which of these buildings are more important to the Enterprise? We can rank them in importance by understanding the function of each building and how that function impacts the enterprise mission and strategy.

A more straightforward example is a water utility. Pumping stations are more critical if the top mission is to pump water to fire hydrants. Conversely, if the mission is to provide potable water, water treatment plants are more critical in meeting the enterprise's mission.

Consequence assessment: Consequence refers to the impact, severity, and likelihood of a threat event. There are many consequences, and each is rated negligible to severe. The primary impacts are finances, people, equipment, and reputation.

Impacts to finance refer to the total financial impact of the threat occurring: a low-impact event is budgeted, a medium event would mean that financial priorities are changed and the budget shifted, and a catastrophic event would financially bankrupt the organization. In the case of equipment, we are considering impacts to mission-essential equipment required to keep the enterprise in business, the loss of which would stop operations. In production facilities, loss of equipment can mean loss of revenue. Think about the auto industry. If my revenue is based on producing 30 cars a day, and I lose a critical piece of equipment that stops production for a week, the value is not just the piece of equipment; it is the lost revenue of 210 cars.

Impact on people is measured in loss of life and injury. A negligible event would be one where there is only minor injury, whereas a catastrophic event would be multiple deaths.

Impact on reputation is often measured by media coverage. Is the event even picked up by media (negligible), or has the event made international news, impacting stakeholders (a catastrophic event)?

The last item to consider regarding consequence is understanding that it is a sliding scale: the weight of an impact changes with every organization. If an enterprise has annual revenue of fifty million dollars, then a five-hundred-thousand-dollar impact is negligible. But if yearly revenue for the enterprise is a million dollars a year, then five hundred thousand dollars is catastrophic.

System effectiveness: System effectiveness measures the effectiveness of the physical security system when the threat engages it. Each of the following subsystems is evaluated for effectiveness in detecting, delaying, and responding to the adversary. The systems are considered separately and as part of an integrated system.

  • Exterior and interior physical security
  • Systems integration
  • Barrier systems
  • Access Control
  • Visitor Management
  • Exterior Lighting
  • Detection Systems
  • Cameras and Analytics
  • Protecting HVAC, Skylights, and Roof Hatches
  • Crime Prevention Through Environmental Design
  • Communications Systems
  • Guard Forces
  • Security Operations Centers

Part of system effectiveness is the plans, policies, and procedures that go along with the systems and how the systems are monitored. Are the systems monitored in real-time in a Security Operations Center or are we looking at a central monitoring center? These items address response time. An integrated system actively monitored by a SOC would result in a much faster response time than a central monitoring station where someone must be notified and despatched to the event.

Detection, delay, and response speak to the path an adversary takes and the resulting length of time for the adversary to achieve its objective. The timeline is measured from outside the campus at the first point the adversary is detected and completed when the adversary leaves the campus. The attributes of an effective system are early detection, delays that are longer than the adversary’s timeline, and a response force that arrives before the adversary can complete their task and leave.
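The timeline comparison described above can be worked through in a few lines. This is an added example, not the author's or any standard's own tool; the path elements, delay times, and response times are constructed, and it assumes the alarm is raised as the adversary starts on the detecting element.

```python
from dataclasses import dataclass

@dataclass
class PathElement:
    name: str
    delay_s: float   # seconds the adversary needs to get past this element
    detects: bool    # True if this element raises an alarm

def assess_path(path, response_time_s):
    """Compare adversary time left after first detection with the response time.

    Assumption: the alarm is raised as the adversary starts on the detecting
    element, so that element's delay counts toward the time remaining.
    """
    for i, element in enumerate(path):
        if element.detects:
            remaining = sum(e.delay_s for e in path[i:])
            margin = remaining - response_time_s
            return {"detected_at": element.name, "remaining_s": remaining,
                    "margin_s": margin, "interrupted": margin > 0}
    # Never detected: no response is triggered at all.
    return {"detected_at": None, "remaining_s": 0.0,
            "margin_s": -response_time_s, "interrupted": False}

def with_detection_at(path, name):
    """Copy of the path with detection added on the named element."""
    return [PathElement(e.name, e.delay_s, e.detects or e.name == name)
            for e in path]

# Constructed path from outside the campus to leaving it again.
PATH = [
    PathElement("perimeter fence", 30, False),
    PathElement("yard crossing", 45, False),
    PathElement("warehouse door", 90, True),
    PathElement("storage cage", 120, False),
    PathElement("exit from campus", 60, False),
]
SOC_RESPONSE_S = 180      # assumed: SOC monitoring in real time
CENTRAL_STATION_S = 300   # assumed: central station must notify and dispatch

if __name__ == "__main__":
    print(assess_path(PATH, SOC_RESPONSE_S))
    print(assess_path(PATH, CENTRAL_STATION_S))
    print(assess_path(with_detection_at(PATH, "perimeter fence"), CENTRAL_STATION_S))
```

With these constructed numbers, the slower response fails when detection first happens at the warehouse door and succeeds once detection is moved out to the fence, which is the "early detection" attribute in practice.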

Risk analysis: We conduct a risk analysis for each vulnerability and its corresponding threat/asset pair. There are several acceptable formulas to calculate risk. I prefer a modified Sandia National Labs formula, R = Pa * (1 - Pe) * C. Pa represents the threat and probability of the threat occurring, 1 - Pe is system effectiveness/ineffectiveness, and C is the consequence. The formula generally results in a high, medium, or low-risk rating. With a bit of mathematical input, the formula can be converted to represent five levels similar to a National Institute of Standards and Technology (NIST) assessment: low, medium-low, medium, medium-high, and high, or low-negligible, minor, moderate, significant, and catastrophic.

Risk management, Risk Register, and Risk reduction: At the end of our assessment, we will have lots of recommendations for improvement. It is important to catalog the recommendations in a master plan or risk register. This way, the client can start budgeting and implementing the recommended improvements. From a quality management perspective, this is a significant step. Some assessors may even provide a snapshot of residual risk, defining the impact of the improvement in the long term. When the assessment is reevaluated in two or three years, we are not starting from the beginning but addressing what has changed since the last assessment, making it a continuous improvement process.
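The risk analysis and risk register steps above can be combined into a small calculation. This is an added example, not the author's own tool: it assumes Pa, Pe, and C are each scored from 0 to 1, that the five levels are equal-width bands, and that each recommendation comes with an estimated post-improvement effectiveness (`pe_after`, a hypothetical field); the sample findings are constructed.

```python
from dataclasses import dataclass

LEVELS = ["low", "medium-low", "medium", "medium-high", "high"]

@dataclass
class Finding:
    threat: str
    asset: str
    pa: float        # probability of the threat occurring, 0..1
    pe: float        # current system effectiveness, 0..1
    c: float         # consequence, normalized to 0..1 (assumption)
    pe_after: float  # estimated effectiveness after the recommendation

def risk(pa: float, pe: float, c: float) -> float:
    """R = Pa * (1 - Pe) * C with every input on a 0..1 scale."""
    for name, value in (("Pa", pa), ("Pe", pe), ("C", c)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be between 0 and 1, got {value}")
    return pa * (1.0 - pe) * c

def level(r: float) -> str:
    """Map R to five equal-width bands (assumed cut-offs 0.2, 0.4, 0.6, 0.8)."""
    return LEVELS[min(int(r * 5), 4)]

def build_register(findings):
    """One row per threat/asset pair, highest current risk first."""
    rows = []
    for f in findings:
        current = risk(f.pa, f.pe, f.c)
        residual = risk(f.pa, f.pe_after, f.c)
        rows.append({"threat": f.threat, "asset": f.asset,
                     "risk": round(current, 3), "level": level(current),
                     "residual": round(residual, 3),
                     "residual_level": level(residual)})
    return sorted(rows, key=lambda row: row["risk"], reverse=True)

# Constructed sample findings; the scores are illustrative only.
SAMPLE = [
    Finding("theft", "supply warehouse", 0.8, 0.3, 0.9, 0.8),
    Finding("vandalism", "maintenance building", 0.6, 0.5, 0.2, 0.7),
    Finding("sabotage", "manufacturing building", 0.9, 0.1, 1.0, 0.6),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE):
        print(row)
```

Because the consequence scale slides with the organization, the same event can score a different C for two enterprises and land in different bands.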

The beginning, however, is “the foundation of securing the business is knowing and understanding its vulnerabilities and how those vulnerabilities impact the enterprise mission and strategy.” The detail required to make informed decisions is not something we can quickly accomplish. The process is thoughtful, detailed, and involved, not something we achieve using a checklist. The decision-makers will welcome the business approach to a quality management-based risk assessment.

You may want to read the ANSI/ASIS/RIMS Risk Assessment Standard for more detailed information. If you're going to get deep into the subject, read Vulnerability Assessments by Dr. Mary Lynn Garcia.

About the author: Jeffrey A. Slotnick CPP, PSP is the President of Setracon ESRMS. He is an internationally known Enterprise Security Risk Consultant with more than 28 years of experience, peer-recognized as a “Thought Leader” and a “Critical Architect in homeland security”. As an ISO credentialed Lead Auditor Jeff is responsible for some of the latest advancements in All-Hazards Disaster Resilience, Organizational Resilience Management, ISO/ANSI Standards Development, Resiliency Information Management Processes, and Enterprise Security Risk Management. Jeff is focused on the professional development and training of security, law enforcement, and military personnel, the provision of exceptional security services, protective services, and all facets of Enterprise Security Risk Management including risk, vulnerability, and threat assessments, Emergency Response Planning, Business Continuity Planning, and Physical Security System Master Planning, Design and Integration. He is a Senior Regional Vice President for ASIS International, Faculty Advisor for the University of Phoenix Bachelor of Science in Cyber Security and Security Management Degree Program.