Before making any decision related to the security of your organization, assess all possible risks and make a recording of your findings.
This will back up your security plan and also provide legal defense for the defined measures. If your organization does not have a written risk assessment, it must do so. If it does, a good practice is to review it from time to time.
The first decision to make before starting the risk assessment is if you will use an external consultant or your organization's internal resources. An outside consultant will bring experience and add credibility to the plan. The only drawback is cost. Sometimes, however, costs mean saving money in the long run.
Independent of your decision, sketch your own risk assessment. This will give you priceless knowledge of your property and/or organization.
With an assessment, the level of risk, the probability of failure and severity of the consequences, in your organization and/or property can be estimated.
Step 1 - Define Areas
Define areas in your organization. This way, you can look at each area individually, with its own particular threats/hazards and risks.
Do this by examining each physical location, relying on your feeling of risk – whatever makes sense to you.
Step 2 - Define Threats
Threats/hazards, potentially harmful things, are, for example, equipment malfunction, robbery, crime, fire, accidents, natural hazards, etc. Define who, what might be harmed and how. It does not matter how remote the likelihood of happening is.
Step 3 - Define Severity
Assign a severity degree to each threat.
Rate severity from 1 to 10.
10 = Most Serious
Severity is subjective. Use your common sense and/or opinion(s).
For example, death is 10, fire can be 8, excessive noise in the computer room, 3.
Step 4 – Assess Probability of Threats
Assign a probability degree to each threat.
10 = Most Likely
Since threats can involve matters beyond the scope of your particular organization/property, it is a good idea to do some research to estimate their probability.
In general, data can be obtained from:
1 - Local Police
It is important, however, to standardize the data by size of area and period of time. Define, for example, a time frame of one year and a radius from your location large enough to find a good cross section of different types of threats. Nonetheless, when compiling data, it is important to keep in mind the type of business/property, the type of security, the date and time of day in which the hazards/threats took place.
Proprietary incident data is very important and will improve the quality of your risk assessment. This is one of the reasons good incidental tracking procedures should be implemented together with your security measures.
With both the data you have gathered and that from your own experience, you can thus determine the probability of a threat in relation to another. The most likely should be high on the scale and the least at the bottom.
It is a good practice to formalize and write how you obtained the rank number from the compiled data.
Step 5 – Define Vulnerability
Vulnerability is the chance of a particular threat bypassing your security barrier.
10 = No security barrier/high vulnerability
The better the formation and application of your security plan is, the lower the vulnerability punctuation will be.
A risk assessment evaluation is dynamic. Each time the security plan is modified and applied, a reassessment is done. In the above example, auto theft was initially set probability = 4 and vulnerability = 9 since the only barrier was night lightening.
A change in the implementation of the security plan included a tour patrol and a camera system. With these new additions, vulnerability decreased to 2.
A well-documented risk assessment is a must in the making of a security plan. If an incident does occur, it can be a good defense in a lawsuit.
To reassess the area after an incident, implementing new security measures to prevent another incident, is very important.
Depending on the occurrence, measures, such as increasing guard tour patrols, installing cameras, gating the entrance, can change your risk rates significantly.
Nevertheless, if nothing is done, and the event occurs once again, it is going to be very difficult for the organization to defend itself.
Ultimately, a risk assessment will go a long way in securing your property/organization against all threats -- lawsuits included.