The How and Why of Security Risk Assessment

submitted by: Jim McGuffey, CPP, A.C.E. Security Consultants

A security plan should be implemented in four distinct phases: 1) A vulnerability assessment which identifies assets, threats, risks and vulnerabilities as well as constraints, such as operational issues, culture and cost. 2) Security Program Design which is the selection of countermeasures to mitigate vulnerabilities. 3) Implementation which consists of putting the approved solutions in place. 4) Maintenance continually ensures that solutions to threats are effective.

A security program’s objectives are to deter, delay, detect, deny, respond to and/or recover from reasonably foreseeable events. Since 9/11 some organizations have added “destroy” to the program’s objectives. In order to accomplish these objectives, one must first understand what security problems exist.

Understanding security problems involves assessing the kinds of threats that could impact the assets, the probability of these threats becoming loss events and the impact on the assets should a loss event occur.

If it is determined that a loss will have a measurable organizational impact (which should be estimated in dollars when possible), then countermeasures should be planned. Risk acceptance is determined by management and differs within each organization. An example of risk acceptance is the fine-counting of funds by banks or other institutions responsible for verifying currency. One firm may elect not to fine count $50.00 bills, citing the cost saved by weighing each bundle of currency instead of running each bill through a currency counter, while another firm may decide that this risk is only acceptable for $20.00 bills.

Ira Somerson, CPP cites three primary reasons for security losses: failure to recognize vulnerabilities (weaknesses within a security program); failure to use proper countermeasures; and failure to consider change. Unfortunately, in today’s world many companies have either lost their ability or interest to balance risk with profit, or they have gambled on shortcuts to reduce expense, hoping to increase profits while placing their employees, their shareholders and the public at substantial risk of injury and/or financial ruin.

The total protection of an organization requires that three major security processes exist: Personnel Security, Information Security and Physical Security. If you are serious about improving safety and security results, conducting a risk assessment at each location will greatly help to reduce risk exposure and ensure long-term profits.

Security experts all agree that the human factor poses the greatest single source of risk for any asset. Assets are people, property, information and reputation, with people being the most important. Assessing risk requires identifying potential threats that could affect the organization and the frequency with which they might occur. A risk assessment involves an accurate assessment of 1) Loss Event Profile, 2) Loss Event Probability, and 3) Loss Event Criticality.

Unless management accurately assesses the level of risk that their organization can accept, they may cease to exist. Unfortunately, too many companies have become breeding grounds for internal theft by electing to accept employee theft as part of doing business. I review numerous statistics and incidents related to employee theft, which is one of the top threats to organizations. Most studies report that between 40 and 60% of employees steal from their employers in one form or another and approximately 1/3 of all businesses go out of business as a result of theft. We also know that theft occurs at all levels of employees, including CEOs and their senior management teams.

The Sarbanes-Oxley Act of 2002 directs management of publicly held companies to prevent and detect fraud within their organizations related to financial reporting. A risk assessment will not only help to meet some of the SOX requirements, but it will also help to increase morale, customer service, productivity and profits.

A risk assessment is also needed prior to designing or making major changes in a security program. A security manager who changes the existing program without first understanding and reassessing the risks involved might be wasting funds on a new CCTV system as well as placing the organization at legal risk.

Risk Assessment is the art and science of identifying security vulnerabilities and measuring the likelihood that the vulnerability will occur (foreseeability); prioritizing each identified vulnerability in comparison to all others identified (queuing); assessing the opportunity for risk to occur; and measuring each vulnerability’s impact upon the organization’s assets (criticality).

A risk assessment will identify the people, things or processes that are necessary to continue the business, determine whether and how much risk is acceptable, and determine what action should be taken to reduce, mitigate, transfer or eliminate the threat.

BASIC STEPS IN THE RISK ASSESSMENT PROCESS:

Step One: Conduct a Security Survey. A security survey should be conducted of your facility and property by an experienced security practitioner together with someone who is familiar with your operation and property. A security survey is the basic tool used in a risk assessment. A security survey consists of an on-site examination to determine existing security measures, identify deficiencies, establish the protection needed and recommend measures to enhance overall security. If the person conducting the survey is an outside security consultant, the survey will provide the consultant a better understanding of the organization.

Step Two: Appoint a safety and security focus group. Management will appoint a safety and security focus group representing all operational departments and facilities. These participants should be persons who are familiar with day-to-day operations and their facility and grounds. The security consultant will serve as the facilitator, meeting with your safety and security focus group to train them in the Vulnerability/Risk Assessment.

Step Three: Identify Assets in need of protection. Assets are people, property, information and reputation of the organization.

Step Four: Identify risks or perils that could impact the assets identified. Risk refers to the possibility of experiencing harm or loss from a security incident, a threat or an event. Risks are natural and man-made and can be moral, economic or physical. The Loss Event Profile identifies individual threats that could become events. This profile involves understanding the conditions, circumstances, objects, activities and relationships that can produce the loss events.

Following are a few questions to consider asking when identifying risks or perils that could happen. What person or position could commit the act? Would more than one person be required? How easy would it be to commit the act? Could identification documents be forged easily if needed for access? Could the identity of the perpetrators be learned if activity succeeded? Would the act generate a record or audit trail which would help in the investigation?

A threat is a person, place, thing or event which poses danger to an asset. Possible risks or threats to consider: employee theft, external theft, workplace violence, fire, robbery, burglary, identity theft, bomb threat, injury, vandalism, natural disasters, industrial espionage, extortion, slander, payroll, accounts receivable and payable, purchasing and receiving, computer, information theft and cyber terrorism.

Step Five: Determine risk probability and ranking. Many security practitioners cite physical environment, social environment, historical experience, criminal state of art and the political environment as probability factors. Loss Event Probability measures the number of ways in which a loss event can occur. The more ways that a particular loss event can occur the greater the probability that it will occur. Factors that impact the likelihood of a threat occurring are: historical experience, social and physical environment, and criminal state of mind. Historical information is often the most helpful since frequency of occurrence suggests probability of future occurrence.

Qualitative and quantitative approaches are used to gather information needed in risk assessment with the qualitative approach being the most widely used.

The qualitative approach evaluates data obtained from police and community interviews, contractor and employee interviews, analysis of existing procedural and physical security, and process and operational studies. This data is used to assess threats and vulnerabilities and to implement countermeasures consisting of controls that discover a vulnerability or threat, reduce the likelihood of an incident and/or reduce the impact of an incident.

The qualitative approach is often used when statistical information is not readily available and the organization has a more limited budget. These assessments are more descriptive than measurable and only estimated potential loss is used.

The quantitative approach utilizes the annualized loss expectancy (ALE), which is calculated as the single loss expectancy (SLE) multiplied by the annual rate of occurrence (ARO). The quantitative approach attempts to identify those threats and risks likely to occur and rank them in order of seriousness to the organization and the likelihood that they will occur. Then, based on that ranking, appropriate countermeasures can be assigned. Ira Somerson states in The Art and Science of Risk Assessment that probability can rarely be precise and, in some cases, promotes complacency.

Step Six: Determine the impact of the loss or loss event on the organization, in dollars when possible. Loss Event Criticality refers to the impact of a loss on the asset, which is people, property, reputation and information.

The Loss Event Criticality Rating assigns letter and numerical ratings to each anticipated event or threat. A or .85 is highly certain, B or .65 is highly probable, C or .50 is moderately probable, D or .20 is improbable and E means that the probability is unknown. A $30,000 loss assigned to a critical event with a moderate probability of .50 would be evaluated at $15,000. Criticality ratings used by security practitioners may vary. If unable to assign a probability factor, you might note that event Y is more apt to occur than event X.

Step Seven: Determine countermeasures. When all risks have been identified and prioritized, countermeasures are identified to eliminate or reduce the threat or risk and to address vulnerabilities. Vulnerability in the security sense refers to a weakness within the system or a lack of safeguards. Countermeasures consist of loss prevention, loss control and loss indemnification measures that transfer, mitigate, reduce or eliminate the risk or threat. Countermeasures include: police, procedures, personnel, barriers, equipment, and records such as incident reports, access reports and transaction logs.

Step Eight: Perform a cost/benefit analysis. Countermeasures and security programs should not cost more than the benefits received and should relate to the level of risk exposure. Prior to spending capital to implement countermeasures, management must measure the return on the expenditure (ROE), which is done by determining the avoided losses (AL), recoveries made (R) and the cost of the security program or expenditure (CSP): ROE = (AL + R) / CSP.
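Steps Five through Eight reduce to a small amount of arithmetic that is easy to get wrong in a spreadsheet, so the following is an added example (written for this page, not a tool from the author or from ASIS) that encodes the A–E letter ratings, the criticality × probability evaluation, ALE = SLE × ARO and ROE = (AL + R) / CSP, and ranks a constructed sample event register. The event names, dollar figures and rates are assumed sample data; an event rated E has no numeric probability and is listed for relative comparison rather than scored.

```python
"""Risk ranking and countermeasure cost justification (added example).

Encodes the Loss Event Criticality letter ratings, ALE and ROE formulas
from Steps Five to Eight. All events, dollar figures and rates are
constructed sample data, not figures from the article.
"""
from dataclasses import dataclass
from typing import List, Optional

# Letter ratings from the article; E means probability unknown.
CRITICALITY_RATING = {"A": 0.85, "B": 0.65, "C": 0.50, "D": 0.20, "E": None}


@dataclass
class LossEvent:
    name: str
    criticality_usd: float       # impact of a single loss event (SLE), in dollars
    rating: str                  # A-E letter rating assigned by the focus group
    aro: Optional[float] = None  # annual rate of occurrence, if history supports one

    def probability(self) -> Optional[float]:
        if self.rating not in CRITICALITY_RATING:
            raise ValueError(f"unknown rating {self.rating!r}")
        return CRITICALITY_RATING[self.rating]

    def evaluated_loss(self) -> Optional[float]:
        """Criticality x probability, e.g. $30,000 at C (.50) -> $15,000."""
        p = self.probability()
        return None if p is None else self.criticality_usd * p

    def ale(self) -> Optional[float]:
        """Annualized loss expectancy = SLE x ARO (quantitative approach)."""
        return None if self.aro is None else self.criticality_usd * self.aro


def rank_events(events: List[LossEvent]) -> List[LossEvent]:
    """Order events by evaluated loss, highest first. E-rated events cannot
    be scored, so they go last and are left for relative comparison
    ('event Y is more apt to occur than event X')."""
    scored = [e for e in events if e.evaluated_loss() is not None]
    unknown = [e for e in events if e.evaluated_loss() is None]
    scored.sort(key=lambda e: e.evaluated_loss(), reverse=True)
    return scored + unknown


def roe(avoided_losses: float, recoveries: float, program_cost: float) -> float:
    """Return on expenditure: (AL + R) / CSP."""
    if program_cost <= 0:
        raise ValueError("program cost (CSP) must be positive")
    return (avoided_losses + recoveries) / program_cost


def cost_justified(avoided_losses: float, recoveries: float, program_cost: float) -> bool:
    """A countermeasure is cost justified when benefits exceed cost (ROE > 1)."""
    return roe(avoided_losses, recoveries, program_cost) > 1.0


# Constructed sample register for a small retail site (assumed values).
SAMPLE_EVENTS = [
    LossEvent("employee theft", 30_000, "C", aro=2.0),
    LossEvent("burglary", 12_000, "B"),
    LossEvent("copper theft / water damage", 45_000, "D"),
    LossEvent("workplace violence", 100_000, "E"),
]

if __name__ == "__main__":
    for e in rank_events(SAMPLE_EVENTS):
        loss = e.evaluated_loss()
        print(f"{e.name:30} {e.rating}  {'n/a' if loss is None else f'${loss:,.0f}'}")
    print("ROE for a $25,000 program avoiding $40,000 with $5,000 recovered:",
          roe(40_000, 5_000, 25_000))
```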

On February 17th a pilot flew his small plane into an IRS facility in Austin, Texas. News stations rounded up well-credentialed security experts to solicit comments. One expert stated that we needed to find a way to have TSA or other guards posted at the 5,000-plus small private air strips across the U.S. It reminded me of similar countermeasures following 9/11, when well-intentioned experts overreacted with a countermeasure that called for guards at every location throughout the world without weighing the benefits, costs or liability. In my opinion, the posting of these guards without specific post orders or specialized training only served to create a false sense of security and expose assets to even more danger.

I am a proponent of acting quickly to avoid future events, but one must always remember a cardinal rule in security which calls for cost justification in the selection of countermeasures to ensure that the benefits outweigh the cost! With the Feb. 17, 2010 event, I would suggest that adding man-power without evaluating systems and processes is not a prudent action.

Step Nine: Risk Management. Your team will now implement, review, revise and improve these countermeasures as needed. This is referred to as risk management and it is the essence of continued success within the organization. Many companies have comprehensive security programs and have completed risk assessments, but management fails to continuously track, monitor and revise the process as needed. I have investigated numerous thefts, injuries and other security incidents where the facility had properly positioned CCTV, only to find that the system was not working or monitored.

Which Businesses Need a Risk Assessment?

All businesses need a risk assessment regardless of size. Let’s look at a laundry room located inside an apartment complex. Would that sort of building or operation require a risk assessment? The business owner might say no, since the apartments are located in an upscale area, but all businesses can benefit from on-going risk assessments.

There are inherent risks to this sort of operation (a Laundromat in an apartment complex), such as assaults, but one risk that most people may not think of is the theft of copper or damage from water. Copper is now a highly sought-after item due to its increase in value. I know of a recent theft at a small local laundry room that caused flooding when the copper piping connected to the washers was cut and stolen. The flooding damage most likely cost more than the actual loss of the copper, not to mention the interruption of service to the tenants.

One cannot read the daily news without learning of numerous security incidents, ranging from white collar crimes, such as embezzlement where a banking executive created lines of credit using fictitious names and transferred funds into accounts controlled by the individual or partners in the scheme, to violent street crimes, such as serious assaults occurring in hotels and other businesses as the result of inadequate or poor security practices.

I strongly encourage risk assessments for businesses of all sizes, whether the local pharmacy, retail store, church, apartment dwelling, bank, grade school, university, insurance agency, beauty shop or large commercial multi-story building providing work spaces for thousands of employees. Following are three key reasons for risk assessments.

  1. Risk assessments help to raise security and safety awareness within the organization. Employees like to feel secure and if they are involved in the risk assessment process, your security program is more apt to succeed. Whether the business is a sole proprietorship or a large operation, risk assessments help to protect the individual and their assets; property, customers, information and reputation. The risk assessment may not eliminate all risks but it sends a positive message to employees that you are concerned about their safety and security and have taken necessary steps to protect them from harm.
  2. Risk assessments will help to identify risks that could result in injury to employees or customers, resulting in 3rd party lawsuits. Judgments often exceed the amount of coverage provided by insurance, and punitive damages may not be covered.
  3. Risk assessments can have an immediate impact in reducing expenses and increasing profits, both short-term and long-term. One example is fleet maintenance and driver training programs. During budget cuts, or when inexperienced managers assume this responsibility, these expenses are often trimmed back without properly evaluating the result. The end result is often a 3rd party injury where a driver kills or seriously injures someone in the course of duty. An investigation finds that the driver had not completed the required driver training and the truck had two bald tires and safety violations that had been reported for the past week without repair. Risk assessments look at the controls in place to prevent these sorts of incidents, which could result in millions of dollars of court-awarded damages.

Many managers are not excited about risk assessments because they associate countermeasures with additional expense, which need not be the case. All expenditures should be cost justified and the cost should not exceed the benefit obtained. A good security manager or security consultant understands the importance of cost justification not only for a single expenditure but for the entire security program or department.

Oftentimes a security consultant finds that management has spent funds on security equipment that was not necessary, that a project or job could have been done at less cost had more research been done, or that a more comprehensive integrated system would have eliminated man-hours.

Who should conduct a risk assessment?

While most people can be trained to conduct a risk assessment, only a security practitioner who is seasoned and experienced, with proper security certification, should work with the management team to ensure that the risk assessment process is effective. Employees will sense if someone who is trying to explain the program is not experienced and may not buy into the rationale and explanations provided.

What are some important considerations when evaluating foreseeability, and what sources are utilized for evaluating foreseeability and countermeasures?

Historical records are crucial in determining future events. Records maintained by the organization relating to losses and loss events are helpful when assessing future incidents, since frequency of occurrence suggests probability of re-occurrence. The aforementioned probability factors are also reviewed and play a role in the selection of countermeasures and the assessment of foreseeability.

Police and other community interviews, employee and contractor interviews, existing physical security and procedures, other facilities and like businesses, standard of care and best practices for similar businesses, police response, access roads, etc. are also considered.

REFERENCES:

Ira S. Somerson, CPP. “The Art and Science of Security Risk Assessment.” ASIS International, 2009.
James F. Broder, CPP. “Risk Analysis and the Security Survey,” Third Edition. Butterworth-Heinemann, 2006.
ASIS International. “General Security Risk Assessment Guideline.” 2003.

Disclaimer: Based on what the author believes are generally accepted security principles as of the date of its writing, and on data gathered from what are believed to be reliable sources, this article is written for general information purposes only and is not intended to be, and should not be used as, a primary source for making security decisions.

ABOUT THE AUTHOR

Jim McGuffey has 38 years of security management experience protecting public and private facilities and employees against crime, injuries and other workplace incidents which destroy company profits! Jim also serves as an expert witness and is retained by both the defense and plaintiff regarding various security incidents.

Jim has earned numerous national awards for consistently improving safety, security and profit while managing numerous profit centers. He has managed numerous investigations of injuries, serious crimes and incidents occurring at malls and many other types of commercial and retail sites. Jim understands the importance that training, safety and security play in preventing and reducing these incidents.

Jim is unique compared to many security and safety consultants in that he was responsible for the P&L of all departments and functions in a service, distribution and manufacturing industry over a 26 year span, holding positions of branch manager, area general manager, district manager and regional vice president. He has substantial experience in managing both risk and profit within the entire profit center.

Jim earned a B.A. in Criminal Justice from Aurora University and an M.A. in Management from Webster University. He currently teaches “Criminal Justice Procedures” and “Crime in U.S. Business” at a college near his home. Jim has been an active member of A.S.I.S. since 1981 and is also a member of the prestigious International Association of Professional Security Consultants (IAPSC). He teaches classes at a local college on Crime in US Business and Criminal Procedure.

Jim earned the Certified Protection Professional certification which is valid through December 31, 2012. Throughout the world, the Certified Protection Professional (CPP®) designation is acknowledged as the security profession’s highest recognition of practitioners. It is evidence that an individual is “Board Certified in Security Management.” The CPP® is awarded based upon experience, education, and of an examination that provides an objective measure of an individual’s broad-based knowledge and competency in security management. Ongoing professional development is required in order to maintain the credential. The CPP® is administered by ASIS International, the preeminent international organization for security professionals, with more than 35,000 members worldwide.

Please contact Jim at jimmcguffey@verizon.net or 215-460-7370 to review your office or facilities to ensure that you have taken the necessary steps to protect your assets and prevent 3rd party lawsuits. Many companies have expensive and comprehensive security systems and processes in place, but without quality supervision, on-going training and auditing programs, these measures mean little. Jim’s goal is not to increase your expenses but rather to ensure that your system is cost effective. Often a risk assessment will reveal that man-hours can be saved by the installation of an integrated security system.

Jim acknowledges and thanks security colleague Ira Somerson, CPP, author of numerous publications on risk assessment and risk management and who recently authored “The Art and Science of Security Risk Assessment”, for taking time to review this paper.
