5 Things to Consider Before Conducting a Security Risk Assessment
Whether you’re opening a new store location, adding loss-prevention measures or maximizing your current security resources, a comprehensive risk assessment is crucial. But don’t get an assessment done without first considering these five things.
Consider the Source and Its Risk Assessment Procedure
It doesn’t matter if it’s an article you read online, the words of an over-chatty neighbor, or the lofty promises of a television commercial, one piece of advice holds true: consider the source. This common-sense counsel is critical when it is applied to your risk assessment data.
The source and quality of your risk assessment data are critical. It is important to consider the following:
- Are you gathering all the necessary information?
- Is the person entering the event into the database doing so skillfully and consistently?
- Are you categorizing event data appropriately?
- Is your internal and external information reliable, accurate, and complete?
- Does your risk assessment equation add it all up effectively?
Failure to follow a sound risk assessment procedure can lead to faulty decision-making, which in turn can affect your bottom line. Resources could be over- or under-allocated, and you could choose less than ideal locations or set unreasonable goals. Also, these faulty decisions could lead to significant litigation exposure.
Risk Assessment Frequency and Consistency
We check the smoke detectors in our homes when we change our clocks at the beginning and end of daylight saving time. We get our vehicles inspected annually. And we even make it to the dentist twice a year – like it or not. These safety precautions happen in patterns – making them second nature to us.
That kind of consistency and frequency should also apply to your organization’s risk assessment strategy. Many organizations fail to factor frequency assessments into their risk assessment strategy.
Take some time to meet with your team and analyze when, why and how often you conduct your risk assessments. Many companies assess annually, while others assess only after a serious incident. Some do a partial assessment based on special circumstances that need to be addressed, such as a follow-up to a serious crime. If you need assistance, CAP can help you determine the pattern of crime risk assessment frequency that is right for your organization.
Employee Feedback: Perception vs. Reality
Perception is reality, right? Not always. Employee feedback is an important component in our risk assessment and prevention arsenal. But to make the most of this information, you must ensure that you understand and account for the gap between perception and reality.
Here are some things to consider:
- Was the feedback solicited or unsolicited, and how does that influence the responses?
- How do people’s own experiences affect their perceptions? For example, a suburban employee may consider vehicle break-in a highly dangerous situation, while an urban employee may view the same incident as a nuisance.
- Employees can see and intuit things that just might trump the data that you are gathering. It is important to collect these supplementary observations and impressions.
Articulating Your Risk Assessment Strategy and Methodology
Being able to articulate your risk assessment strategy is critical, particularly to upper management. Document your strategy and be able to explain the methodology used to draw any conclusions.
A thorough, thoughtful and data-driven approach to mitigating loss provides a clear picture of where resources are needed, how they will be allocated and what type of ROI to expect. A clearly articulated risk assessment strategy also serves to offer management insight into possible litigation issues that could arise.
Threat Vulnerability Risk Assessment: Threat vs. Vulnerability
Which came first, the threat or the vulnerability? Turns out, there is no chicken and egg question here.
Unless you have a reasonably anticipated threat, you do not have vulnerability. You are only vulnerable to threats that exist. You cannot know your vulnerabilities until you accurately identify and assess your actual and inherent threats. So while the terms may seem interchangeable or confusing, it is important to remember that vulnerability is really a result of a credible and reasonably foreseeable threat.
Not all risk assessments are the same. Different companies can rely on distinctly different methodologies to come up with dramatically different results. Before having a risk assessment, make sure you know how it’s being done and how the conclusions are being reached.