We can all agree that everything we do in security must be risk based. Whether it be an Executive Protection program, secure transportation, residential security or event access control, all mitigation, containment and control planning has to be based on a realistic and honest assessment of the challenges we are likely to encounter. Without a risk assessment, what are we protecting against? And if we don't know the answer, we are no different from a doctor prescribing medication without performing an examination and making a diagnosis.
Below are four of the most frequently asked questions we encounter relating to risk assessments from both clients and colleagues, and the answers we think make sense. Please feel free to comment and add or ask questions.
1. Who should we use for our risk assessments?
Within this there are sub-questions:
a. Who is the “best” for risk assessments?
b. Should we use in-house resources or an external provider?
c. If external, do we use a large well established big-box firm or a boutique specialist?
Let us discuss each one separately.
a. Who is the “best” for risk assessments?
This is the old "how long is a piece of string" question. Risk assessment is an expansive term, and you first need to define exactly what it is you are assessing before you can ascertain who is best suited for the task. Say you need a risk assessment for a hotel. In this case a consultant who is the world's leading SME in physical security for proprietary production facilities may not be the best fit. You need someone who understands not only security but also hospitality, guest experience, hotel operations and more.
Just because someone worked in a Michelin-starred restaurant does not mean they will shine as a short-order cook. You need to source the right person or company for the job: someone with a proven track record assessing risk for exactly your requirement, your residence or your facility.
b. Should we use in-house resources or an external provider?
There are advantages and disadvantages to both approaches. Using an internal person to conduct your risk assessment gives you a strong starting point. They are familiar with the organization, the risks that exist, the history of security incidents and threats, the personalities, the company culture, and many other factors that give them valuable insight when performing the assessment.
On the flip side, in-house resources often suffer from the “not seeing the wood for the trees” syndrome. Meaning that they are so submerged in the security of the organization and how it has functioned until now that they have trouble seeing the vulnerabilities or thinking outside the box.
Another pitfall is the person doing the assessment not wanting to upset the apple cart. They are often reluctant to write something that may anger their superiors or suggest that the current security set-up is not as perfect as previously thought. They tend to soften their language when pointing out potential vulnerabilities so as not to put themselves in a precarious position with the company or with the person they report to.
An external provider brings a totally unbiased fresh set of eyes to the job. They are able to call it like they see it and provide a clear and honest appraisal of the existing security set up. They also bring the added value of varied experience and having seen the best practices at other facilities and locations. They usually have a broad knowledge of systems, technologies and methodologies that can benefit you.
One of the primary disadvantages of an external provider is that they are not always plugged into the client's parameters. It could be a lack of budget consciousness, where they are happy to make great suggestions that are prohibitively expensive, or a tone deafness to company culture or the Principal's lifestyle. Recommendations are made that clash with the energy and ethos of the company or with the way the Principal lives.
c. If external, do we use a large well established big-box firm or a boutique specialist?
This has been a hot topic of late. Both large security corporations and small boutique firms are capable of delivering excellent security services and products. Risk assessments are no different. What it comes down to is the person performing the assessment. If Bob the security consultant is one of the best at risk assessments for corporate headquarters and campuses, it matters not whether he works for a larger or smaller company. He is the one doing the job, and his level of excellence will benefit the client no matter who he works for.
The best advice we can give you is when you are looking for a resource to do your assessments, ask who specifically is going to be doing it. Even if there is a team involved, you want to see a bio and to know the experience of who is running the show. Even better, conduct a brief interview to understand if they are a good fit. If they are the right person, with the right background and someone you feel understands your needs, then use them.
2. How much should a risk assessment cost?
Clearly this depends on the size and scope of work for the assessment. However, there is one basic element of pricing that we think is important to be aware of.
While EP and transportation are time-based services, consulting is not. It is knowledge based.
An EP agent is on the ground with their Principal for 16 hours at $X per hour plus overtime. A fairly straightforward pricing model.
This model does not work for security consulting. People often ask us, "Well, how long will it take you to do the assessment and write the report?"
How long it takes is far less relevant than the content. When you pay a doctor $500 for a 10-minute consultation, you are not paying for their time but for their knowledge: for their years of study and, more importantly, their experience.
Consulting is not much different. A consultant with 20 years' experience will assess a property and compile a report in considerably less time than a beginner, so the cost is not based on time but on the accumulated experience you are benefiting from.
Lastly, consultants and clients often think there is a correlation between the price and the number of pages in a risk assessment. "I paid a lot of money, so I should get a 100-page report." This is not correct. An effective risk assessment should be a user-friendly, relevant and applicable document that helps you improve your current security set-up. It should be easy to read, understand and implement. Otherwise, it becomes a paperweight that no one is actually going to read past the executive summary or ever implement.
3. How often do we need to conduct a risk assessment?
Risk assessment is a continuum. Treating a risk assessment as a moment in time is a mistake that undermines many a security apparatus.
A written risk assessment needs to be a living document that is constantly updated and modified. Sure, you order the initial assessment for a specific day, but you cannot then shelve it and forget about it until next year. The threat landscape is constantly moving and morphing, and it is necessary to keep up with the shifts and adjust your risk assessment accordingly.
Likewise, security officers, residential security teams and directors should be constantly looking around at their own facilities and teams, testing and checking whether things are as they should be. For example: are procedures being followed, do our emergency procedures still make sense, are our people properly trained, is that camera facing the right direction, and is that gate actually going to keep someone out?
4. What is the best method, system or app to use?
Sometimes people send us questions containing acronyms for risk assessment methods, and we have to Google them to understand what they are talking about.
Fixed methodologies, checklists and apps are all tools for risk assessment. They enhance our ability to conduct the assessment, provide structure and remind us of all the aspects that need to be considered. They do not replace a person or a human brain. There are algorithms that calculate risk probability, and there is value in that; however, AI is not yet at a level where it replaces human instinct, intuition and feeling. It is incredibly difficult to conduct a remote assessment through pictures, video, live stream and other tools. There is something about boots on the ground: getting the feel of the property and the periphery around the facility, watching people's movements, observing the security team at work and many more aspects that make up a considerable proportion of the assessment.
That said, it is especially important that the risk assessment report be delivered in an orderly, logical, user-friendly manner that allows for quick reference and implementation. Many of the available tools can help with this, or you can structure your own template to suit your needs. Whichever method you choose, be sure your assessments are consistent, concise, complete and easy to use.
Risk assessments are an integral and often undervalued part of our security ecosystem. They form the very basis of what we do and, if acted upon, give us the best chance of effectively mitigating, containing and controlling an incident should one occur. So, if you are going to do it, do it right.
Good luck, and please feel free to reach out should you have any questions we have not addressed.