Physical risks in the workplace present a grave concern. Recently, the U.S. Occupational Safety and Health Administration (OSHA) estimated that 2 million people are affected by workplace violence every year. Data breaches, criminal intrusions and similar events add to these numbers.
Fortunately, facility managers can take steps to minimize workplace risks like these. In this guide, we discuss how to manage risk and provide some actionable risk management tips.
Why Is Risk Management Important?
What is risk management, and why is it important?
Risk management is the practice of identifying the most likely hazards in the workplace and then identifying mitigation strategies for them. These hazards might include fires, data breaches, intrusion, theft and other occurrences that put people and property in jeopardy. Developing protocols to mitigate their effects helps minimize business risk.
Security risk management in the workplace is essential for several different reasons:
- Safety: Risk management in the workplace helps keep people safe — employees, contractors, customers and visitors alike.
- Financial security: Risk management can preserve valuable assets and prevent financial losses.
- Operational continuity: Risk management helps keep the organization running smoothly without disruptions to productivity or deliverables.
- Dependability: If your organization forms part of the nation’s critical infrastructure, meaning it is necessary for economic or social stability, effective risk management ensures that communities can depend on your facility to continue operating reliably.
Top Eight Ways to Manage Risk in the Workplace
Below are eight tips for managing risk:
1. Engage in Risk and Vulnerability Assessments
Risk and vulnerability assessments are critical for keeping your workplace secure. The nature of threats is constantly evolving. Fire and natural disasters are ever-present dangers, but we continue to develop our capacity to minimize their risks and deal with the aftermath. And recent decades have seen a rise in workplace violence, cybercrime and active shooter situations, among other novel threats. The nature of these threats may change — we are faced with what is known as the “adaptive aggressor,” and your security systems will need to change to keep up with new tactics.
The main goal of a physical security vulnerability assessment is to discover and evaluate areas of vulnerability in the workplace. It works to understand the causes of those vulnerabilities — whether they are potential vulnerabilities or actual ones — and address them most efficiently and effectively. It can then recommend ways to minimize exposure to the threats or eliminate them.
2. Determine Vulnerabilities and Priorities
One of the first steps in many risk management approaches is determining the priorities of your workplace. Different security setups mitigate different risks. Security measures, including technology, operations and architecture, are designed to shield people and property from every conceivable category of hazard, including crime, fire, accidents, espionage, sabotage, subversion and attack. And different systems are designed to protect different types of targets as well:
- Personal safety: Some systems safeguard the personal security of people in the organization, such as employees and customers.
- Tangible property: Some systems safeguard tangible property, such as the plant, equipment, finished products, cash and securities.
- Intangible property: Some systems safeguard intangible property, such as highly classified national security information or proprietary information of private organizations.
Knowing what risks you most urgently need to mitigate and what targets you most extensively need to protect can help you manage workplace risk effectively and keep people and assets safe.
3. Plan Ahead
The best risk management strategies involve comprehensive planning. Reliable security systems designed to mitigate the identified risks draw on state-of-the-art engineering best practices, and integrating these aspects of risk management seamlessly requires time and advance coordination. Your workplace may also need a custom setup that takes time to design, build and implement. Planning thoroughly for what you need ensures you’ll get a meticulously thought-out and carefully implemented security system that works for your facility.
4. Invest in Appropriate Countermeasure Techniques, Mitigation Strategies and Response Solutions
Effective deterrence and detection countermeasure techniques, mitigation strategies and response solutions form the backbone of most risk management strategies. They are particularly effective against criminal intruders, though the same methods can be useful against other forms of risk as well, especially when critical infrastructure is at stake.
For federal buildings, in particular, the Department of Justice maintains several categories of criteria for security levels. The different categories, which require increasing levels of risk management measures, include the following:
- Level I: 10 federal employees, 2,500 square feet and minimal public contact
- Level II: 11 to 150 federal employees, 2,500 to 80,000 square feet, moderate public contact and operations similar to those of the private sector
- Level III: 151 to 450 federal employees, 80,000 to 150,000 square feet, moderate to high public contact and a mix of agencies such as law enforcement, government record services and judicial functions
- Level IV: More than 450 federal employees, a multistory facility containing 150,000 square feet, extensive public contact and occupants consisting of high-risk law enforcement intelligence personnel or district court services
- Level V: The same criteria as level IV, with the additional stipulation that the facility or agency is critical to national security
The risk management strategies recommended for each of these different categories include these measures:
- Level I: High-security locks, peephole, intercom, employee security training, controlled access, emergency backup power for lighting
- Level II: Entry control with closed-circuit television (CCTV), CCTV surveillance, visitor screening, guard and patrol assessments, controlled shipping and receiving protocols, central monitoring for intrusion detection and alarm response
- Level III: On-site guards, CCTV surveillance, visitor screening, controlled shipping and receiving protocols, central monitoring for intrusion detection and alarm response
- Level IV: 24-hour guard patrols, concrete or steel perimeter barriers, parking control, inflexible parking barriers, backup power system
- Level V: Determined by the specific needs of the agencies in question
5. Invest in Third-Party Regulatory Conformity Assessment
To gain peace of mind — as well as to provide documentation that you have the best risk management systems in place — you may want to think about third-party regulatory conformity assessments. You may need to comply with requirements under OSHA, the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) program, the Sarbanes-Oxley Act, the Joint Commission and other regulatory agencies as they apply to your business.
If you’re considering participating in third-party regulatory conformity assessments, several metrics are available to help you determine their accuracy and success. These indicators include auditor experience, auditor training, freedom from bias and reliability of results, among others. Be sure to research the third party you are considering and evaluate its trustworthiness before committing to the assessments.
Once your facility has chosen to go ahead with a third-party regulatory conformity program, there are a couple of best practices to keep in mind:
Assess the Level of Risk Associated With Noncompliance
The design of the conformity assessment measures should match the level of conformity assurance the facility requires. In one instance, the threshold for compliance might be high and the penalties associated with noncompliance extremely strict. In another instance, the standards for compliance might be looser because lapses in compliance might have a minimal practical effect. Facilities should tailor their regulatory conformity programs to their assurance needs to avoid unnecessary resource expenditures while still maintaining proper compliance and safety.
Integrate Existing Standards and Risk Management Measures
When your facility begins setting up third-party regulatory assessment measures, it’s likely that it already has certain standards and risk management procedures in place. For maximum efficiency in the transition, and to reduce the costs associated with establishing the new program, try to incorporate those standards and measures wherever possible. The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), for instance, have established many standards for the private sector that your facility may already incorporate into its practices.
6. Provide Adequate Training
A proper risk management process is most useful if employees understand how to use it and what to do when disaster strikes. For best results, combine a quality security system with a robust employee training program. Make sure employees know what to do in case of fire, a natural disaster or an active shooter, and practice drills to keep their memories fresh. Make sure employees know what to do if a theft or other crime occurs as well.
7. Engage in Frequent Testing
Any security system you choose for your workplace, whether to deter intruders, minimize damage in a fire, thwart cyberattacks or mitigate other risks, likely has many complex, interconnected parts that must remain in pristine working order. Testing your risk management systems frequently and performing necessary maintenance helps to make sure your systems can do their jobs when you need them to.
8. Invest in Commissioning
What is commissioning in the risk management landscape? Systems commissioning begins by documenting the owner or building manager’s needs and then takes a meticulous, organized, documentation-based approach to addressing those needs.
Commissioning provides several distinct benefits:
- Quality control and assurance: Commissioning typically provides quality control and assurance by including thorough planning phase documentation. This phase happens well before the design phase begins and is intended to lay out the design intent, clarify strategies and intentions and minimize errors. This phase also generally continues into the design phase with professional development and support.
- Quality deliverables: Commissioning helps ensure quality deliverables through the methodical, systematic approach outlined above.
- Performance documentation: Commissioning documents the performance of various equipment and systems to ensure that they are up to the specifications of the building owner or facility manager.
- Improved training: The rigorous approach of commissioning allows for improved training methods and documentation.
- Requirements and maintenance documentation: Commissioning also allows for improved documentation of the maintenance and other requirements of security systems and equipment.
Creating a Risk Management Plan
When you’re creating a risk management plan, you can make your job much easier if you keep these extra tips in mind:
1. Emphasize Passive and Protective Systems
Part of managing risk includes assessing valuable assets and determining how much loss the workplace would incur if threats damaged those assets. Valuable assets could include things like expensive equipment destroyed in a fire, or they could consist of intellectual property that becomes vulnerable to theft. Human capital is also a valuable asset — a disaster that caused injuries or fatalities would be catastrophic in terms of human health, safety and lives.
Fortunately, we have institutions in place — fire departments, police departments and federal disaster relief — to assist in an active emergency. But ideally, you can prevent your workplace from needing to call in those services. Investing in passive and preventive measures like security systems may cost a little in time and money upfront, but they can save you tremendous amounts of headaches and loss down the road.
2. Develop Actionable Metrics, Strategies and Reports
Whether your company is a federal organization or operates in the private sector, when it puts countermeasure techniques and mitigation strategies into practice, it needs to know those measures will be effective. But it’s not always clear how to determine how well those measures will work before you observe their response to an actual risk event. Fortunately, building owners and managers have a few useful metrics at their disposal:
Adversary Sequence Diagrams
Adversary sequence diagrams are useful both in the design of new security systems and in the assessment of systems already in place. They list the steps an intruder would have to take to gain access to a facility — for example, by entering a gate, then passing through a door, then traversing a series of corridors. Making a diagram of the steps an adversary would have to take to penetrate a facility can help determine areas of critical weakness and shore up the building’s defenses.
Vulnerability and Countermeasure Matrices
Vulnerability and countermeasure matrices are also useful both in designing new security systems and assessing existing systems.
Vulnerability and countermeasure matrices typically take the form of spreadsheets. Their rows list types of system vulnerabilities, and their columns list countermeasures the facility could take in response to those vulnerabilities. The individual cells of the spreadsheet, where rows and columns intersect, should contain percentages — these indicate the likelihood of mitigating threats against a particular vulnerability by using a particular countermeasure. Facilities can use these matrices to quantify the efficacy of their countermeasure techniques and gain insight into their mitigation strengths and weaknesses.
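The matrix described above can be kept as data and queried for weak spots. The following sketch is an added example, not part of the original article: the vulnerabilities, countermeasures and percentages are constructed sample values, and the 60% review threshold and function names are assumptions.

```python
"""Vulnerability/countermeasure matrix: rows are vulnerabilities, columns are
countermeasures, cells are the estimated likelihood (percent) of mitigation."""

# Constructed sample data for illustration only; not from any real assessment.
COUNTERMEASURES = ["Access control", "CCTV", "Guard patrol", "Intrusion alarm"]
MATRIX = {
    "Unlocked loading dock": [70, 30, 55, 40],
    "Tailgating at lobby":   [45, 25, 50, 10],
    "Unlit parking area":    [5, 35, 45, 0],
    "Server room door":      [85, 40, 20, 75],
}
REVIEW_THRESHOLD = 60  # assumed cut-off: a best cell below this needs attention

def validate(matrix, countermeasures):
    """Reject ragged rows and cells outside 0-100 before any analysis."""
    for vuln, row in matrix.items():
        if len(row) != len(countermeasures):
            raise ValueError(f"{vuln!r}: expected {len(countermeasures)} cells")
        for cell in row:
            if not 0 <= cell <= 100:
                raise ValueError(f"{vuln!r}: {cell} is not a percentage")

def best_countermeasure(matrix, countermeasures):
    """Map each vulnerability to its single most effective countermeasure."""
    result = {}
    for vuln, row in matrix.items():
        pct = max(row)
        result[vuln] = (countermeasures[row.index(pct)], pct)
    return result

def coverage_gaps(matrix, countermeasures, threshold=REVIEW_THRESHOLD):
    """Vulnerabilities whose best countermeasure is below threshold, weakest first."""
    best = best_countermeasure(matrix, countermeasures)
    gaps = [(v, cm, pct) for v, (cm, pct) in best.items() if pct < threshold]
    return sorted(gaps, key=lambda g: g[2])

def countermeasure_reach(matrix, countermeasures, threshold=REVIEW_THRESHOLD):
    """Count the vulnerabilities each countermeasure mitigates at or above threshold."""
    return {
        cm: sum(1 for row in matrix.values() if row[i] >= threshold)
        for i, cm in enumerate(countermeasures)
    }

if __name__ == "__main__":
    validate(MATRIX, COUNTERMEASURES)
    for vuln, cm, pct in coverage_gaps(MATRIX, COUNTERMEASURES):
        print(f"GAP  {vuln}: best option is {cm} at {pct}%")
    for cm, n in countermeasure_reach(MATRIX, COUNTERMEASURES).items():
        print(f"{cm}: covers {n} vulnerabilities at >= {REVIEW_THRESHOLD}%")
```

The gap list shows where no single countermeasure reaches the threshold, and the reach count shows which countermeasures carry most of the mitigation.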
Security Event Logs and Patrol Logs
Security event logs and patrol logs are useful for existing security systems. Facilities can use security event logs and patrol logs to document instances of their countermeasure strategies in action. Patrol logs contain more mundane information — they may document every patrol, who performed it and what that person observed, even if no security breaches took place. Security event logs, on the other hand, provide documentation of a security breach or crime. They lay out the details of what happened and what countermeasures occurred, and over the long term they can offer valuable information to help thwart similar events.
Security systems can provide these logs electronically. In the future, security patrols and rounds will use electronic personal devices to log activity.
Ongoing Risk Analysis
Ongoing risk analysis is also useful for existing security systems. At least once a year, a facility should review its risk management strategies, identify any trends from the security event logs and other data and update its mitigation techniques accordingly. Being proactive about updating procedures helps ensure facilities keep up with new and changing threats and have systems in place to guard against them. OSHA 3148 guidelines for preventing workplace violence in health care recommend an independent review.
3. Partner With an Experienced Risk Management Consultant
Much of the advice above may sound daunting, time-consuming, detailed and overwhelming for the average workplace to carry out alone. But partnering with an experienced, dependable risk management consultant can help. Risk management professionals can help your workplace locate sources of vulnerability, develop a plan for addressing them, design and install protective systems, and train your employees on their use and best practices.
A risk management consultant like Telgian will have extensive experience in the following areas of prevention and mitigation:
Risk Management and Loss Control
Loss control is a critical area of security and risk management for workplaces. A professional service can provide your workplace with the tools necessary for effective risk management and loss control, including assessment tools and benchmarks against industry standards. Our risk management and loss control teams can provide services such as quantitative risk assessment, design risk reviews and technical risk assurance.
Security Risk Consulting and Engineering
When you first consider implementing risk management strategies for your workplace, you may not be sure how to start, and you may not have teams with the technical knowhow to design, build and implement the systems you need.
For this reason, consulting and engineering services are vital for getting your physical risk mitigation systems planned, designed and up and running. They integrate the principal tenets of security with cutting-edge engineering techniques. The result is an eminently dependable security system that incorporates the latest features to protect against potential and actual threats.
We can help develop workplace asset security plans that encompass every phase of development, from planning to training and implementation, in both the public and private sectors. Our security consulting teams provide numerous services, including:
- Third-party regulatory conformity assessment
- Workplace violence and threat management
- Information security and cyber strategies
Our security engineering teams provide a diverse array of services as well, including:
- Security plans, policies, practices and procedures
- Workplace violence and active shooter awareness training
- Crime prevention through environmental design (CPTED)
- Emergency management
A professional risk management company like Telgian can also offer systems commissioning, particularly fire systems commissioning. Systems commissioning encompasses many different services from planning through post-installation, including:
- Detection and notification systems
- Fire suppression
- Life safety
- Passive protection
- Integration with existing building infrastructure
As we have described above, systems commissioning involves a rigorously detailed documentation system that helps determine particular needs and ensure quality deliverables that meet the specifications of the building owner or manager.
Here are a few of the goals of systems commissioning during different phases of the process:
- Design phase: In the design phase, risk management companies can prioritize goals by soliciting owner input, developing objectives, coordinating with local code authorities, creating detailed design plans, assessing potential integration with existing systems and developing necessary test criteria.
- Construction phase: During the construction phase, risk management companies get to work creating protective systems. They may partner with contractors, perform site installation reviews, maintain permit compliance, address any outstanding site liabilities and perform comprehensive integrated systems testing.
- Post-construction phase: After construction, professional risk management companies train facility staff members on the system’s operation and coordinate and confirm closeout documentation.
Fire systems commissioning can work in conjunction with services such as fire protection engineering. Fire protection engineering uses scientific knowledge about the nature of flammable materials and combustion to help design facilities that can reduce the risk of fire and help minimize losses in the event of a fire. Then, once commissioning is underway and has documented the needs of your building, engineers can work to design and build a robust fire protection system to keep your people and physical assets safe.
Contact Telgian for All Your Workplace Risk Management Needs
To see the benefits of a risk management strategy at your facility, partner with Telgian. Our engineering and consulting services can help you evaluate your vulnerabilities and put systems in place to mitigate risks to your employees, visitors and assets.
Contact us today to learn more, or give us a call at 1-877-TELGIAN.