Everyone wants one thing from security: the ability to be and feel safe wherever they are. Building owners and occupants are typically not concerned with how many security officers are in the building, nor do they care how many card readers and security cameras are on the premises—that is the responsibility of the security engineers and consultants to identify the need and subsequently implement.
In an industry that is mainly uncodified, security programs can vary greatly. An effective security program must:
- Identify the risks and hazards to the environment, facility, and occupants (real threats)
- Address the perceptions that the staff has about their safety (perceived threats)
Applying security controls to an organization that does not address the real and perceived threats wastes valuable financial resources and creates an ineffective security plan, which is why a security risk assessment is a vital component of any security plan.
At Telgian Engineering & Consulting (TEC), clients often ask our security experts for assessments as a generic request. Some clients ask for a Security Vulnerability Assessment (SVA) or a Risk Assessment (RA). Others may request a peer review from similar organizations.
TEC works with clients to quantify and identify their unique needs. This step helps us determine the full scope of services required, including operational, architectural, and technical elements. Security risk assessments often combine logical and physical security, so our experts must identify what exact elements need evaluation.
Mandated Risk Assessments
Many industries, such as healthcare and finance, are required by regulatory agencies to conduct periodic risk assessments. Other sectors, such as K-12 schools and higher education campuses, rely on the concept that best practices drive the need for risk assessments.
Some of the major regulatory agencies that mandate risk assessments are:
Occupational Safety and Health Administration (OSHA). Occupational Safety and Health Administration (OSHA), through The Safety, Health, and Welfare at Work Act 2005, requires that employers conduct risk assessments to identify hazards and provide a safe work environment.
The Joint Commission (TJC). The Joint Commission (TJC) requires healthcare facilities to have internal subject-matter experts conduct annual security risk assessments. The TJC also recommends that these facilities have an outside security expert perform an assessment every three years.
Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires organizations to conduct periodic evaluations for security effectiveness.
Security Assessment Process
Each security vulnerability assessment or risk assessment will consist of the following:
- Document review
- Site visit + Interviews
- Regulatory requirements review, if applicable
- Final Report
Document Review. The document review should examine incident reports, which help identify historic events and how often incidents occur. If incident after-action reports are available, they are valuable for reviewing what happened in past incidents. We also review existing policies and procedures that deter adverse events, minimize their impact, and describe the response to them.
Interviews. We need to meet with the stakeholders and key leaders. Organizations have “personalities”; each is different and requires a unique approach. TEC needs to evaluate that and understand what solutions will work and what may not—some leaders prefer workforce-dependent solutions, and some prefer technology, each to a varying degree.
Site Visit. TEC’s experts will walk the site, review existing conditions, and look for opportunities to improve security. As an outside subject matter expert, TEC can identify issues that internal experts may easily miss.
Final Report. TEC will document all results and findings after the SVA or RA. We will provide a formal report based on all data pertinent to the assessment. This report can also include our professional opinion of risks and concerns as well as our recommended mitigation strategies. If needed, TEC can provide a cost estimate to implement any recommended technology within the report.
The SVA or RA will address the following components of each concern, hazard, or event risk:
A. Probability of the concern occurring (1-5)
B. Impact of the event risk on people, operations/facilities, and reputation (1-5)
C. Current mitigation strategies that are in place to deter the event risk (1-5)
D. Internal ability to effectively detect, respond to, and eliminate the concern (1-5)
E. External resources available to assist in minimizing the impact (1-5)
The point values are assigned on a scale of 1-3 or 1-5, chosen with the client based on our recommendation.
Quantification of Risk. Every organization faces many types of risk, and it is impossible to protect against every hazard. Quantifying the concerns can bring value to help the organization determine the “Risk Appetite,” which is what hazards an organization is willing to accept and not accept.
For example, a client may be willing to accept the high probability of losing certain tools on a job site but unwilling to lose specific specialized instruments.
Each concern is quantified as follows:
(A+B) – (C+D+E) = Assessed Value
For some assessments, we have split B into separate values for people, operations/facilities, and reputation. TEC and the client work as a team to determine the values.
TEC’s objective is to eliminate the risk’s uncertainty by quantifying the concern’s probability and impact, and then reviewing the mitigation capabilities. Adding mathematical values to the components makes it easier to address the client’s real and perceived security concerns.
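The scoring method above is simple enough to put into a small risk-register script, which makes it easy to show clients how the numbers drive the ranking and where the “risk appetite” line falls. The following is an added illustration written for this article, not a TEC tool: the concern names and point values are constructed sample data, and because the article does not say how the split B values (people, operations/facilities, reputation) are combined, the script assumes the highest of the three is used so that the worst-affected dimension drives the score.

```python
"""Risk-register scoring using (A + B) - (C + D + E) = Assessed Value.

Illustrative example only (not TEC's tool). Every component is checked
against the chosen scale (1-3 or 1-5) before it is used.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Concern:
    name: str
    probability: int        # A: likelihood the concern occurs
    mitigation: int         # C: current mitigation strategies in place
    internal_response: int  # D: internal ability to detect, respond, eliminate
    external_resources: int # E: outside resources that help minimize impact
    impact: Optional[int] = None                   # B as a single value
    impact_split: Optional[Dict[str, int]] = None  # B split: people/operations/reputation


def _check(value: int, scale_max: int, label: str) -> int:
    """Reject anything outside the agreed 1..scale_max range."""
    if not isinstance(value, int) or not 1 <= value <= scale_max:
        raise ValueError(f"{label} must be an integer in 1..{scale_max}, got {value!r}")
    return value


def combined_impact(concern: Concern, scale_max: int) -> int:
    """Return B. ASSUMPTION: a split B uses the highest of its three parts."""
    if concern.impact_split is not None:
        expected = {"people", "operations", "reputation"}
        if set(concern.impact_split) != expected:
            raise ValueError(f"impact_split keys must be {sorted(expected)}")
        return max(_check(v, scale_max, f"impact[{k}]")
                   for k, v in concern.impact_split.items())
    if concern.impact is None:
        raise ValueError(f"{concern.name}: provide impact or impact_split")
    return _check(concern.impact, scale_max, "impact")


def assessed_value(concern: Concern, scale_max: int = 5) -> int:
    """(A + B) - (C + D + E); higher means more exposed, lower means better covered."""
    a = _check(concern.probability, scale_max, "probability")
    b = combined_impact(concern, scale_max)
    c = _check(concern.mitigation, scale_max, "mitigation")
    d = _check(concern.internal_response, scale_max, "internal_response")
    e = _check(concern.external_resources, scale_max, "external_resources")
    return (a + b) - (c + d + e)


def rank_register(concerns: List[Concern], scale_max: int = 5) -> List[Tuple[int, str]]:
    """Score every concern and sort from most to least exposed."""
    scored = [(assessed_value(c, scale_max), c.name) for c in concerns]
    return sorted(scored, key=lambda t: (-t[0], t[1]))


def above_appetite(concerns: List[Concern], threshold: int, scale_max: int = 5) -> List[str]:
    """Names of concerns whose assessed value exceeds the agreed risk-appetite line."""
    return [name for value, name in rank_register(concerns, scale_max) if value > threshold]


# Constructed sample register (not real client data), echoing the job-site example.
SAMPLE_REGISTER = [
    Concern("Tool theft from job site", probability=5, impact=2,
            mitigation=2, internal_response=3, external_resources=2),
    Concern("Theft of specialized instruments", probability=3,
            impact_split={"people": 1, "operations": 5, "reputation": 3},
            mitigation=1, internal_response=2, external_resources=1),
    Concern("Workplace violence", probability=2, impact=5,
            mitigation=3, internal_response=3, external_resources=4),
]

if __name__ == "__main__":
    for value, name in rank_register(SAMPLE_REGISTER):
        print(f"{value:>4}  {name}")
    print("Above appetite (threshold 0):", above_appetite(SAMPLE_REGISTER, threshold=0))
```

On a 1-5 scale the assessed value ranges from -13 (minimal probability and impact, maximal coverage) to 7, so the client-chosen threshold passed to `above_appetite` is where the “accept / do not accept” discussion happens; in the sample, the high-probability but low-impact tool theft scores 0 while the specialized instruments, with their operational impact and thin mitigation, score 4.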
Security Assessment Recommendations
The recommended solutions should fit the personality of the organization. There are few standard approaches to creating a safe environment, so each organization’s process will be different. The recommendations should include operational and technology options. The TEC approach focuses on operations that are supported by technology.
Sometimes, the assessment outcome indicates the client has an unrealistic perception of a risk or concern. In that case, our security expert may recommend a strategy that better aligns the client’s perception with reality. This type of recommendation helps the organization apply cost-effective solutions to address its concerns. In this case, training and awareness information sessions may be the better solution, rather than adding hundreds of cameras and staff to monitor a low-probability issue. TEC’s recommendations heavily focus on being the most cost-effective strategies for our clients’ organizations.
Telgian Engineering & Consulting’s Security Assessment Services
TEC recognizes the crucial role of conducting risk assessments before implementing any security systems or solutions. This approach allows for the optimal allocation of resources, thereby assisting our clients in securing the most efficient and cost-effective solutions.
TEC identifies the risks or vulnerabilities and utilizes the industry’s best practices in delivering recommendations for improvement and mitigation. We base our recommendations on guidelines such as those set by the American Society of Industrial Security (ASIS), the International Association for Healthcare Security & Safety (IAHSS), and OSHA.
TEC partners with our clients to pinpoint their safety issues, enhance their safety posture, and offer personalized recommendations and solutions. Please contact us today to learn more about how our security consultants and designers can help improve your facility’s security.
Leading the industry since 1985, TEC is a full-service global engineering and risk mitigation consulting firm specializing in complex, multi-discipline public and private sector projects. TEC provides professional services related to the protection of people, property, information, and organizational mission against preventable losses. Solutions include strategic/enterprise risk management, fire protection engineering, industrial security, environmental health and safety, emergency management, operations continuity consulting, and construction administration services. TEC professionals are dedicated to delivering value through effective protection solutions that meet today’s unique risk challenges. Contact us for immediate support at 1.302.300.1400 or email@example.com.