How likely is a tornado to do catastrophic damage to your place of business? Is it probable that an active shooter will target your site? Are your employees likely to steal from you?
All of the above incidents are foreseeable for a business. But if you don’t know how likely one of these situations is at your own organization, what the impact of such an incident would be, and how you’d respond, it’s time for your organization to conduct scenario-based assessments.
How can you prepare for an active shooter? 5 best practices
What is a scenario-based risk assessment?
A scenario-based assessment is a risk assessment that’s directed toward a specific threat, concern, or hazard. Rather than assessing the vulnerability of an entire organization, a scenario-based assessment evaluates the risk of one specific scenario happening.
Why focus on assessing the risk of specific scenarios? It’s important to remember that to calculate risk, you must assess both the probability of an event happening, and the severity of its impact, should it occur. Some events might be unlikely, but if they actually happen and you’re unprepared, those events could be catastrophic.
Take an active shooter situation, for example. An active shooter may never target your company, but if one does, the impact will be extreme — people may be injured or lose their lives, your brand and reputation can be affected, you can suffer significant workforce loss due to fear, you can have a period of loss of production, and many other impacts. Because the severity is so high, it makes sense for every organization to assess the risk of an active shooter, and to create a response plan.
Your employees won’t stop an assault at work: Why not?
7 best practices for scenario-based assessments
- If you can foresee it, you should have a plan for it. When planning for scenario-based assessments, there is one important thing to remember: scenario-based assessments aren’t something you do just once. You should constantly be assessing the risk of various scenarios, because new risks appear often and old risks evolve. Basically, if you can foresee it happening, it should be assessed.
- Know which scenarios are most important. Make a list of all your scenarios and assign them each a probability and severity score of some kind. Then you’ll have a ranking. Start by assessing the scenarios with the highest probability and highest severity, and work your way down.
- Perform your assessments. Know what countermeasures each calls for to reduce the probability. And then find the best way to respond, adapt, and recover from each scenario to reduce the severity.
- Understand your gaps. What countermeasures do you have in place right now? What do you need to implement, and how much will that cost? Prioritize your deficiencies and your remediations. Then create a schedule that tells you when to implement additional countermeasures.
- Have an assessment schedule. Don’t try to do every assessment at once. Instead create a full year schedule of assessments, starting with the most risky scenarios and cycling through every foreseeable risk.
- Monitor continuously. Risk is dynamic and changes everyday. When a new threat becomes more probable, immediately assess and evaluate for that specific scenario.
- Respond to actual threats. Your organization may have a plan for active shooters, but what happens when someone actually threatens an attack? Make sure you respond and reassess when there’s a plausible incident.
Emergency planning: 10 organizations to build relationships before a crisis
Still have questions about scenario-based assessments?
Assessing individual scenarios may seem like a lot of work, but it’s important work, especially if you want to change the culture of risk at your organization. Often companies don’t believe those incidents will ever happen, so they ignore them. That type of risk culture is both impractical and dangerous; organizations have to start believing incidents will happen. Once they believe risks will happen, businesses can take the first step toward both preventing and responding to those incidents.
Still wondering about scenario-based assessment? Michael Martin, CEO of Circadian Risk gave a presentation on this topic at GSX 2020 with Ty Richman of Allied Universal on Sept. 23. Contact us for the presentation.