We write a lot on this blog about risk analyses and what they mean for your organization’s security. But how do you actually conduct a risk assessment? And what do you do when you have more than one site to assess?
This blog will offer some best practices for conducting thorough and efficient risk analyses at your business.
First, a word on terminology. Often you will see security experts use the terms “assessment” and “analysis” interchangeably when it comes to determining a company’s risk. They aren’t the same thing, however:
- A risk assessment is the act of collecting information to assess an organization’s security and risk.
- A risk analysis is a comprehensive examination of the data produced by one or more risk assessments in order to make decisions involving risk.
On to the best practices.
Best practices for conducting a risk analysis
- Determine Inherent Risk: If you have a large number of facilities, it can be challenging to know which to focus on first when it comes to risk analysis. You probably don’t have the resources to send subject matter experts to thousands of facilities. By determining Inherent Risk, you’ll develop the ability to prioritize your locations. You can then create a baseline assessment after you prioritize your sites:
  - Determine Severity by identifying your most valuable sites: These are the sites with the most valuable assets. They might be manufacturing sites, company headquarters, or the location of your servers. If an incident disrupted operations at a site, how great would the impact on your organization be?
  - Determine Probability by looking into threats and hazards: Which threats are most likely to occur at those sites? Which incidents would cause the most damage?
  - Prioritize your sites: Based on the Inherent Risk of your locations, which sites are at higher risk? Which threats are most common?
  - Conduct a baseline assessment:
    - Develop an assessment based on the baseline controls needed to mitigate various threats: Determine which controls each location does or does not have, so you get a better understanding of the controls that are actually effective there.
    - Send the question sets to your sites: Send your questionnaires to the person at each site who is most qualified to answer the questions.
  Once you get your answers back, you’ll know which sites need to be analyzed first.
- Develop a question set based on your threats: If your most severe risk is an active shooter, does your site have weapon detection at your employee entrances? Does your organization do background checks? Write up a series of questions based on each threat and its related set of controls.
- Send experts only when you need to: The security industry often gets assessments backwards, sending highly qualified subject matter experts (SMEs) into the field before ascertaining whether their skills are needed at a site. By doing a baseline assessment, you’ll know where to send your most skilled experts and which sites can be handled by other personnel. If there are basic items that can be inventoried or assessed, consider using staff such as security officers or maintenance personnel to collect the data, and have the SMEs review it.
- Conduct a detailed audit at each high priority site: During your analyses, don’t look for just the deficiencies at each site, but also look proactively for what each site needs. By layering those things together, you can create the most secure environment at each site.
- Present a visual report: Most decision-makers expect a static narrative report at the end of the risk analysis process. They might think they want this, but most upper management is unlikely to read a written report. Offer them a visual presentation instead, so they can actually see and engage with the data, using floor plans so they can see where issues are and how those issues can be addressed.
- Protect the report with PCII: Storing the report that is the result of a risk analysis in-house may make sense, but your reports can be used against you in civil liability cases or accessed by requests filed under the Freedom of Information Act (FOIA) if they’re kept internally. You can protect your assessments by filing them with the Cybersecurity & Infrastructure Security Agency’s (CISA) Protected Critical Infrastructure Information (PCII) program. If you file your assessments with PCII, rather than keeping your assessments internally, that document is sealed to the public.
- Focus on security objectives, not specific countermeasures: When it comes to a risk analysis, your priority should be the objective, rather than the specific controls the organization could use to meet that objective. There are almost always multiple ways to achieve a security objective, such as detecting an active shooter: you might install a passive scanning device at a location, or use security officers to search people at entrances. Leave room to evaluate which options fit the corporate culture and how effectively each control meets the objective.
- Track your remediation, post analysis: While it is seemingly customary to have a static report, you can’t reduce liability unless you’re actually making changes and tracking the results. A static report can’t do that, but a project management system can. Risk changes every day, and by using a project management platform to track changes, your organization can change quickly to address new risks and threats.
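The Inherent Risk prioritization and the threat-based question sets described above, as an added example that is not part of the original post. It assumes a scoring model the post does not spell out (a site’s inherent risk is its Severity rating times the Probability rating of each threat, taking the highest product), and all site, threat and question data is constructed for illustration.

```python
"""Prioritize sites by Inherent Risk, then build each site's baseline question set.

Scoring model is an assumption: severity (1-5, value of the site's assets) times
probability (1-5, likelihood of a threat at that site); the highest product is the
site's inherent risk. Sample sites, threats and questions are constructed.
"""
from dataclasses import dataclass

# Threat -> baseline control questions (constructed, modelled on the controls
# the post mentions: weapon detection at entrances, background checks)
CONTROL_QUESTIONS = {
    "active_shooter": ["Is there weapon detection at employee entrances?",
                       "Are pre-employment background checks performed?"],
    "theft": ["Is server/asset storage access-controlled and logged?"],
    "flood": ["Are critical servers above the documented flood line?"],
}

@dataclass
class Site:
    name: str
    severity: int                # 1-5, impact if operations at this site are disrupted
    threat_probability: dict     # threat name -> 1-5 likelihood at this site

def inherent_risk(site):
    """Return (score, driving threat): the highest severity x probability product."""
    scores = {t: site.severity * p for t, p in site.threat_probability.items()}
    top = max(scores, key=scores.get)
    return scores[top], top

def prioritize(sites):
    """Sites ordered highest inherent risk first, each with the threat driving it."""
    ranked = [(s.name, *inherent_risk(s)) for s in sites]
    return sorted(ranked, key=lambda r: r[1], reverse=True)

def baseline_questions(site, threshold=6):
    """Question set covering every threat whose score at this site meets the threshold."""
    questions = []
    for threat, p in site.threat_probability.items():
        if site.severity * p >= threshold:
            questions.extend(CONTROL_QUESTIONS.get(
                threat, [f"No baseline controls defined for {threat}"]))
    return questions

SITES = [  # constructed sample portfolio
    Site("Headquarters", 5, {"active_shooter": 3, "theft": 2}),
    Site("Data center", 5, {"theft": 4, "flood": 2, "active_shooter": 1}),
    Site("Sales office", 2, {"active_shooter": 2, "theft": 3}),
]

if __name__ == "__main__":
    for name, score, threat in prioritize(SITES):
        print(f"{name:14} inherent risk {score:2} (driven by {threat})")
        for q in baseline_questions(next(s for s in SITES if s.name == name)):
            print(f"    - {q}")
```

The questionnaire for each site is what you would send to the most qualified person there; the ranking tells you whose answers to analyze first.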
Need help with a risk analysis? Schedule your personalized demo today.