Ask the Expert: How is a Subjective Assessment Different from a Structured Assessment?

Let’s say you are unwell. Do you want a doctor to look at you and give you an opinion based on your symptoms you described or do you want the same doctor to run tests, evaluate you against diagnostic criteria, and then make a diagnosis?

Now apply the same scenario to risk at a site. Would you rather have a subjective assessment of the site or a sophisticated audit detailing your vulnerabilities and gaps providing risk analytics?

You probably want the doctor to perform a check-up and tests: a structured assessment of your health. However, in the security industry, we’ve been relying on subjective assessments of risk for years.

What is a subjective security assessment?

A subjective, or ad hoc, security assessment is relatively unstructured. Such assessments are completely based on the subject matter expert who is conducting the assessment. The assessment is wholly based on their observations, past experience, and value system.

Although this is the standard way assessments have been done, it’s problematic: if you send two experts in to assess a site, you run the risk of getting two completely different reports. Those two experts aren’t asking the same questions, they aren’t looking at the same things, and they aren’t making the same recommendations in their narrative report.

This can be particularly challenging when an organization needs to assess several sites. Traditionally, the organization sends out many assessors to their sites, but the data in those reports can’t be aggregated or quickly compared. If you want to know how one site’s risks compare them to another, there’s no easy way to do that because narrative reports don’t necessarily measure the same risks, because they are subjective.

Traditional assessments also tend to take a long time, and not necessarily because they are thorough. For every hour a security professional performs an inspection, they’ll likely spend 4 to 6 hours writing up their report.

What is a structured security assessment?

A structured security assessment is an assessment that has been designed before the walk-through. Rather than relying solely on the expertise of the consultant that’s conducting an assessment, structured assessments are checklists created with an objective in mind. A structured assessment may evaluate an organization's readiness for a specific threat or hazard, like a tornado, or may be used to assess compliance with a specific regulatory standard.

Until recently, structured assessments were used to conduct audits, gap analysis, and evaluate compliance. Thanks to technological advances and advanced risk methods, this approach can now be used to assess risk at a variety of sites.

An organization using a structural approach to risk assessments, must decide which scenario, like active shooters or theft, they wish to assess first. Next they need to create the criteria to mitigate or prevent a scenario, deciding what they need to assess from a security and compliance standpoint. Then a novice assessor all the way up to an expert assessor can conduct the assessment using the criteria, walking through a building or site with a tablet, making notes and taking pictures using an app.

This approach allows organizations to assess each of their sites based on the same criteria, and prioritize the remediations based on the sites that need it most. It’s a methodical, simple, and efficient way to assess security.

How can Circadian Risk help?

Circadian Risk’s Risk Analysis Solution enables organizations to use off the shelf assessments or create bespoke structured assessments, and allows assessors to collect assessment information in one tool. They can take pictures, use maps and floorplans to show your client exactly where they are in the building, take notes, and answer questions. The report is being created for them, in real-time, as they conduct the assessment. The results are immediately available, and using a central dashboard, it’s simple to compare the risk at sites across your organization.

Does this automate away the need for consultants?

In a word, no.

While there’s nothing more expensive than a cheap consultant, businesses will always need security experts to help them improve their defenses. In fact, even structured risk assessments require an assessorl to actually administer the assessment. A structured assessment simply creates a methodical process that helps companies gain more visibility into their risk.

Ready to create your own structured risk assessment? Schedule your personalized demo today!

About the Author

Daniel Young

Founder & Chief Innovation Officer

Daniel has been a security and risk advisor for more than 10 years, and is passionate about helping companies to better understand their risks to undesirable events on a daily basis. Dan previously served as the Regional Bioterrorism Coordinator for District 1 in Michigan, where he was instrumental in preparing communities for catastrophic incidents. He has also acted as the Private Security Liaison for the City of Lansing’s Critical Infrastructure Team, which identified and documented deficiencies in the city’s critical infrastructure.

He is a Co-Founder of the CSO Risk Council, a think tank of seasoned security professionals and thought leaders with extensive experience in managing the physical security and risks of large enterprises consisting of multiple sites and whose mission is to create a better process to develop and share innovative solutions and pertinent information with organizations to improve safety and security risk by providing a forum to discuss best practices and recommendations for specific risk scenarios and to network with other enterprise security professionals.