Without an objective risk analysis method, most security consultants are basing assessments on assumptions and myths. Are you?
Security professionals today are missing a standard method for performing physical risk analyses. If your risk analysis is based on objective data, it’ll be reproducible. Anyone else who follows that method will come to the same conclusions. That’s the true test for an objective, reliable method—it means you’re giving your clients recommendations they can trust.
Most security consultants use any one of several methods to analyze risk, or they develop their own assessment process. But in nearly every case, the methods are subjective. They’re based on assumptions and personal experience—and the results can’t be reproduced.
Across the risk analysis industry, risk assessments are heavily based on assumptions and best guesses.
In other words, it’s your opinion against mine.
I saw this in action once, at a federally approved training class for security, emergency management, and law enforcement professionals. And it was eye-opening.
When Risk Experts Disagree to Agree
The class was divided into five teams, and all the teams went to the same site—a water treatment facility. Everyone was taught how to use a common assessment tool, then practiced an assessment onsite. Participants broke up into separate teams, scored the assessment, and presented their results to the entire class.
Each group’s findings and scores were so dramatically different from the others that for the next two hours the class argued about whether or not the facility was a critical infrastructure.
Everyone had just been trained to use the tool. They all used the same tool, assessed the same facility, saw the same issues, and were onsite at the same time. How could they disagree so strongly on such a basic question? Because there was no objective data or standard method available—even with the same tool.
If security consultants can’t agree on basic scoring of assessments, how can we claim to keep our customers safe? Without a standard, objective industry method, your customers have no reason to heed any consultant’s findings or recommendations.
At Circadian Risk, we’ve developed a reliable, objective method that can be used throughout the industry, by any security consultant. Our mission is to create a way for security professionals to conduct reliable, fact-based assessments that actually keep their customers safe. Let’s explore how to analyze risk objectively.
Circadian Risk’s Fact-Based Risk Analysis
The Department of Homeland Security (DHS) has established the basic equation for finding risk: risk = probability x severity. It’s a good start at a standard method, but it begs the question: how do you objectively find probability and severity? Chances are, you refer to a handful of public statistics and your own experience—but that doesn’t dive deep enough to give the full picture of probability and severity.
The first step is to develop a baseline for establishing risk and probability. And we do it in the following order, because it enables you to focus on critical facilities rather than low-priority ones.
Step 1: Determine Severity
To determine severity, we need to calculate a facility’s impact and continuity. From there, we can identify opportunities to reduce severity.
Impact defines how important a building is to the organization—and to others outside the organization. It’s determined by evaluating the facility’s tangible and intangible assets, as well as its services.
Impact should be measured before continuity, because it identifies the most severe facilities. You can’t assess every single building at once—especially if a client owns hundreds of buildings—so the impact profile gives you a way to prioritize the facilities to start with.
Many consultants only look at assets and monetary impact. Don’t ignore brand impact or psychological impacts. Remember: attackers such as terrorists aren’t concerned about money, they’re out to instill fear. That’s a psychological impact, not a monetary one.
Perform a complete impact profile by measuring how severe the impact of an event would be to your organization. Consider:
- loss of assets or money
- loss of lives
- psychological impact of the event to your organization and the community
- effect on your brand
- loss of time
A single assessment of all possible events doesn’t yield usable information, because every incident impacts each building differently. An impact assessment should be specific to a single event—for example, a tornado, abduction, or an active shooter.
Continuity is a company's resilience. It’s the ability to adapt to changing conditions, and withstand and rapidly recover from disruption due to an event. Continuity is identified during the interview—it's typically a very detailed list of what the organization will do to reduce the severity of such events.
A continuity assessment identifies how an organization can plan, train, respond, and recover after an incident. We also want to know a building’s priority within the organization and who the organization depends on—for example, fuel suppliers for generators.
Step 2: Determine Probability
After determining impact, we’re ready to determine probability. Probability is a function of three variables: threats, hazards, and vulnerability.
A threat is an intentional attack. This is based on historical records of groups that would target a company, building, or infrastructure. It includes the capabilities of relevant groups.
Perform a threat profile on your most severe facilities first. The federal government evaluates threats to the entire organization rather than individual buildings, but each building has its own threat profile.
Every threat profile is different, because it’s based on location and on what the company does within that building. GM has multiple buildings and they all do different things. But a local dealership doesn’t have the severity that a powertrain plant has. Likewise, not every government building is a tactical target for attack.
When you do a threat profile, consider the groups that might target the facility. What are their capabilities? What have they done in the past?
To accurately determine the threat, it’s important to consider internal and external data. Most methods only look at external information—threats from outside of the facility. But this neglects the possibility of violence, verbal abuse, or harassment by employees or supervisors. Also determine if there are any chemicals or equipment within the building that can be used as weapons.This is where many consultants don't go that extra step. They focus on crime statistics but forget to ask about how many incidents have occurred within the building.
Hazards are natural events or accidents. These can’t be prevented, but they can be mitigated. Hazards are determined using historical data based on geography, surrounding infrastructure, and historical events. A chemical plant in Tornado Alley of Oklahoma has a different hazard profile than one in southern California.
Hazards also include potential accidents. For example, is the building close to an interstate or a railroad? Is it close to other facilities that could affect the organization, such as chemical facilities or oil refineries?
As with threats, it’s critical to examine internal hazards as well. Have there been any chemical spills in the past, or is there any safety equipment that’s missing or noncompliant?
A vulnerability assessment uses the results from the threat and hazard data. It identifies a facility’s vulnerabilities and deficiencies. From that, you can develop a plan to deter, detect, delay, and prevent/mitigate them. This data also allows us to determine the threat and hazard probability. For example, if a facility has a set of potential threats and hazards, but they provide exceptional access control and security monitoring, the probability will decrease.
Once we know the threats, hazards, and vulnerabilities of each building, we can focus on the most probable events and begin to determine how to reduce probability.
Step 3: Analyze Risk
The standard DHS approach to risk assessment assumes that risk is static. A building’s risk on Sunday is the same as it is on Friday. There’s no difference between Christmas Day and Inauguration Day.
But risk is dynamic on a daily basis. From a threat perspective, the risk level at Madison Square Garden is low when the facility is empty. Risk increases at game-time during a national basketball tournament. And if the president of the United States is in the building, risk increases even more.
Risk also changes based on critical modifications in the infrastructure, community, environment, and more. It extends beyond the building itself to local, regional, and even national levels. If the impact only affects a small town, risk is much lower than if the impact affects the nation.
Paper-based risk assessments can’t provide the data or expertise that are needed for a daily risk assessment. But with advancements in technology, we can create near-real-time risk assessments. We can use data mining and artificial intelligence to identify daily variables, and incorporate them into our severity and vulnerability assessments. Big data lets us use predictive analytics to identify precursors to bigger incidents. We can also benchmark buildings across various sectors.
Step 4: Calculate a Cost-Benefit Analysis
The final step in an objective assessment process is to perform a cost-benefit analysis. The cost-benefit analysis allows a company to make an informed decision about which improvements are highest priority and which ones can be delayed. This is accomplished by comparing liability to risk. What could happen if the company doesn’t make the improvement? Which corrective actions will give your client the biggest bang for their buck?
For example, if insurance is $1000 per month, but an asset is only worth $11,000, your client has paid for it in less than a year. Is it worth their money to continue paying for that insurance? Your client needs to know which corrective actions will yield the greatest possible benefit.
Many consultants don’t want to touch cost-benefit analysis, and they leave it up to the client to do this. But this is the end purpose of a vulnerability assessment. Security consultants are the professionals to provide the final recommendations—and help clients make smart decisions. We can no longer leave corrective actions and cost-benefit analyses out of our services.
Is This Risk Analysis Method Even Possible?
If we’re going to be honest, this risk analysis method requires an incredible amount of data—data that isn’t publicly available and isn’t being shared...yet. There are millions of data points to review daily—yes, daily. Significant events, weather conditions, and even holidays can affect risk. And if you don’t have the right technology, there’s no way to leverage all that data.
Sound impossible? It is, if you’re using traditional, paper-based assessments. Consultants that use paper-based assessments will continue to struggle to provide accurate assessments, precisely because analog methods can’t do the heavy lifting that’s required. There’s just too much data to consider, and it is too time-consuming to be feasible.
But with the right tool, the data can be collected and shared. And it can be used to implement a consistent, reliable, objective methodology that delivers real results.
It is possible to use an objective method that’s based on fact, not fiction. The technology is here, and forward-thinking security professionals are catching the vision of providing trustworthy risk analyses.
Circadian Risk Makes This Method Possible
Circadian Risk’s assessment software is a web-based tool that makes it easy to capture every risk and vulnerability, create reports in seconds, recommend detailed corrective actions, and provide interactive visual dashboards for your clients.
Now you can finally provide objective, detailed threat and vulnerability assessments that equip your clients to reduce their risk in strategic ways. Find out more about our threat and vulnerability assessment tool—subscribe to the blog.