Your Risk Assessment Is Probably Just a 'Best Guess'—Here’s a Better Way

This may surprise you, but there is no standard method for performing risk analyses in the physical security industry.
This isn’t the case in cybersecurity, where standards such as NIST SP 800-30 and ISO/IEC 27005 define how a risk assessment is performed. But physical security? Our risk assessments are traditionally based on opinions, assumptions, and best guesses. They’re not objective.
Objective assessments are based on facts and data. In order to best serve your organization, a risk assessment should go beyond local crime statistics and the personal experience of the assessor. Anyone who completes an objective risk assessment should be using the same data points, and should come to the same conclusion about a site’s risk. That’s the true test of whether an assessment actually is objective.
But how does this work?
A step by step guide to fact-based risk analysis
Let’s explore how to analyze risk objectively.
The Department of Homeland Security (DHS) Risk Lexicon defines risk in terms of the likelihood of an event and its consequences, which gives the basic equation for finding risk:
risk = probability x severity
This is a good start, but how do you objectively find probability and severity?
Most security consultants refer to a handful of public statistics and their own experience—but that doesn’t dive deep enough to give the full picture of a site’s risk.
You need to develop a baseline for establishing severity and probability. We determine severity first and probability second, because that order lets you focus on critical facilities rather than low-priority ones.
Step 1: Determine severity
To determine severity, we need to calculate a facility’s impact and continuity. From there, we can identify opportunities to reduce severity.
Impact
Impact defines how important a building is to the organization—and to others outside the organization. It’s determined by evaluating the facility’s tangible and intangible assets, as well as its services.
Impact should be measured before continuity, because it identifies the most severe facilities. You can’t assess every single building at once—especially if a client owns hundreds of buildings—so the impact profile gives you a way to prioritize the facilities to start with.
Many consultants only look at assets and monetary impact. Don’t ignore brand impact or psychological impacts. Remember: attackers such as terrorists aren’t concerned about money, they’re out to instill fear. That’s a psychological impact, not a monetary one.
Perform a complete impact profile by measuring how severe the impact of an event would be to your organization. Consider:
loss of assets or money
loss of lives
psychological impact of the event to your organization and the community
effect on your brand
loss of time
A single assessment of all possible events doesn’t yield usable information, because every incident impacts each building differently. An impact assessment should be specific to a single event—for example, a tornado, abduction, or an active shooter.
Continuity
Continuity is a company's resilience: the ability to adapt to changing conditions, and to withstand and rapidly recover from disruption due to an event. Continuity is identified during the assessment interview with the organization's staff, and it's typically a very detailed list of what the organization will do to reduce the severity of such events.
A continuity assessment identifies how an organization can plan, train, respond, and recover after an incident. We also want to know a building’s priority within the organization and who the organization depends on—for example, fuel suppliers for generators.
Step 2: Determine probability
After determining severity, we’re ready to determine probability. Probability is a function of three variables: threats, hazards, and vulnerability.
Threats
A threat is the potential for an intentional attack. The threat profile is based on historical records of groups that would target a company, building, or infrastructure, and it includes the capabilities of those groups.
Perform a threat profile on your most severe facilities first. The federal government evaluates threats to the entire organization rather than individual buildings, but each building has its own threat profile.
Every threat profile is different, because it’s based on location and on what the company does within that building. GM has multiple buildings and they all do different things. But a local dealership doesn’t have the severity that a powertrain plant has. Likewise, not every government building is a tactical target for attack.
When you do a threat profile, consider the groups that might target the facility. What are their capabilities? What have they done in the past?
To accurately determine the threat, it’s important to consider internal and external data. Most methods only look at external information—threats from outside of the facility. But this neglects the possibility of violence, verbal abuse, or harassment by employees or supervisors. Also determine if there are any chemicals or equipment within the building that can be used as weapons. This is where many consultants don't go that extra step. They tend to focus on crime statistics but forget to ask about how many incidents have occurred within the building.
Hazards
Hazards are natural events or accidents. These can’t be prevented, but they can be mitigated. Hazards are determined from historical data on geography, surrounding infrastructure, and past events. A chemical plant in Oklahoma’s Tornado Alley has a different hazard profile than one in Southern California.
Hazards also include potential accidents. For example, is the building close to an interstate or a railroad? Is it close to other facilities that could affect the organization, such as chemical facilities or oil refineries?
As with threats, it’s critical to examine internal hazards as well. Have there been any chemical spills in the past, or is there any safety equipment that’s missing or noncompliant?
Vulnerability assessment
A vulnerability assessment uses the results from the threat and hazard data. It identifies a facility’s vulnerabilities and deficiencies. From that, you can develop a plan to deter, detect, and delay an adversary, and to mitigate or remove the deficiencies. This data also allows us to determine the threat and hazard probability. For example, if a facility has a set of potential threats and hazards, but it provides exceptional access control and security monitoring, the probability will decrease. Note that different controls lower different probabilities: access control and monitoring reduce the likelihood that an intentional attack succeeds, while compliant safety equipment and spill containment reduce the likelihood that a hazard turns into an incident.
Once we know the threats, hazards, and vulnerabilities of each building, we can focus on the most probable events and begin to determine how to reduce probability.
Step 3: Analyze risk
The standard DHS approach to risk assessment assumes that risk is static. A building’s risk on Sunday is the same as it is on Friday. There’s no difference between Christmas Day and Inauguration Day.
But risk is dynamic on a daily basis. From a threat perspective, the risk level at Madison Square Garden is low when the facility is empty. Risk increases at game-time during a national basketball tournament. And if the president of the United States is in the building, risk increases even more.
Risk also changes based on critical modifications in the infrastructure, community, environment, and more. It extends beyond the building itself to local, regional, and even national levels. If the impact only affects a small town, risk is much lower than if the impact affects the nation.
Paper-based risk assessments can’t provide the data or expertise that are needed for a daily risk assessment. But with advancements in technology, we can create near-real-time risk assessments. We can use data mining and artificial intelligence to identify daily variables, and incorporate them into our severity and vulnerability assessments. Big data lets us use predictive analytics to identify precursors to bigger incidents. We can also benchmark buildings across various sectors.
Step 4: Calculate a cost-benefit analysis
The final step in an objective assessment process is to perform a cost-benefit analysis. The cost-benefit analysis allows a company to make an informed decision about which improvements are the highest priority and which ones can be delayed. This is accomplished by comparing the cost of each corrective action with the liability the organization carries if it does not act. What could happen if the company doesn’t make the improvement? Which corrective actions will give your client the biggest bang for their buck?
For example, if insurance is $1000 per month, but an asset is only worth $11,000, your client will have paid the full value of the asset in premiums in less than a year. Is it worth their money to continue paying for that insurance? The same logic applies to any corrective action: compare its annualized cost with the expected loss it prevents (probability times severity), not just with the face value of the asset it protects. Your client needs to know which corrective actions will yield the greatest possible benefit.
Many consultants don’t want to touch cost-benefit analysis, and they leave it up to the client to do this. But this is the end purpose of a vulnerability assessment. Security consultants are the professionals to provide the final recommendations—and help clients make smart decisions. We can no longer leave corrective actions and cost-benefit analyses out of our services.
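To make the four steps above concrete, here is an added worked example that scores events per facility, ranks facilities by severity-weighted risk, applies the day-specific exposure multiplier from step 3, and runs the step 4 cost-benefit comparison for candidate corrective actions. It is example code written for this page, not the article's or Circadian Risk's own model; the 0..1 scales for continuity and vulnerability, the "base rate" treatment of threat and hazard history, the control names, and every number in the sample data are assumptions constructed for the illustration.

```python
# Added illustration of the four-step procedure (severity, probability, dynamic
# risk, cost-benefit). Not the article's or Circadian Risk's model; every scale
# and number below is an assumption constructed for the example.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class EventProfile:
    """One event at one facility: the article stresses that impact is per event."""
    facility: str
    event: str
    loss_usd: float       # impact profile in dollars: assets, lives, brand, time, psychological
    continuity: float     # 0..1 share of that loss the continuity plan absorbs (assumed scale)
    base_rate: float      # expected occurrences per year from threat + hazard history
    vulnerability: float  # 0..1 share of events the facility's controls fail to deter/detect/delay


@dataclass(frozen=True)
class Control:
    """A corrective action: annual cost and how much it lowers vulnerability."""
    name: str
    facility: str
    covers: frozenset          # event names the control affects
    vuln_reduction: float      # vulnerability is multiplied by (1 - vuln_reduction)
    annual_cost_usd: float


def severity(p: EventProfile) -> float:
    """Step 1: impact, reduced by what continuity planning can absorb."""
    return p.loss_usd * (1.0 - p.continuity)


def probability(p: EventProfile, vulnerability: Optional[float] = None) -> float:
    """Step 2: threat/hazard history scaled by the facility's vulnerability."""
    v = p.vulnerability if vulnerability is None else vulnerability
    return p.base_rate * v


def risk(p: EventProfile, exposure: float = 1.0, vulnerability: Optional[float] = None) -> float:
    """Step 3: expected annual loss. `exposure` is the day-specific multiplier the
    article argues for (empty arena near 0, game night 1, head of state present above 1)."""
    return probability(p, vulnerability) * severity(p) * exposure


def rank_facilities(profiles):
    """Total risk per facility, highest first: where assessor time goes first."""
    totals = {}
    for p in profiles:
        totals[p.facility] = totals.get(p.facility, 0.0) + risk(p)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def cost_benefit(profiles, control: Control) -> dict:
    """Step 4: annual risk removed by a control versus its annual cost."""
    before = after = 0.0
    for p in profiles:
        r = risk(p)
        before += r
        if p.facility == control.facility and p.event in control.covers:
            r = risk(p, vulnerability=p.vulnerability * (1.0 - control.vuln_reduction))
        after += r
    reduction = before - after
    return {
        "control": control.name,
        "risk_reduction_usd": reduction,
        "net_benefit_usd": reduction - control.annual_cost_usd,
        "benefit_cost_ratio": reduction / control.annual_cost_usd,
    }


def rank_controls(profiles, controls):
    """Corrective actions ordered by net annual benefit; a negative value means 'delay it'."""
    return sorted((cost_benefit(profiles, c) for c in controls),
                  key=lambda r: r["net_benefit_usd"], reverse=True)


# Constructed sample data: assumed numbers, not real facilities or statistics.
PROFILES = [
    EventProfile("plant", "active_shooter", 50_000_000, 0.2, 0.01, 0.5),
    EventProfile("plant", "tornado", 20_000_000, 0.5, 0.10, 0.4),
    EventProfile("plant", "theft", 200_000, 0.0, 2.00, 0.5),
    EventProfile("dealership", "theft", 50_000, 0.0, 4.00, 0.6),
    EventProfile("dealership", "active_shooter", 5_000_000, 0.1, 0.002, 0.8),
]
CONTROLS = [
    Control("plant access control + monitoring", "plant",
            frozenset({"active_shooter", "theft"}), 0.6, 150_000),
    Control("plant storm shelter + weather alerting", "plant",
            frozenset({"tornado"}), 0.5, 100_000),
    Control("dealership access control upgrade", "dealership",
            frozenset({"theft", "active_shooter"}), 0.5, 80_000),
]

if __name__ == "__main__":
    for facility, total in rank_facilities(PROFILES):
        print(f"{facility:12s} expected annual loss ${total:,.0f}")
    for row in rank_controls(PROFILES, CONTROLS):
        print(f"{row['control']:42s} net ${row['net_benefit_usd']:>10,.0f}  "
              f"benefit/cost {row['benefit_cost_ratio']:.2f}")
```

With the sample inputs the plant ranks above the dealership, the storm-shelter action has the highest net benefit, and the dealership upgrade costs more per year than the risk it removes, so it is the one to delay. The point the article makes about reproducibility shows up directly: two assessors feeding the same profiles into the same functions get the same ranking, and any disagreement has to be argued over a specific input value rather than over a gut feeling.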
What data points should be included in an objective assessment?
If we’re going to be honest, this risk analysis method requires an incredible amount of data. There are millions of data points to review. Significant events, weather conditions, and even holidays can affect risk. If you don’t have the right technology, there’s no way to leverage all that data.
Sound impossible? It is, if you’re using traditional, paper-based assessments. Consultants that use paper-based assessments will continue to struggle to provide accurate assessments, precisely because analog methods can’t do the heavy lifting that’s required. There’s just too much data to consider, and it is too time-consuming to be feasible.
But with the right tool, the data can be collected and shared. And it can be used to implement a consistent, reliable, objective methodology that delivers real results.
Circadian Risk makes fact-based risk analysis possible
Circadian Risk’s assessment software is a web-based tool that makes it easy to capture every risk and vulnerability, create reports in seconds, recommend detailed corrective actions, and provide interactive visual dashboards for your clients.
Now you can finally provide objective, detailed threat and vulnerability assessments that equip your clients to reduce their risk in strategic ways. Our platform collects thousands of data points—from internal site data to local weather trends—and uses that information to determine your sites’ risk profile.
Our assessments are a living document, prioritizing remediations, tracking improvements, and adjusting your risk score in real time. And no matter who completes an assessment, they’ll always get the same result, because your risk analysis will be based on hard, measurable data.
Objective risk assessments keep your business—and people—safe
Remember: if a risk analysis is based on objective data, it’ll be reproducible. That’s the true test for an objective, reliable assessment—it means a consultant is giving you recommendations you can trust.
Most physical security consultants do not do this, however. They use a variety of methods to analyze risk, or develop their own assessment processes. In nearly every case, those methods are subjective. They’re based on assumptions and personal experience—and the results can’t be reproduced.
In other words, it’s your opinion against mine—and that’s not good for the security of your organization.
I saw this in action once, at a federally approved training class for security, emergency management, and law enforcement professionals. And it was eye-opening.
The class was divided into five teams, and all the teams went to the same site—a water treatment facility. Participants broke up into teams, assessed the facility, and presented their results to the entire class. Each group’s findings and risk scores were so dramatically different from the others that for the next two hours the class argued about whether or not the facility was critical infrastructure.
Everyone had just been trained to use the same tool. They assessed the same facility, saw the same issues, and were onsite at the same time. How could they disagree so strongly on such a basic question? Because there was no objective data or standard method available—even with the same tool.
If security experts can’t agree on basic scoring of assessments, how can we claim to keep our customers safe? Without a standard, objective industry method, how can you trust any consultant’s findings or recommendations?
At Circadian Risk, we’ve developed a reliable, objective method that can be used throughout the industry, by any security professional. Our mission is to create a way for security experts to conduct reliable, fact-based assessments that actually keep your organization safe.
Want to learn more? Contact us to talk to an expert today.