Risk assessments are intended to keep your employees safe, but they can often make your employees feel unsafe. Every time you conduct a physical security assessment, there’s a percentage of people who are harboring unspoken fears. They aren’t afraid of an unsafe workplace—they’re afraid of the risk assessment itself.
Left unaddressed, those fears can get in the way of an effective assessment. Points of contact (POCs) with an unspoken fear can create animosity. You could get inaccurate data. Someone may not answer truthfully. They may be short with you, or unwilling to cooperate.
I’ve seen it happen many times.
What are they afraid of?
People fear what they don’t understand. A security assessment can be a scary thing for any number of reasons. Here are the most common ones you’re likely to come across.
Fear of liability
The biggest fear is liability. There’s a persistent belief that if you know of a problem, you’re more liable. In most cases, you are liable for an incident because of foreseeability or because employees already have knowledge of the problem.
What really matters is whether you know about something and cover it up or ignore it. In that case, you can expect your liability to skyrocket. Acknowledging an issue as soon as you know about it, and stating how you’re remediating it, is what reduces your liability.
A risk assessment is another word for “audit,” and “audit” is a scary word. Many people inherently fear anything related to an audit, because it calls to mind images of the IRS, severe penalties and jail time. Even if your people know those aren’t likely outcomes from your security assessment, those irrational fears can still haunt them.
Is this about me?
Often, people immediately think, “What are my bosses not telling us? Are we being audited because we’re not performing well? Do they think I’m not doing my job?” They’re afraid that the assessment is more about rooting out their failures than about protecting the safety of the company’s employees.
For the point person in a building or department, an assessment can feel like they themselves are being assessed. If the department fails an audit or assessment, they feel like their own job is on the line.
You’ll see this fear even when there is no failure. Often, physical security is outside of the POC’s wheelhouse—there’s a lot they don’t know or understand about security and risk. That increases their insecurity and uncertainty about repercussions.
What aren’t they telling us?
If you start doing risk assessments after a long history of neglecting them, expect the gossip mill to jump into overdrive. The word in the break room will be that the C-level isn’t telling the whole story.
“Why are we suddenly doing these assessments now? They just fired Sarah yesterday—did she do something illegal? What if they’re going to sell off this building and we’re all going to lose our jobs?”
Behind the gossip is a fear that there’s something the executives aren’t telling. Is there a problem, concern or threat? Is one of the employees psychotic? Employees panic internally, because they’re imagining the worst.
You’re interrupting my work
There’s also the mundane concern about the interruption an assessment creates. Your POCs have a lot of work to do, and a security assessment can disrupt their day-to-day environment. That interruption creates more work and more annoyance. Don’t be surprised when you encounter animosity towards an assessment, because many staff simply don’t have any spare time.
Fear of getting caught
Occasionally, there’s the person who’s been stealing, abusing internet usage or knowingly breaking company policies. A risk assessment threatens to bring their actions to light, and they’ll be afraid of getting caught.
Keep an eye out for these individuals and be ready to pry a little more if you’re seeing some red flags.
What to do about the unspoken fears
It’s always important for your organization’s leaders to be as transparent as possible. Communicate what’s going on, what the goal is and what to expect. Executives need to lead by example—communicating that physical security is important to the organization, and backing it up in their own actions. Executives should be clear that the goal is to protect employees, and that your company is doing everything possible to create a safe workplace.
If your company takes security seriously, assessments will be a regular part of the company culture. People will come to know that their safety is a priority for the organization, and eventually they won’t think twice about risk assessments.
As an assessor, set the tone when conducting your assessments and interviews. Send an email to the POCs and anyone else you’ll be interacting with. Introduce yourself, state your purpose and briefly explain your process. Offer to answer any questions they have. Be sure to do it far enough in advance that people can have their concerns addressed before the assessment begins.
During the assessment, make yourself available for conversations, and hold office hours during the engagement.
Chances are, you won’t be able to eliminate those hidden fears altogether. But by creating an environment that normalizes risk assessments, you can reduce people’s anxieties. As a result, you’ll face less friction from your points of contact, you’ll get more honest answers and your results will rest on better data.
Additionally, if you do assessments more frequently, these fears will subside.