Why A General Risk Assessment Checklist Is A Bad Idea

Getting started with risk assessments can seem daunting. You might want a template to guide you. In fact, one of the questions we are asked most often is if we have a checklist or a template we can share.

Generic checklists, however, aren’t a good tool when it comes to conducting a thorough risk assessment. If you’re not evaluating risk by scenario, you’re leaving holes in your security.

What’s wrong with generic security checklists?

There are certain items that every building should have: handrails, working locks, and regularly-inspected fire extinguishers are a must for every building. But when you start thinking about preparing for specific risks - like a tornado or an active shooter - that’s when it’s important to drill down into your site’s specific vulnerabilities.

General checklists often focus on the universal countermeasures: the cameras, the access control, and the lighting for example. They neglect the specific countermeasures that can make a difference when you’re dealing with a potentially disastrous scenario.

This is why we recommend all organizations conduct scenario-based assessments, while being aware of their site’s inherent risk.

What is a scenario-based assessment?

A scenario-based assessment is a risk assessment tailored toward a specific threat, standard, or hazard. Rather than assessing the general vulnerability of a site, a scenario-based assessment evaluates the risk of one specific scenario happening, like a flood, fire, or even employee theft.

Focusing on the risks associated with specific scenarios helps you drill down and understand which countermeasures mitigate that risk most effectively. This approach also forces an organization to sit down and form a plan for each foreseeable scenario. This can seem like an intimidating undertaking, but it’s critical: some events are unlikely, but if they actually happen and you’re unprepared, those events could be catastrophic.

Additionally a scenario based risk analysis allows you to normalize the data from the assessment so you can do a relative comparison analysis or trend analysis over time.

To learn more about how to implement scenario-based assessments, read our seven suggestions for getting started.

How can a scenario-based assessment make a difference?

In 2004, an F4 tornado leveled Parsons Manufacturing’s metalworking and assembly plant in Illinois while 150 people were inside. No one was killed or even injured.

The lack of casualties was the result of careful planning by the company’s owner, Bob Parsons, He had given careful thought to the scenario of a tornado. He designed the building and security protocols with tornado safety in mind: three distributed storm shelters built of steel-reinforced concrete were incorporated into the building, and the plant employed an active weather response team, including one employee with training as a tornado spotter. Parson’s scenario-based planning gave the company time to get all employees and visitors to safety.

What is inherent risk?

Inherent risk is the risk that exists before you take any steps to manage it. It’s the risk that’s intrinsic to the site itself, as well as the business you’re conducting there. For example, the inherent risk of fraud is higher in businesses that handle cash than in businesses that do not. The inherent risk of a flood is higher if your site is located near a body of water.

No two sites have the same risk. Some locations are in high-crime areas, others may be in areas that experience fires. Because every site’s risk is so different, a general checklist won’t help you prepare for the threats likely to impact your site.

Inherent risk is a key concept in risk management. It is used to assess the overall risk of an activity or transaction and to determine the appropriate level of controls to be implemented.

How can you get started with assessments?

A checklist might seem like an easy way to get started with risk assessment, but it’s important that you begin to build out your own assessments. However, you have to start somewhere, and an excellent place to begin is with the ASIS International Physical Asset Protection (PAP) Standard.

This ASIS standard is designed to help organizations create, implement, monitor, evaluate, and maintain a physical asset protection (PAP) program that is tailored to their organization and their risk. It also opens the door to more comprehensive scenario-based assessments down the line.

To get started with the ASIS standard, talk to an expert today.

About the Author

Daniel Young

Founder & Chief Innovation Officer

Daniel has been a security and risk advisor for more than 10 years, and is passionate about helping companies to better understand their risks to undesirable events on a daily basis. Dan previously served as the Regional Bioterrorism Coordinator for District 1 in Michigan, where he was instrumental in preparing communities for catastrophic incidents. He has also acted as the Private Security Liaison for the City of Lansing’s Critical Infrastructure Team, which identified and documented deficiencies in the city’s critical infrastructure.

He is a Co-Founder of the CSO Risk Council, a think tank of seasoned security professionals and thought leaders with extensive experience in managing the physical security and risks of large enterprises consisting of multiple sites and whose mission is to create a better process to develop and share innovative solutions and pertinent information with organizations to improve safety and security risk by providing a forum to discuss best practices and recommendations for specific risk scenarios and to network with other enterprise security professionals.