Why A General Risk Assessment Checklist Is A Bad Idea

By Daniel Young | May 18, 2023

Getting started with risk assessments can seem daunting. You might want a template to guide you. In fact, one of the questions we are asked most often is whether we have a checklist or a template we can share.

Generic checklists, however, aren’t a good tool when it comes to conducting a thorough risk assessment. If you’re not evaluating risk by scenario, you’re leaving holes in your security.

What’s wrong with generic security checklists?

There are certain items that every building should have: handrails, working locks, and regularly inspected fire extinguishers. But when you start preparing for specific risks, like a tornado or an active shooter, it’s important to drill down into your site’s specific vulnerabilities.

General checklists often focus on the universal countermeasures: the cameras, the access control, and the lighting, for example. They neglect the specific countermeasures that can make a difference when you’re dealing with a potentially disastrous scenario.

This is why we recommend all organizations conduct scenario-based assessments, while being aware of their site’s inherent risk.

What is a scenario-based assessment?

A scenario-based assessment is a risk assessment tailored toward a specific threat, standard, or hazard. Rather than assessing the general vulnerability of a site, a scenario-based assessment evaluates the risk of one specific scenario happening, like a flood, fire, or even employee theft.

Focusing on the risks associated with specific scenarios helps you drill down and understand which countermeasures mitigate that risk most effectively. This approach also forces an organization to sit down and form a plan for each foreseeable scenario. This can seem like an intimidating undertaking, but it’s critical: some events are unlikely, but if they actually happen and you’re unprepared, those events could be catastrophic.

Additionally, a scenario-based risk analysis allows you to normalize the data from the assessment so you can do a relative comparison or a trend analysis over time.

To learn more about how to implement scenario-based assessments, read our seven suggestions for getting started.

How can a scenario-based assessment make a difference?

In 2004, an F4 tornado leveled Parsons Manufacturing’s metalworking and assembly plant in Illinois while 150 people were inside. No one was killed or even injured.

The lack of casualties was the result of careful planning by the company’s owner, Bob Parsons, who had given careful thought to the scenario of a tornado. He designed the building and security protocols with tornado safety in mind: three distributed storm shelters built of steel-reinforced concrete were incorporated into the building, and the plant employed an active weather response team, including one employee with training as a tornado spotter. Parsons’s scenario-based planning gave the company time to get all employees and visitors to safety.

What is inherent risk?

Inherent risk is the risk that exists before you take any steps to manage it. It’s the risk that’s intrinsic to the site itself, as well as the business you’re conducting there. For example, the inherent risk of fraud is higher in businesses that handle cash than in businesses that do not. The inherent risk of a flood is higher if your site is located near a body of water.

No two sites have the same risk. Some locations are in high-crime areas; others may be in areas that experience fires. Because every site’s risk is so different, a general checklist won’t help you prepare for the threats likely to impact your site.

Inherent risk is a key concept in risk management. It is used to assess the overall risk of an activity or transaction and to determine the appropriate level of controls to be implemented.

How can you get started with assessments?

A checklist might seem like an easy way to get started with risk assessment, but it’s important that you begin to build out your own assessments. However, you have to start somewhere, and an excellent place to begin is with the ASIS International Physical Asset Protection (PAP) Standard.

This ASIS standard is designed to help organizations create, implement, monitor, evaluate, and maintain a physical asset protection (PAP) program that is tailored to their organization and their risk. It also opens the door to more comprehensive scenario-based assessments down the line.

To get started with the ASIS standard, talk to an expert today.
