Your Top Risk Mitigation Strategies: Effectively Engaging Risk Experts
When it comes time to assess your sites’ risk, what do you do? Do you hire an outside subject matter expert (SME) to walk some of your sites every few years, looking for security issues?
If so, you might not be using that expert’s time well, and you might be costing your organization money. One of the most effective risk mitigation strategies is to use your experts effectively — and not waste their time (and your money) on tasks that can be done by others.
Imagine you’re going to the doctor’s office for an appointment, for example. You expect to interact with other people before you actually see the doctor: the receptionist processes your forms, a nurse takes your vitals, and then the doctor arrives to discuss your complaint and examine you. What would a doctor’s visit cost if the doctor processed your intake forms, took your blood pressure, temperature, and pulse, and wiped down the room after your appointment?
The same goes for security consultants. They’re highly paid experts. By engaging them to walk your sites, counting locked doors, you’re not using their expertise well — and you’re running up your own bill.
The trouble with the traditional approach to risk assessments
Organizations have a quandary when it comes to assessments. Often they feel they don't have the expertise in-house, and that they have to go outside their organization and bring in third-party assessors.
This is an expense; there’s a daily cost to having the SMEs on site, and there's an additional cost for the SMEs to produce their reports. Most organizations simply don’t have the budget to hire third-party SMEs to assess the baseline risk at all of their facilities.
Instead, they do one of two things:
They hire an SME to assess the sites that are experiencing the most issues, or
They send an SME to the facilities that are felt to have the most risk.
Then the organization uses those reports to create plans for every site. The result is that many sites will not have an accurate portrayal of risk, since each site has different characteristics, especially in relation to inherent risk and the effective controls that are in place. The consequence is that the enterprise lacks a picture of risk at most of its sites.
Should outside experts be assessing risk?
The short answer is no. Collecting risk data at all of your sites is likely a waste of time for SMEs and a waste of money for your organization. SMEs are highly paid experts on physical security. Walking around your facilities looking for malfunctioning cameras is probably not the best use of their time.
However, there are people in your organization who are well-placed to measure risk at each site: your internal personnel.
Using a self-assessment tool is an effective risk mitigation strategy
There are plenty of people within your organization who are able to collect data about risk at each site. Facility managers, maintenance supervisors, security leads, and security officers are able to walk through a site and gather the information you need for a self-assessment.
It’s not just because a layperson is able to take down information about the make and model of cameras, and record the last inspection date of every fire extinguisher. It’s also because your people know the site. They work at that building every day. They are deeply familiar with security at that facility, and can give you an accurate picture of any underlying security problems there: things that might not surface during a third-party audit.
For example, site workers know which equipment doesn’t work well. They know which doors are left propped open at what times and by whom. They also know which risk scenarios are most likely. Employees will very likely be on their best behavior when an assessor is present, so the SME will not be privy to these occurrences.
When should you bring an outside expert in?
Once you’ve captured a full picture of each site’s inherent risk and effective controls, it’s time to engage with your outside expert, giving them the information gathered by your site workers.
The SME can then analyze that information, making recommendations for each site. They may still need to visit some sites to get a better picture of the risk there, but the preliminary work of gathering information has been done. You’re engaging with that consultant on a higher level.
Instead of the SME visiting three sites and you extrapolating their report to cover 300 sites, the SME is getting an informed data picture of every facility that they can interpret and analyze. It’s a better and more cost-effective use of the expert’s time and talents.
Assessments and risk management software
This risk management strategy only works, however, if all of your sites are being assessed in the same way. You can’t send your site workers out to count cameras or locked doors without a standard list of questions. Nor is it efficient to send them out with a paper checklist.
Risk management software allows you to quickly send out a checklist for site assessments and get the answers back in real time, rather than expecting site managers to manually transcribe their handwritten notes. This approach provides your expert with an apples-to-apples comparison of all your sites.
To learn more about how Circadian Risk can help you create self-assessments, contact us now for a demo.