Security Risk Analysis

Following the killings at the Colorado Movie Theater I was asked if this massacre was prevented.  My response is that the vast majority all of security incidents are preventable if organizations would take time to utilize the security risk analysis process.

Every organization has an obligation to protect employees and visitors while on their premises. To ensure that basic protection is met, a security program is necessary. A security program’s objectives are to deter, delay, detect, deny, respond to and recover from reasonably foreseeable loss events. These objectives are not met by simply installing a burglar alarm and CCTV cameras. Implementing these security strategies can prove costly and ineffective without first understanding what your security needs are and what you expect security strategies to accomplish. There are basic steps that you can take with assistance from an experienced security practitioner to help you understand just what it is that a security program can do for you and the security strategies needed to help your business protect assets.


Conduct a Security Survey.

The security survey consists of an on-site examination to determine existing security measures and to identify vulnerabilities. This survey will help determine the protection needed and it will also be helpful in recommending measures to enhance overall security during the risk analysis process. A survey should be done prior to purchasing security equipment or changing an existing security process or system. It is conducted by a qualified security practitioner along with someone familiar with the property and daily operations at your facility.

Form a Safety and Security Focus Team.

This safety and security focus team is made up of key department heads familiar with day to day activities of your business and property. This team will work together under the leadership of the security consultant to conduct the security risk analysis. The focus team is not the safety and security team which will be formed later.

Conduct a Security Risk Analysis.

The security risk analysis is broken down into two components; the risk assessment component and the risk management component.

Part A: Risk assessment identifies threats and hazards that could impact your assets, the probability (your vulnerability) and likelihood of these threats and hazards occurring and their impact on people, property, information and reputation of your church. A few examples of threats that can occur at a business are: theft, vandalism, arson, assaults, fire, and severe weather events.

After the security survey, the safety and security focus team will consider the assets that require protection. Assets are people, property, information and reputation of an organization. When thinking about assets and subsequent harm from a threat, consider the difficulty and cost of replacing damaged or lost items and the harm and impact that a loss event can have on the reputation of your business. Assets are ranked in order of value and level of protection needed with people being the most valuable asset.

The next step is to identify threats and hazards that can impact your business. Threats are normally associated with humans and can either be intentional or unintentional (fire started by accident or arson deliberately) and hazards are associated with nature such as a hurricane. Following are a few sources to help identify threats and hazards that could occur at your business: 1) Police reports of crimes in your immediate area. 2) Uniform Crime Reports for your municipality. 3) Insurance carrier. 4) Internal reports. 5) Other like businesses. 6) Professional associations.

Your safety and security focus team will then decide the likelihood and probability for these threats and hazards to occur. Let’s look at likelihood of occurrence first. In order to evaluate likelihood, the safety and security focus team will review historical information. A best security practice is to review security incidents occurring in the past two years since recent incidents are a good indicator of future incidents. A few other factors to consider are: 1) Close proximity of your business to an interstate. 2) Isolation of your business. 3) Controversial issues involving your business. 4) Crime, gang activity and other socio economic factors.

Once your safety and security focus team reviews this information, each threat can then be ranked on a scale of 1 to 5 with 1 being the least likely to occur and 5 being the most likely. What do you consider a reasonable likelihood for each threat and hazard to occur? If you think after reviewing the aforementioned or other available information that the likelihood is low, then rank the threat or hazard low.

The same process is followed for the probability of occurrence. However, on the probability side think about your security program, security strategies, procedures, emergency plans and other operational processes that are in place to prevent or mitigate loss events or the lack of these things that would leave your operation more vulnerable to the loss event. If you think that you are lacking in processes and procedures, leaving your business more vulnerable to a threat then you would rank the probability of the threat occurring on the high side with 5 being the highest ranking.

Next your safety and security focus team will consider the impact of each threat to your business. If the impact is considered high, then rate as 5 and if on the low side then rank as 1. Consider the value in dollars as well as harm to the reputation of your business when ranking impact. Your team will then rank the impact on others on a 1-5 scale considering the harm to individuals and to the victims. The impact to others can be different than the impact to a business. For example, the impact of damage to an employee’s car while in your parking may be ranked as a 4 by the car owner but the business owner may rank the impact to their business with a lower ranking.

Once these scores are totaled across your chart such as on the attached sample chart, you will select security strategies to prevent or mitigate damage from each threat or loss event with priority focus on the highest ranked threats and hazards.

PART B: Risk management determines cost effective security strategies to mitigate threats and hazards and reduce vulnerabilities. One security strategy that is often implemented without proper evaluation is the implementation of a CCTV system. While this security strategy may be helpful, an experienced security manager or consultant understands the importance of conducting a security risk analysis prior to adding equipment, services or changing a security process. Making change without appropriate analysis may create liability as well as prove ineffective.

Remember, security strategies are designed to mitigate a loss event. When selecting security strategies, you will consider: 1) Implementation cost. 2) Maintenance cost. 3) Attractiveness of asset. 4) The likelihood of the strategy preventing the threat or hazard or mitigating the impact. 5) The cost benefit of the strategy. You would not select a $20,000 strategy to protect an asset from a threat that could cost $500.00 with a low probability of occurrence.

The final and most often over-looked part of the security risk analysis is the maintenance phase.  This is the phase that was overlooked in the Colorado Theater Massacre.

All too often cameras and alarms are added and procedures are put in place to increase protection but these systems and procedures are then neglected. An on-going audit and review program to ensure compliance with policies and procedures designed to protect assets, an emergency plan for all major events that could occur, and education and training programs to promote security awareness are essential for the success of any security program and the key is that these actions must be on-going.

How many times do we read that a company or municipality had the best CCTV and or alarm equipment only to learn that the system was not working! There are many examples, but a striking example was the burglary that occurred at a Paris Museum where thieves gained entry and stole several hundred million dollars in art. The burglar alarm had not functioned for nearly six weeks. Or consider the CCTV system in NYC where many of the cameras had not functioned for some time. Unfortunately a malfunctioning security system is often discovered only after a serious breach of security has occurred.


Jim McGuffey, M.A., CPP, PSP has 35 years of security management experience. He is board certified in Security Management, Physical Security and Investigations. Jim is one of 64 security professionals in the world who hold all three ASIS International Board Certifications in Security which are accredited by the Department of Homeland Security. He has a B.A. in Criminal Justice and M.A. in Management and has been a member of A.S.I.S. International since 1981. Please contact A.C.E. Security Consultants LLC to learn how we can help your organization improve safety and security which in turn will enhance your profit margin.


Hilton Head, South Carolina

Disclaimer:  The articles contained on this website are written for general information purposes only and are not intended to be, and should not be used as, a primary source for making security decisions. It is the responsibility of the end users and viewers to evaluate and seek out additional guidance as deemed appropriate for application.