As a result of the numerous domestic terrorist attacks and mass killings, I am often asked if these loss events are preventable and are attacks on places of worship preventable. My response is that the vast majority all of security incidents are preventable if organizations take time to utilize a security risk assessment process to improve safety and security at their facilities. The following is a summary of this process and in no way intended to address every aspect of a comprehensive security assessment.
Every organization has an obligation to protect employees and visitors while on their premises. To ensure that basic protection is met, a security program is necessary. A security program’s objectives are to deter, delay, detect, deny, respond to, and recover from reasonably foreseeable loss events. These objectives are not met by simply installing a burglar alarm and CCTV System or conducting an active shooter event.
Implementing security strategies can prove costly and ineffective without first understanding what your security needs are and what you expect security strategies to accomplish. There are basic steps that you can take with assistance from an experienced security practitioner to help you understand just what it is that a security program can do for you and the security strategies needed to help your business protect assets.
Improving Security Using Risk Assessment Methodology
Conduct a Security Survey
The security survey consists of an on-site examination of your physical protection system which consists of policies and procedures, well trained security personnel, and equipment/technology to ensure that these three components are working cohesively to protect a facility. This survey will help identify vulnerabilities within your physical protection system and operation and will also be helpful when reviewing security strategies to enhance overall security during the risk analysis process. A survey should be done prior to purchasing security equipment or changing an existing security process or system. It is conducted by a qualified security practitioner along with someone familiar with the property and daily operations at your place of worship or adjoining facility such as a soup kitchen or school.
Form an Ad hoc Safety and Security Focus Team
This safety and security focus team is made up of key department heads familiar with day-to-day activities of your business and property. This team will work together under the leadership of the security consultant to conduct the security risk analysis. The focus team is not the safety and security team which will be formed later if it does not already exist.
Who should be on this ad hoc safety and security team to assess risk? I recommend: a person representing: Senior Management (Pastor and Youth Pastor) IT, Security, Safety, Administrative, Operations, Finance, HR, and Maintenance. Most smaller size place of worship, combine these roles.
The security risk assessment is broken down into two components: the risk assessment component and the risk management component.
Part A: Risk assessment identifies threats and hazards that could impact critical assets, the probability or likelihood of these threats and hazards occurring and their impact or undesirable consequence on the organization. A few examples of threats and hazards that occur at businesses are theft, medical events, vandalism, arson, assaults, fire, active shooter, and severe weather events.
After the security survey, the safety and security focus team will evaluate and prioritize critical assets requiring protection. Assets are people, property, information, and reputation of an organization. When thinking about assets and subsequent harm from a threat, consider the difficulty and cost of replacing damaged or lost assets and the harm and impact that a loss event can have on the reputation of your business. Assets are prioritized in order of value and level of protection required, with people being the most valuable asset.
Identify Threats and Hazards
The next step is to identify threats and hazards that can impact your business. Threats are normally associated with humans and can either be intentional or unintentional (fire started by accident or arson deliberately) while hazards are associated with nature such as hurricanes. Following are a few sources to help identify threats and hazards that could occur at your business: 1) Police reports of crimes in your immediate area. 2) Uniform Crime Reports for your municipality. 3) Insurance carrier. 4) Internal reports. 5) Other like businesses. 6) Professional associations 7) Open-source information, 8) CAP Index.
Probability of Occurrence
Your safety and security focus team will then decide the likelihood or probability that these threats and hazards will occur. In order to evaluate likelihood, the safety and security focus team will review historical information. A best security practice is to review security incidents occurring in the past two years, since recent incidents are a good indicator of future incidents. While recent past incidents are important, we cannot rely solely on this element since threats are always changing.
A few other crucial factors to consider are: 1) Close proximity of your facility to an interstate. 2) Isolation of your business. 3) Controversial issues involving your business. 4) Crime, gang activity and other socio-economic factors. 5) And one that I consider most crucial, is the condition and effectiveness of your current security system (policies and procedures, technology, and well-trained personnel).
If policies and procedures, technology and well-trained personnel are working cohesively and theses strategies are audited and current, the probability of occurrence is low. However, if the policies are outdated, technology is not audited regularly for effectiveness and training is not ongoing, then the likelihood of a loss event occurring is high.
Once your safety and security focus team evaluate this information, each threat can then be ranked on a scale of 1 to 5 with 1 being the least likely to occur and 5 being the most likely. What do you consider a reasonable likelihood for each threat and hazard to occur? If you think after reviewing the aforementioned or other available information that the likelihood is low, then rank the threat or hazard low.
Undesirable Consequence of Loss
Now your safety and security focus team will consider the impact or undesirable consequence that each threat or hazard could have on your business. If the impact is considered high, then rate as 5 and if on the low side then rank as 1. Consider the value in dollars as well as harm to the reputation of your business when ranking impact. Your team will then rank the impact on others on a 1-5 scale considering the harm to individuals and to the victims. Consequence is impacted by your ability to recover from a loss event, which is enhanced by maintaining a resilience plan that is updated and practiced as necessary to meet changing threats.
Once probability and consequence of loss scores are totaled across your chart, select cost effective security strategies to prevent or mitigate damage from each threat or loss event with priority focus on the highest ranked threats and hazards, probability of occurrence and consequence of loss. There are only so many resources available, so we must have a method to prioritize protection efforts.
PART B: Risk management determines cost effective security strategies to mitigate threats and hazards and reduce vulnerabilities. One security strategy that is often implemented without proper evaluation is the implementation of a CCTV system. While this security strategy may be helpful, an experienced security manager or consultant understands the importance of conducting a security risk analysis prior to adding equipment, services or changing a security process. It is important and necessary to understand what is expected from the implementation of each security strategy. Making change without appropriate analysis may create liability as well as prove costly and ineffective.
Remember, security strategies are designed to mitigate a loss event. When selecting security strategies, you will consider: 1) Implementation cost. 2) Maintenance cost. 3) Attractiveness of asset. 4) The likelihood of the strategy preventing the threat or hazard or mitigating the impact. 5) The cost benefit of the strategy. You would not select a $20,000 strategy to protect an asset from a threat that could cost $500.00 with a low probability of occurrence.
The final and often over-looked part of the security risk analysis is the maintenance phase. This is the phase that is most often overlooked!
All too often cameras and alarms are implemented, and procedures are put in place to increase protection, but these systems and procedures are then neglected. An on-going audit and review program to ensure compliance with policies and procedures designed to protect assets, an emergency plan for all major events that could occur, and education and training programs to promote security awareness are essential for the success of any security program and the key point is, these actions must be on-going.
How many times do we read that a company or municipality had the best CCTV and or alarm equipment only to learn that the system was not working! There are many examples, but a striking example was the burglary that occurred at a Paris Museum where thieves gained entry and stole several hundred million dollars in art. The burglar alarm had not functioned for nearly six weeks. Unfortunately, a malfunctioning security system, an outdated or ineffective policy, or method of operating is often discovered, only after a serious breach of security or loss event has occurred.
As it related to terrorists, they seek nothing more than to damage or destroy a place of worship so that it cannot return to normal operations. Their biggest fear is failure. Part of any security strategy should include a resilience plan designed to assist the organization in the recovery process. This plan is designed to assist places of worship quickly adapt to disruptions of service and regroup by relocating to another facility or relying on other businesses to assist in continuing critical operations until normal services are fully restored.
The aforementioned writing is simply a summary review of a comprehensive methodology to evaluate and mitigate risk. I recommend an easy-read paperback entitled “The Security Risk Analysis Process” by Ira S. Somerson, CPP to obtain a more thorough understanding of this important process.
An important outcome of this process is that the end result is an evaluation of existing security and recommendations of cost-effective security strategies to improve safety and security which are completed by key personnel who are responsible for implementing the results produced rather than outside resources writing the plan with little or no input from the local team.
ABOUT THE AUTHOR:
Jim McGuffey, M.A., CPP, PSP has 50 years of security management experience. He is board certified in Security Management, Physical Security, and Investigations. Jim is one of 350 security professionals in the world who hold all three ASIS International Board Certifications in Security which are accredited by the Department of Homeland Security, International Standards Organization, and the American National Standards Institute. He has a B.A. in Criminal Justice and M.A. in Management and has been a member of A.S.I.S. International since 1981. His background consists of military, law enforcement and private security management. Contact: [email protected] Sine 2012, Jim has served as an instructor in the Department of State antiterrorism program in the Middle East, Asia, Africa, South America, Latin America, and Mexico teaching 75 courses on Hostile Surveillance Detection, Critical Infrastructure and Security Resilience and Protecting Bus and Railway Systems from Terrorist Attacks. .
Disclaimer: The articles contained on this website are written for general information purposes only and are not intended to be, and should not be used as, a primary source for making security decisions. It is the responsibility of the end users and viewers to evaluate and seek out additional guidance as deemed appropriate for application.