It’s like clockwork. If an electric company payment office receives a threat, the water company office across town calls to look into getting a bullet resistant barrier.
If there’s a school shooting anywhere, Total Security Solutions starts getting inquiries about installing bulletproof vestibules from schools nationwide.
A bomb is mailed to CNN in New York; TSS will be receiving inquiries from small-town newspapers all over the U.S.
“It’s natural for these things to be front of mind,” says Total Security Solutions CEO Jim Richards. “People worry about the threat that comes immediately to mind—and that’s gonna be the one they’re seeing on the news. Still, as a company, TSS strongly advocates for an ‘all-hazards’ approach. You take a comprehensive look at your challenges. We’ll help you come up with a comprehensive system for addressing them.”
A Four Step All-Hazards Approach to Physical Security Planning
The Department of Homeland Security (DHS) reminds us that, as you consider security, you “should take an ‘all-hazards’ approach. There are many different threats or hazards. The probability that a specific hazard will impact your business is hard to determine. That’s why it’s important to consider many different threats and hazards and the likelihood they will occur.”
DHS has collected many handy resources for organizations performing their all-hazards risk assessment; worksheets like this one can really help focus the conversation if you have many stakeholders or a large organization.
Many security experts advise the following four step all-hazards security planning process, based on DHS recommendations:
Step #1: Identify Hazards
Take a comprehensive look at the many hazards that your organization or facility faces. This list on the Ready.gov website is an excellent starting place. It’s easy to get focused on items in the news. (At the time of this writing these include ten mail bombs, a shooting at a grocery store, a thwarted school shooting, a successful school shooting, an attack on a Pittsburgh synagogue, tropical storm related flooding, and severe weather). So don’t forget about risks (like fire) that are so familiar we often forget how common (and deadly) they can be.
Now rate each hazard in terms of probability (how likely it is) and magnitude (how bad it is).
For example, a school might rate fires as a high probability event with low magnitude (there are thousands of fires in schools ever year, but fewer than 0.1% result in a fatality). An active shooter event, on the other hand, is highly uncommon—only about 0.03% of schools suffer such a tragedy. But an active shooter event is enormously damaging in terms of lives lost, lives damaged, public anxiety, erosion of institutions, the costs of trials and lawsuits, disrupted communities, and more. As such, its magnitude is near the top of your scale.
Step #2: Consider Your Assets
When considering assets, DHS points out, “injuries to people should be the first consideration of the risk assessment. Hazard scenarios that could cause significant injuries should be highlighted to ensure that appropriate emergency plans are in place.”
While people are no doubt your most valuable assets, they are far from your only assets. Your asset list will include both physical assets (buildings, equipment, etc.), as well as less tangible assets (data, reputation, community confidence, worker peace-of-mind, etc). Rate these in terms of how vital they are to your organization and its functioning or survival.
Now identify each asset’s vulnerabilities. What makes that asset likely to fall prey to one of the hazards you listed in Step #1? Is there a point of failure that exposes that asset? Is the asset especially attractive for some reason?
In general, a vulnerability will either
- increase the probability of an event (making the event more likely)
- increase the hazard’s magnitude (making it more damaging)
- or both
Step #3: Assess Impacts
Go through your list of hazards (from Step #1), and consider the potential impact on each asset (identified in Step #2).
For example, if you operate a lumber mill, your assets may include workers, lumber, vehicles, office equipment, decades of paper files, and your reputation. A severe flood may destroy your warehouses, offices, and vehicles, sweep away decades of records, and ruin your stock, but it’s unlikely to harm workers or your reputation. Meanwhile, a fire resulting from years of ignoring fire codes could kill or maim workers and will likely leave clients questioning your reliability.
When possible, pin down the monetary costs associated with the damage or loss of each asset. This calculation may seem heartless—especially when it comes to human lives—but it’s important. There is always going to be some stage in your hazard reduction program when costs need to be justified to someone. You need to be ready to show what’s at stake, both in hearts and minds, and dollars and cents.
Step #4: Weigh Possible Mitigations
A mitigation can reduce the impact a hazard can have on your assets (and thus your organization). A mitigation might do this at any stage—by eliminating a hazard or vulnerability, by reducing the probability of an event, by lessening the magnitude of the event, or by easing its impact. Some mitigation strategies will reduce risks at multiple stages. For example, installing a new fire suppression system won’t just reduce the probability and magnitude of a fire (addressing the hazard directly). It will also reduce your insurance rate, allowing you to purchase more coverage (and thus ease the impact if a freak accident should occur).
Embracing the All-Hazards Process
Jim Richards applauds any planning process that gets people thinking comprehensively about security.
“As the name implies, we develop total security solutions; they are attractive, integrated solutions that fortify a building in general. We can offer the physical means to protect. But comprehensive security entails a human-centered solution. We’re more than happy to help people think through all the hazards—including ones [that] building occupants might accidentally introduce, just going about their daily business. We like helping organizations formulate a solution that addresses many risks—and makes their facility a better, safer place to spend your day.”