The Importance of a Physical Risk Assessment

THE BACKGROUND

In today’s world security is on the forefront of everyone’s mind. Doing a simple web search for the word “security” will show a plethora of companies offering products to protect yourself on a personal level. Many people have installed security cameras, alarms, smart locks, smart lighting and more to protect their own homes…all of which can now be controlled from a cellphone. Similarly, businesses have taken steps to increase and modernize their security posture to protect their assets, employees, and clients. Twenty years ago the word “data breach” was hardly heard of. Today, we are constantly hearing about businesses becoming victims of cyber attacks that have left important and personal information exposed.

As a matter of fact, cyber security has become so focused on that many businesses have forgotten the importance of their physical security. Ask most if they can explain what a Physical Risk Assessment involves and I can almost guarantee you will get mostly blank stares back. Let’s take the retail industry as an example. As most are aware, these businesses are fighting for survival against online competition. Unfortunately, many brick-and-mortar stores are having to shut their doors. However, the online competition was not their only problem. In 2019, retail crime continued to be one of the major issues facing this industry, with losses in the billions of dollars annually. (NRF, 2019 research). These general crimes include burglary, robbery, property damage, employee theft, shoplifting, fraud, and workplace violence to name a few. So what are businesses doing to combat these types of issues? The answer is not enough.

I regularly interact with businesses facing constant issues with crime. Unfortunately, most have poor systems in place that actually work to mitigate crime or risks (I am specifically thinking of one very well known, large, national discount store chain). These systems typically give the business the ability to observe risks and crime, such as shoplifting, but do nothing to actually deter these activities from occurring in the first place. Many businesses have even gone so far to create loss prevention or security departments to assist in combating these issues. This sounds like a great idea, right? The problem is many existing policies and procedures make these departments ineffective. Having specific personnel crammed in a tiny office watching surveillance cameras does absolutely nothing to prevent crime from happening in the first place. Having a plain clothes security position, blending in with other customers, does not serve prevention either. There are two things not being implemented, in the majority of businesses, that have actually been proven to help statistically reduce risks. They are:

1) Employee Training

2) CPTED (Crime Prevention through Environmental Design)

Training employees on topics such as situational awareness and other security related issues can help them know what to look for, how to be more aware of their surroundings and how to use themselves to help mitigate risks. One study has shown that employee engagement can reduce theft by approximately 46%. How so? A trained employee can recognize a person that may be contemplating shoplifting and engage them in conversation. Is there anything I can help you with? Do you need any assistance with that item or finding other similar items? This engagement does two things. First, It tells the person, indirectly, I am taking notice at what you are doing. Second, it causes the person to re-evaluate their actions on a risk-reward thought process.

CPTED specifically addresses the physical built environment. Manipulating specific environmental aspects, such as employee placement, store layout, and the location of surveillance cameras can have a major impact on the psychology of a “would-be” criminal as they process their decision making. An excellent example of a business implementing CPTED would be the popular electronics store Best Buy. Walk into any Best Buy store and you see the same exact thing…a professional employee that gives a warm welcome as soon as you step inside the entrance doors. Every person that enters these stores immediately recognizes several things. First, this employee is part of the security department. Second, I have been personally observed and contacted by this employee. And third, this employee is standing behind a podium watching all security feeds on a monitor. Do you think this has an impact on someone with bad intentions? Absolutely! As you exit the store you make contact again with the same employee who checks receipts and thanks you for coming in.

WHAT IS A RISK ASSESSMENT?

The impact of crime in relation to business was briefly discussed. But a Physical Risk Assessment does not just focus on crime. A proper Risk Assessment should focus on what is known as an All-Hazards Approach. This simply means assessing all probable vulnerabilities and risks to a business. The Department of Homeland Security states on their website Ready.gov, “threats or hazards that are classified as probable and those hazards that could cause injury, property damage, business disruption or environmental impact should be addressed” in any emergency preparedness plan using the all-hazards approach. The one problem with some of the All-Hazard approach Risk Assessments is that they can be overwhelming and cover a number of things the majority of most physical locations would not need to consider. An example of an in-depth Risk Assessment can be found on FEMA’s website here. The key to remember is a Risk Assessment evaluates probable vulnerabilities/threats and then takes steps to mitigate or lessen the impact of the vulnerability. There could be hundreds of potential vulnerabilities but only a handful of major probable vulnerabilities. As an example, It would not be practical, for a business based in Tucson, Arizona to implement Risk Management strategies for major weather emergencies such as snow storms. Could it happen, sure. Is it probable that it would happen, no. The Risk Assessment considers these things during a CBA (cost-benefit analysis).

THE FOUR STEPS OF A RISK ASSESSMENT

A Risk Assessment includes four primary steps to help a business identify, asses, and mitigate vulnerabilities. Those four steps are: 1) Identify Hazards, 2) Identify Assets at Risk, 3) Analyze the Impact of Risks, and 4) Make Recommendations and Implement Strategies. A fifth step that should also be included is to regularly review your assessment and update as necessary. Identifying hazards as the first step involves assessing all parts of a physical building, it’s environment, operations, and surrounding areas. It must be known there is a difference between a “hazard” and a “risk.” A hazard is anything that poses a potential harm to any facet of the business. A risk is the likelihood of a hazard actually occurring. After identification there should be a process of correlating the specific assets at risk for each hazard found and how much harm could be caused. The next step would be conducting an impact analysis of the potential damage a risk carries. Depending on the type of risk, an impact analysis can show the monetary value a risk would pose, such as damage to property, assets, and money lost to having to temporarily close business doors. It would also include the amount of potential harm posed to employees and clients or customers. The last step is examining the identified risks through a Cost-Benefit Analysis and prioritizing them. Solutions are then created and implemented to either completely remove certain risks or lessen their impact if occurred. These solutions should be documented to show certain hazards have been identified and steps have been taken to reduce or eliminate the risks. It should be remembered this is not something that can be done once and forgotten about. On-going assessments should be conducted to re-evaluate the risk environment to see what has changed.