Best Practice: Conduct a Security Risk Assessment
Part 3 of our 3-part August cover story on why understand the threats can help prepare FMs for uncertainty.
Whether the danger of ISIS terrorists from abroad coming into the United States is the top security threat depends on whom you ask, says Lang, noting that there are homegrown terrorists, such as the Aryan Nation and others, in every state in the country. Other threats include those revolving around cyber security and actions by Russia and China.
Lang agrees that the risk of ISIS terrorists entering the country is a major threat, “but I wouldn’t say all our resources need to be put into that.”
In a world of many threats and limited resources for dealing with them, security experts agree that one of the best steps that facility managers can take in light of any threat is a security risk assessment.
Whether it’s ISIS, workplace violence, or an active shooter — which Ahrens notes all share many similarities — an assessment can give a clear picture of what threats have the highest probability of occurring. For example, the assessment results will be very different if the building contains a key transportation hub or houses an agency such as the Department of Homeland Security than for a building that does not.
Ahrens recommends that facility managers have a risk assessment conducted if one hasn’t been done in the past five years, looking at different threats and exposures that have occurred since the last assessment. A broad risk assessment that looks at terrorist and man-made issues and workplace violence is prudent from a liability standpoint, Ahrens says.
“You need to look at your building, your communication and awareness programs,” Ahrens says. “The risk assessment is what guides the plan. And look at some controls that weren’t implemented before that you might want to do now, such as mass communication. You need to tell people in the building where the staging is. And what if people go home? You need to have an effective communication plan.”
A security risk assessment for a business or organization must be considered in light of the specific organization’s mission or purpose and potential threats, Duda says. When a business or organization has known groups that oppose its existence, there is a higher probability that someone or some group will act, he says.
Whether it’s a terrorist or active shooters, Duda recommends hardening measures, physical and electronic security measures intended to mitigate or reduce the impact of an attack.
“Implement the recommendations that come out of the assessment, those countermeasures that make sense for the business or organization,” Duda says. “We hope for the best and prepare for the worst.”
Desiree J. Hanford, a contributing editor for Building Operating Management, is a freelance writer who spent 10 years as a reporter for Dow Jones. She is a former assistant editor of Building Operating Management.
Email comments and questions to email@example.com.