Every year or so, I get a medical check-up, and every year or so the Doc says, “Why don’t we schedule that colonoscopy for you now?” The idea of doing a “deep dive” sends shivers up my spine. But you know what, he’s right: every year or so you need to check your health on a deeper level. (Pardon the pun.)
Well, the same goes for the physical health of your facility; i.e., apartment building, corporate office, high-rise, hospital, retail space, etc. I mean, after all, that’s what vulnerability assessments are all about. They are designed to judge what kind of shape you’re in on a physical security level, and then prescriptions, or mitigation strategies, are prescribed to fix what ails you, err…the building.
Without a quantitative method for risk assessment and analysis, the question of, “Am I–or are we–in good health, from a security standpoint?” cannot be truthfully answered. In order to accomplish its purpose or function, every organization or owner must protect personnel and critical assets from all threats, both natural and man-made. Spending limited funds to protect personnel, assets, and equipment is a delicate balancing act in risk management. The question always arises: “Am I getting enough bang for my buck?” Responding, “I think so,” simply won’t cut it.
In risk management, the estimates calculated from a quantitative assessment are used as the basis for making decisions.
Using a quantitative methodology makes risk quantifiable; it becomes a yardstick that can be used to make decisions about allocating resources (funding and people). We believe risk is associated with the protection of assets (personnel or property) rather than the reinforcing or hardening of a building. In many cases, risk analysis and risk management become an optimization analysis that examines risk reduction values (due to implementing countermeasures) and the associated costs to implement the identified countermeasures through a simple cost–benefit study. Although performing a detailed risk assessment is normally a complicated task, following a methodology whose results are site specific and tailored to an organization’s needs makes the process much more manageable. In turn, the results of the analysis can be used to make informed decisions in the allocation of resources to mitigate those risks.
Even so, a methodology that cannot be applied to both physical and procedural vulnerabilities and risks provides only partial value to the owner. Unlike qualitative or subjective assessment methodologies that focus on regulatory compliance, the methodology used should quantify vulnerabilities and risk, determine the cost effectiveness of specific improvements based on risk reduction and not necessarily costs, and help to prioritize solutions. This in turn allows decision makers to plan for and seek hard-to-get funding.
Assessing facilities without assessing their supporting infrastructure, especially when it comes to energy systems, is woefully shortsighted.
It’s kind of like going to the doctor for a runny nose and she never looks at your ears, eyes or throat. You’re going to have problems later.
Energy systems include electricity (for everything), fossil fuels/natural gas (backup generators/heating), steam (ambient control) and non-drinking water (chillers/HVAC). Analysis should identify the criticality of these components within a facility. That said, sometimes the most vulnerable part of a building is not actually in the building. Most facilities have a single point of failure (SPF) at the point where the building or activity connects to the grid. A failure here can have a devastating impact, especially for facilities that provide quality-of-life functions. Unfortunately, SPFs come in many shapes and sizes. Tangible locations, such as a building or an energy system node, are usually easily and readily identifiable; however, SPFs within processes or procedures are a little more difficult to identify. Nonetheless, they may be vitally important and therefore cannot be overlooked.
Springtime is the best time for a physical security check-up. If you need follow-up lab work or visits, a corrective diet or an exercise plan, the summer months and the nice weather they bring give you a chance to implement whatever the doctor orders.
Doug Haines, MPSE, is owner/CEO of Haines Security Solutions, Ventura, CA.