Making The Most Of A Security Risk Assessment

Making Organizations Safer

"The prudent see danger and take refuge, but the simple keep going and pay the penalty "

-PROVERBS 22:3

When starting a security program there is a desire to jump straight towards implementing a safety team, but this can cause many organizations to overlook what perhaps is one of the most crucial things that can determine the success of your safety programs; conducting an assessment of your current security practices.

You may hear many terms for a security risk assessment such as risk assessment, threat assessment, vulnerability assessment, or security audit. Although slightly different, they all have the same desired outcome; assessing your threat environment and current state of security practices.

The security risk assessment will most often focus on physical security, people, technology, and programs. It’s a way to identify ineffective safety measures, find gaps and assess controls to improve your security.

Why Do you Need a Security Risk Assessment?

• An assessment of your security operations will create a road map of how to get from point A to B, but having the security risk assessment completed is only the beginning of your journey as you need to find the best person to execute the plan!
• Pretty much all companies big and small hold a great depth of risk and responsibility through the law and the moral social obligation to keep those in their care safe.

How Does the Process Work?

• The assessment starts with identifying and ranking your assets which will later help prioritize the recommendations. The information gathered through on-site assessments and interviews with key staff and volunteers will help find gaps that expose your assets to threats within your organization.
• After identifying and quantifying the potential threats (violence, natural hazards, theft, domestic disputes and other incidents) you will have identified the greatest risks to your facility.
• At Kingswood, we then rank each protective measure using the following factors: fiscal cost, resource cost, risk reduction, and implementation timeframe within our reports. There are numerous documents, overviews and helpful guides online that you can find.
• One of the first questions you need to establish is who will undertake this process? Will you tackle this process yourself, be guided by a consultant or local police crime prevention specialist? There are pros and cons to each of these but ultimately it comes down to your experience, timeframe, and the access to funds to pay for the expertise required to complete this task.

Start by Interviewing Key People

The process should start with understanding your security culture, known issues, past problems, views of leadership committees, and opinions of those within your organization. This is the best way to start as the more rounded your conversation can be, the more focus you can place on what areas you need to assess. The security risk assessment will not be able to cover every aspect, nor should you want to as the report will become too lengthy and ineffective. The goal is to be able to act on a plan. You must be able to execute the recommendations to improve your security. Those that end up with a 200-page report find this too cumbersome and overwhelming. It’s fair to say you will get out of it what you put into it. If you’re doing this yourself, talk with everyone. If your hiring a consultant, discuss with them a fair number of people to interview and agree on this before the process starts.

Here are some examples using a church as an example:

• Facilities leaders
• Business administers and church finance
• Youth leaders, children’s directors, preschool staff
• Church leadership (trustee/executive board)
• Church staff (pastors/executive pastors/outreach program leads)
• Tenants and third parties that use the building
• Volunteers

What Should the Risk Assessment Include? 

The next step is to start a comprehensive assessment of the building, programs and administration. At Kingswood we deploy a methodology that most commonly covers these four principal areas:

• Human
• Physical Security
• Technology
• Administration

The security risk assessment process should be a slow, methodical walk through of each area to gain an understanding of church operations to then be able to offer improvements. (see checklist on last page.

Some Areas to Think About

Here are some areas you might want to cover when you conduct your security risk assessment:

• Building Services: Entrances, emergency exits, evacuation plans, active shooter, sign in/sign out procedures, staff training.
• Technology: Card access, alarms (panic/burglary), CCTV etc.
• Security Procedures: Background checks, response procedures, lockdown, fire, etc.
• Special Events: High profile speakers, private events, conferences, social functions, community outreach
• Physical Security: Doors, locks, lighting, alarms, protection of visual equipment, valuables, protection of human asset
• Staff/Volunteer Training: Situational awareness, scenario training, policy procedures, Emergency Action Plan (EAP), lockdown, medical (Include all hazards)
• Cash Handling: The modern use of technology (apps) and cash money movement
• Vehicle Operations: Insurance coverage, fair use, driver policies
• Foreign Travel: Risk assessments, insurance, K&R policy (kidnap and ransom), medical coverage, business continuity planning. Executive Protection (EP), contract security, medical coverage
• Building Tenants: Assess risk of organizations that may use your building after hours or sub lease space from you. Groups such as Alcoholic anonymous (AA), counselling services, domestic violence groups, divorce care, rehabilitation, mental illness all come with higher risk.

Present the Findings to Leadership

• At this point you should have an idea of how many pages the report will be. If you have hired a consultant will this be 50 or 200 pages? If you went through the process alone, how will you present the findings to your board or leadership team?
• Don’t take on a bigger report than you can handle so understand what it will look like before it's written. Once you have the report, meet with your safety committee and leadership team.
• Discuss the contents and work out what you can do to take immediate action and what items need further discussion due to budget or security culture of the organization. Some people worry about having all of the vulnerabilities laid out in a report. Remember you are not expected to act on everything in the report, prioritize and move forward with a plan!

Some Key Points to Focus On!

• A security risk assessment is an inspection that covers risks, vulnerabilities, and provides mitigating controls in the areas of physical security, technology, human vulnerabilities, and emergency preparedness. Make sure you guide the assessment in the areas to what will best serve you.
• A security risk assessment is vital to your success. You can do it yourself or hire a professional. Consider your objectives and determine what the best course of action is for you based on the budget you have available.
• Remember, if you conduct the assessment yourself, there is advice, cheat sheets and templates online. Use some caution with those though. Perhaps someone in your organization has experience in risk mitigation and management strategies that can help otherwise seek a professional.
• Talk with people from all over the organization to obtain their buy-in. All departments should be interviewed during this process to get the most rounded results possible
• The report is just the beginning. If using a consultant, find someone who knows your organization and community well and has the heart of a teacher to support you.
• Who can support you with the recommendations? Where will the budget come from and when is the best time of year to complete this process?
• What you are looking to achieve? Is it a 140-page document with 60 recommendations or 30-50- page document with more manageable recommendations? You’re the customer, you drive what the product should look like based on your ability to execute a plan.
• Remember a security assessment is not a one-off budget expense. You should see the value and expect to do this at a high level every three to four years going forward. Your safety committee can help execute the recommendations.
• A holistic security assessment is an investment not an expenditure. Failure to act could result in financial liability against your organization.

Building Assessment Checklist

1. Do you hold a detailed inventory (including pictures for insurance and police reports) of your building’s assets
2. Do you mark your valuable assets by writing your organization name on them with a permanent marker pen?
3. Do you have the appropriate lighting in and around the doors, windows, parking lots and entrances to your building?
4. It’s often a simple security measure to have the internal lighting on timers so they come on even when your building is not in use. Do you have any lights on timers?
5. Do you have outdoor lights on timers?
6. Do you ensure that shrubbery and trees around your lighting, doors, and windows are regularly trimmed back to ensure visibility to the widest areas?
7. Are the lighting controls protected so only those with permission can have access to them?
8. Are all of your external doors physically secure?
9. Do you have locking hardware on the internal doors of any areas that have children or infants so they can lock themselves in when needed?
10. Have you conducted an assessment to test the locks and hardware of the internal doors to make sure they are suitable to prevent a human threat from entering?
11. Do you keep records of everyone who has keys to your building including access control?
12. Do you audit your records to ensure that the people who have key/card access to the doors use rooms for a business reason?
13. Do you have an escalation process for missing, lost, or stolen keys/card access?
14. Do you have a sign in/out process for keys provided to tenants or for those that are used during special events?
15. Do you have a process in place that restricts access for tenants or renters of your building from other rooms or areas they do not need to access?
16. Do you have a culture around locking internal doors (offices/classrooms) when they are not in use?
17. Do you protect high risk and sensitive areas that are home to your safe, petty cash, TVs, server rooms, and confidential information?
18. Do you have a process in place to walk around the building checking for vulnerabilities before the last person leaves the building?
19. Do you check all windows on the ground floor are locked before people leave the building?
20. Would you consider your windows to be in good repair and are able to keep people with harmful intentions out?
21. Are all valuables secured on church property (cameras/audio visual equipment)?
22. Do you have a good culture around health and safety laws checking that corridors are clear of obstructions and emergency exits are identified?
23. Do staff and volunteers know where fire extinguishers are kept, and do you test them regularly?
24. Are you in compliance with all local rules and regulations? If yes, how do you know?
25. Do you have a strong culture around reporting torn or broken slip mats on concreated or non carpeted floors, reporting lose or damaged handrails, and other hazards that could cause injury?
26. Do you check that all staff offices and rooms are clear of hazards? What can be done to mitigate risk?
27. Could a member of staff or person outside of facilities shut off mechanical equipment such as gas and electric in an emergency?
28. Do you have maps of the building displayed in prominent areas to help staff find excavation plans and emergency exists?

Simon Osamoh is a British American and founder of Kingswood Security Consulting and the Worship Security Academy. He spent 14 years as a Detective in England working serious and organized crime. He moved to the United States to Head Counter Terrorism at Mall of America, Minnesota. Simon is a Christian and has spent over a decade helping non-profits stay safe and secure. He is the author of three books, Securing Church Operations, Church Safety Responding to Suspicious Behavior and 10 Powerful Strategies for Conflict De-escalation. He is the host of the Church Security Made Simple Podcast and a member of the Worship Facility Editorial Advisory Board.

NEED HELP WITH YOUR NEXT STEP? Book a free discovery call click here