Publicly held companies are required by the Securities and Exchange Commission to file an annual 10-K report complete with an examination of risk factors. While it would seem that the security organization ought to play a role in developing the enterprise risk assessment (ERA) to meet this requirement, companies' boards often hire outside consultants or task Audit or Finance with this responsibility. Security leaders do not always have a voice in the process.
Because of this, the CSO's classification of security risk areas, such as facilities (see table below), by criticality and risk mitigation options may not correspond with classifications identified in the ERA. A more holistic view of risk would better serve the organization.
The Criticality/Mitigation Options tool was developed to help security leaders bridge this gap by providing them with an organized, visual format for communicating the security organization's perception of risk levels and mitigation options.
The outcome of this process can be presented to the board or the ERA team as the starting point of a conversation about how to align facility classification criteria so that they consider not only financial or legal risk but also business continuity and crisis management concerns.
Using facilities as an example, the sample below provides potential options for security risk mitigation related to criticality level. The options should be adjusted to your organization based on industry, facility type, location, corporate culture, etc. While the example below discusses facility security, the same process of classification of criticality and identifying mitigation options should be applied to other risk areas such as employees, travelers, and expats.
| Criticality Level | Facility Security Options | Comments |
|---|---|---|
| Level 5 Criticality: Targeted or Collateral Risk Sites | Review & ensure all actions at lower levels are occurring | |
| | Announce severe threat condition and explain expected actions | |
| | Deploy security personnel, emergency response teams, or assigned personnel according to plan | |
| | Prepare or begin total site shut down | |
| | Restrict or close all building access. Restrict access/parking to critical areas | |
| | Close or restrict entry to site to designated persons and emergency responders | |
| | Reduce site workforce to required critical people only | |
| | Keep on-site sheltered personnel up to date on local/national events | |
| | Begin periodic briefings to law enforcement and Sr. Management | |
| | Inspect/search all incoming boxes and packages | |
| | Restrict or suspend deliveries, mail, and shipments except emergency supplies if necessary | |
| Level 4 Criticality: Mission Critical Sites | Review & ensure all actions at lower levels are occurring | |
| | Notify all staff of threat level and brief them on assignment & expected actions | |
| | Ensure access control audit trails are in place & functional | |
| | Prepare to search incoming individuals & vehicles | |
| | Restrict on-site parking, deliveries, & inbound shipments | |
| | Place critical staff and emergency responders on notice to be available & appoint a "Security Team" | |
| | Compile & review daily reports on all unusual activities & occurrences | |
| | Review emergency operations center & establish communication with emergency management officials | |
| | Monitor world & local events closely, including a daily review of the Corporate Security Website & links to key sites | |
| | Enact random-time security guard shift changes | |
| | Ensure the facility manager and other members of leadership can be contacted 24 hours a day | |
| | Increase physical security and protection measures | |
| | If possible, have law enforcement vehicles park around the site or facility | |
| | Provide all contractors, vendors and temps with identification & require that they wear it on company property | |
| | Employees must wear identification while on company property | |
| Level 3 Criticality: Key Facility Sites | Notify all staff of threat level and brief them on assignment & expected actions | |
| | Review & ensure all actions at lower levels are occurring | |
| | Test gates, security doors/locks, cameras, monitors, recording, & communication equipment | |
| | Establish or verify law enforcement communications | |
| | Review specific site or business unit security requirements | |
| | Monitor government information & notification sources | |
| | Review and communicate reminders on bomb threats, unauthorized people, reporting & lockdown procedures | |
| | Full-time security person for site or business | |
| Level 2 Criticality: Enhanced Security Sites | Review & ensure all actions at lower levels are occurring | |
| | Maintain security levels and periodically validate the effectiveness of key measures via testing or drills | |
| | Identify and maintain restricted access areas | |
| | Utilize enhanced access controls such as security officers, electronic access, etc. | |
| | Maintain fenced areas to reduce liability or hazard risks | |
| | Review & update operational plans & procedures as necessary | |
| | Review security, threat, emergency, & recovery plans | |
| | Review supplies and necessity inventories | |
| | Develop or strengthen liaison program with security & law enforcement personnel from surrounding sites & communities | |
| Baseline Level Criticality: Baseline Security for all Sites | All sites operate at this level of security or are making progress towards it | |
| | Appoint a facility security coordinator | |
| | Site management & security coordinator are briefed & accept responsibility for site security | |
| | Complete risk assessment of site security risks | |
| | Develop a site security plan, obtain site management concurrence & submit annual letter to Head of Corp. Security | |
| | Educate employees on security risks and responsibilities | |
| | Post security signs & warnings | |
| | Issue identification & control access to the site | |
| | Meet lighting minimums | |
| | Establish program for Protecting Business Information | |
| | Report and investigate security incidents | |
| | Complete, maintain & test emergency response plan | |
| | Budget for added security measures | |