Security Shredding and Storage - a shredding industry publication

Export Regulations Security Risk Assessment: Five Steps to Completing a Security Risk Matrix

Companies that handle waste-related commodities, such as shredded mixed office paper, may not have the physical security of their buildings top of mind, especially if they have never experienced a security breach.

However, businesses that provide security and peace of mind to others through secure document destruction should stand as an example of overall physical security as well.

Conducting a security risk analysis, through the creation of a security risk matrix, can be an affordable, time-effective and streamlined process that ultimately prevents breaches in security and protects a facility’s most valuable assets. While it may not change the mind of a motivated offender, it can enhance the security of a facility so it is no longer a target for victimization.

 

The following five steps can create an effective security risk matrix to help determine how best to improve a facility’s security, regardless of the size and complexity of the operation. The process and examples cited have been simplified in order to introduce this type of assessment to those outside of the security field.

 

1. List the assets most valuable to the company.

The most valuable assets for businesses with multiple locations will likely be different for each site. However, the assets that should be at the top of every list are the employees and visitors to the facility. A list of valuable assets should always start with human life and life-safety issues.

 

From there, the focus should be on “high value” items. This value can be estimated in terms of monetary cost, replacement cost, inconvenience, lost time and business disruption. Think in terms of the materials, machines, computers, cash and vehicles, then arrange those in lists according to their different kinds of value (e.g. monetary cost, potential business disruption).

 

For example, if an intruder steals a forklift, it may be vital to productivity, but it can easily be replaced or rented within a day. Conversely, if an intruder steals a shred truck, the business could be compromised for a much longer period of time, depending on the size of the fleet. The business relationship with clients could be jeopardized as a result, diminishing both the shred company’s reputation and income.

 

Looking closely at how the list of assets is arranged will allow a business to begin to see what is important and vital to its operation and profitability. The list of key assets for each location should be capped at approximately 10 items, then ranked from 10 to 1, with people assets always being #10 on the list. The matrix is a quantitative as well as qualitative method of viewing security risk, so an asset’s rank doubles as its score: the most important assets, ranked #10, are assigned the top score of 10 points.

 

2. Determine the potential threats to each asset.

The next step is to determine three specific threats that each asset could encounter. To do this effectively, take a whole hazards approach that can include crime and theft, mechanical sabotage, accidental fire and natural disasters. Include a realistic estimate of potential losses; these are referred to as loss events.

 

At this stage, make this assessment without time-consuming, in-depth research. This is an initial assessment during which “gut reactions” and knowledge as a business manager guide the entries. For example, if a shred truck is included as one of the top 10 assets, three potential threats that may be listed are theft, fire and sabotage.

 

In the event of theft or fire, the truck would be a loss, and the loss could be significant in regard to replacement, business delays and potential loss of clients. In the event of sabotage, perhaps by a disgruntled employee, the truck may be able to be repaired, but it may result in business delays as well as personnel losses.

 

3. Estimate the probability that these loss events will occur.

This step may require some thought, but does not require businesses to calculate a statistical probability. Rather, they should determine if these loss events are unlikely, possible or very likely. Other similar labels can be applied.

 

Once the probability of each loss event has been determined, assign points to that probability, such as 1 point for unlikely, 2 points for possible and 3 points for very likely. Remember, these probabilities are not being ranked, so each loss event for a particular asset could receive a score of 3 if all three loss events were very likely. For example, the probability that a shred truck will be stolen could be ranked as a 2 (possible), that it will be sabotaged as a 2 (possible), and that it will catch fire as a 1 (unlikely).

 

In determining probability scores, there may be a lot of information to consider, such as past incidents at the facility, local crime statistics, weather patterns or the attractiveness and vulnerability of those assets. In cases where it is difficult to rank a probability, it may be wise to give it a high score until a more accurate probability can be estimated.

 

4. Determine the impact criticality of each loss event.

Next, estimate the impact each loss will have on the facility and its operation. The impact criticality is also a simple ranking of perhaps three criteria: 1 point for a low impact loss, 2 points for a moderate impact loss and 3 points for a critical impact loss.

 

A low impact may be nothing more than some lost employee time with regard to cleanup, equipment repair or insurance reports. A moderate impact loss may mean the need to outsource repairs, a brief period of lost profits, employee injuries that result in workers’ compensation, and overtime. In the critical impact loss, the company may suffer a significant interruption to its operation which may result in lost customers, lost profits, and in the worst scenarios, lost lives.

 

Some items frequently reported in the document and information destruction business, which qualify as critical impact loss events, are the dreaded data breach or release of personal medical information. Government fines can be crippling to a business, as can the damage to trusted relationships and reputation.

 

5. Calculate your scores.

After determining assets and threats and estimating loss event probabilities and impact criticality, add the numbers across the columns horizontally for each row (see Table 1, example matrix), which should result in a score in the far right column. With the basic security risk assessment completed, it is time to analyze the data. First, look at the asset/threat combinations with the highest scores. Overall, these deserve the highest attention to security.

 

The matrix is a very basic security risk assessment including the quantification or scoring of security risk to specific assets. This is a basic skill and activity that many security professionals do on a regular and ongoing basis. The steps outlined here are some basic fundamentals to the procedures and methods which a security risk assessor may use in auditing or inspecting security at a facility.

 

Below is an example matrix with an explanation of the scoring:

Table 1. Shredding Operation Matrix Example

Asset (value)     Threat               Probability   Criticality   Score
Employees (5)     Hurt in fire         1             3             9
Employees (5)     Workplace violence   2             3             10
Employees (5)     Vehicle accident     3             3             11
Shred Truck (4)   Vehicle accident     3             3             10
Shred Truck (4)   Theft of truck       2             3             9
Shred Truck (4)   Sabotage             1             3             8
Baler (3)         Fire damage          1             2             6
Baler (3)         Mechanical fail      2             2             7
Baler (3)         Sabotage             1             2             6
Computers (2)     Burglary             3             3             8
Computers (2)     Fire                 1             3             6
Computers (2)     Hacking              3             3             8
Warehouse (1)     Burglary             2             2             5
Warehouse (1)     Fire                 1             3             5
Warehouse (1)     Theft of tools       2             1             4

 

Explanation of Example.

For simplicity, only five asset categories are listed, with the people assets assigned the top score of 5. This example is for a medium-size mobile shredding operation with several shredding trucks, perhaps 20 employees, a small office building and a large baling and warehouse building. The manager completing this assessment, valuing human life as the top asset, perceives that the most probable and critical threat of harm to employees may be from a vehicle accident involving a shred truck. The loss or damage to a shred truck receives a criticality score of 3 in every analysis, whether it is a vehicle accident, theft or sabotage. This further indicates that the shred trucks are assets worth consideration for a higher security level. Another standout asset deserving higher security levels and physical protection is the computer system. Though this asset is ranked toward the bottom of overall assets, the damage to operations and reputation that would follow if the computers were hacked or stolen in a burglary is highly critical to the overall operation of the facility.

 

Additionally, the manager recognizes that a fire may not be a highly probable threat to employees, but it remains a threat with significant consequences. Lastly, the scoring for workplace violence may be a realization of specific dynamics within the current workforce, or it may be an otherwise mature outlook on the threat and reality of workplace violence in business and industry in general. Due to these scores and the significance of protecting employees from harm, it would be appropriate for the manager to conduct a specific security risk assessment to prevent workplace violence. Similarly, a specific assessment would identify vulnerabilities and guide countermeasures to improve the security of the next most significant asset, the shred trucks. This shows that security risk assessments themselves can be conducted in layers: an overall assessment of the facility’s most valuable assets can lead to a more targeted assessment of specific assets.
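The five steps and the reading of Table 1 can also be carried out in a few lines of Python. This is an added example, not part of the original article: the class and function names are hypothetical, and the `max_value=2` cut-off for a "low-ranked" asset is an assumption chosen to surface the computer system the explanation singles out.

```python
from dataclasses import dataclass
from typing import Optional

PROBABILITY = {"unlikely": 1, "possible": 2, "very likely": 3}   # step 3
CRITICALITY = {"low": 1, "moderate": 2, "critical": 3}           # step 4

@dataclass
class LossEvent:
    asset: str
    asset_value: int             # step 1 rank; people assets hold the top value
    threat: str
    probability: Optional[str]   # None means "not yet estimated"
    criticality: str

    @property
    def score(self) -> int:
        # Step 3: a probability that cannot be ranked yet is scored high (3).
        p = PROBABILITY[self.probability] if self.probability else 3
        return self.asset_value + p + CRITICALITY[self.criticality]

# Table 1 from the article, with its 1-3 points written as the step 3/4 labels.
TABLE_1 = [
    ("Employees", 5, "Hurt in fire", "unlikely", "critical"),
    ("Employees", 5, "Workplace violence", "possible", "critical"),
    ("Employees", 5, "Vehicle accident", "very likely", "critical"),
    ("Shred Truck", 4, "Vehicle accident", "very likely", "critical"),
    ("Shred Truck", 4, "Theft of truck", "possible", "critical"),
    ("Shred Truck", 4, "Sabotage", "unlikely", "critical"),
    ("Baler", 3, "Fire damage", "unlikely", "moderate"),
    ("Baler", 3, "Mechanical fail", "possible", "moderate"),
    ("Baler", 3, "Sabotage", "unlikely", "moderate"),
    ("Computers", 2, "Burglary", "very likely", "critical"),
    ("Computers", 2, "Fire", "unlikely", "critical"),
    ("Computers", 2, "Hacking", "very likely", "critical"),
    ("Warehouse", 1, "Burglary", "possible", "moderate"),
    ("Warehouse", 1, "Fire", "unlikely", "critical"),
    ("Warehouse", 1, "Theft of tools", "possible", "low"),
]

def build_matrix(rows):
    """Step 5: score every asset/threat pair and rank highest first."""
    return sorted((LossEvent(*r) for r in rows), key=lambda e: -e.score)

def low_rank_critical(matrix, max_value=2):
    """Critical-impact events on low-ranked assets (max_value is an assumed cut-off)."""
    return [e for e in matrix
            if e.criticality == "critical" and e.asset_value <= max_value]

if __name__ == "__main__":
    for e in build_matrix(TABLE_1):
        print(f"{e.score:>2}  {e.asset:<12}{e.threat}")
```

Sorting by total score alone puts the computer system mid-table; `low_rank_critical` lists the critical-impact events that the asset rank pushes down.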

 

An Ongoing Process.

The security risk assessment process should be an ongoing and audited part of every operation since changes may occur at a facility that will impact the assets and scores listed. Companies will need to determine how often to conduct a risk assessment — perhaps annually or quarterly — based on the changing needs of the facility.

 

In the next article, I will discuss the concept of “security in layers” and provide instruction for conducting a vulnerability study that begins at the perimeter of a facility and moves toward the interior. This will provide practical, specific steps to address the risks identified in a security risk matrix.

 

Brian D. Baker, MA, CPP, is a security management consultant based in State College, PA. He has over 20 years of professional security experience and also has operational experience in the document destruction industry. Serving corporate clients nationwide, he specializes in security risk assessment, workplace violence mitigation, executive protection and corporate investigation. Baker is also an adjunct criminology instructor for Penn State and a member of ASIS International.

 
