Organizations face the possibility of physical risks, which include threats to people, facilities, infrastructure, physical assets, and critical operations, at all times. The best security teams don’t just have plans in place for dealing with potential risks; they are actively working hard to circumvent these risks before they even arise. Yes, having a solid plan in place for risk mitigation is key. However, it can be even more valuable to understand how to evade the risk in the first place.
In order for organizations to be most successful in their avoidance of physical risks and thereby be successful in safeguarding global operations, they need to conduct a comprehensive Physical Risk Assessment. With the information gleaned from this work, teams can then create a detailed, actionable framework centered around protecting their people, assets, and operations from physical risks. When physical security risks are avoided, organizations forgo the costly consequences often accompanying these risks, which include operational disruptions, financial implications, and reputational harm.
Not sure how to conduct a Physical Risk Assessment? Let’s discuss.
The First Phase of Physical Risk Assessment: Preparation and Intelligence Gathering
— How to begin preparation and intelligence gathering? The team must first define assessment scope.
Teams need to define their assessment scope, including the assets, people, facilities, and geographies under review so they have a solid understanding of who and what they need to assess. If you don’t know this information, you will not be able to home in on the vulnerabilities targeting these specific people, places, and activities. Business activities, historical challenges, geographic risks – each of these provides critical knowledge to the teams working on the risk assessment.
Why do you need to understand your assets? Identifying your most valuable assets, such as personnel and intellectual property, is critical because damage to these assets would have the greatest negative impact. Understanding this helps determine which assets should be prioritized for protection, especially in high-risk environments.
It is important to know which facilities are the focus during the assessment in order to best review the specific layout and makeup of the buildings themselves. Understanding the challenges and characteristics of each location allows teams to better understand what future threats may arise.
It is also critical for the team to have a robust understanding of the surroundings of each facility. Political issues vary city by city, as do environmental risks. Knowledge of the geography helps the team understand potential areas of exposure – which areas are most prone to crime, terrorism, hurricane risk, and other natural disasters – and also allows them to access historical information to determine patterns and trends associated with a specific area.
— Next teams must align and involve their stakeholders.
The next topic to consider during the preparation phase is the need to align all of the key stakeholders. The best time to align stakeholders is early in the process. Not only does this allow the security team the time to make adjustments before things are underway, but people will be more apt to approve if they are brought in before the project has started versus feeling as if their input and opinion are an afterthought. Stakeholders to consider will vary depending on the organization but will typically include Security, Operations, Legal, and Compliance.
It is really important to get input from the various stakeholders as each person will have valuable input that is specific to their area of expertise. For example, leaders in IT will know about server rooms, Operations leaders will have input on possible threats impacting factory layouts and supply chains, and HR leaders may have insight on possible internal threats. The information provided by each expert stakeholder group will be extremely valuable in this process. Without this type of knowledge, the final assessment will lack specificity and likely be too vague to be effective.
— Now teams need to monitor both static historical risk and dynamic emerging threats.
The final step in the preparation phase includes leveraging threat intelligence to monitor both static historical risk and dynamic emerging threats. This is a crucial part of the process because, if done correctly, it lets teams establish a proactive rather than reactive security posture. Historical intelligence provides teams a baseline to better understand what threat activities are standard and what is unusual. This information helps teams to better forecast what issues may occur in the future.
While historical insight is helpful, real-time data is essential. This intelligence provides current activities that may impede the safety and security of a physical environment. Monitoring news channels, online sources, social media networks, and so on, is critical in order to stay informed on the political protests, public health concerns, climate related risks, and other threats.
Threat intelligence tools are essential in both the accumulation and evaluation of historical information and the ongoing monitoring and synthesis of dynamic emerging threats. Artificial intelligence (AI) and machine learning (ML) capabilities are able to parse large-scale data faster than human teams can. With the enormous amounts of data available at any given time, technology is mandatory. Organizations that aren’t taking advantage of the benefits of tech tools will certainly miss early warnings and emerging threats. However intelligence tools are leveraged, teams can establish a baseline of normal operating conditions, positioning them to detect deviations in seconds and make more informed decisions.
The Second Phase: Getting the Work Done!
Phase two is where the real magic happens; when the planning and gathering of information comes to fruition. During this phase teams will:
1. Identify the exact threats that are likely to impact their organization.
In order to identify external threats – which consist of incidents such as crime, terrorism, activism, unrest, geopolitical instability, environmental hazards, and other physical hazards – teams can review the intelligence compiled during the last step of Phase one. Using information revealed via assessments of historical and real-time events, teams should have an understanding of what sort of threats are most likely to occur and most likely to cause potential damage to their organization. It’s time to carefully and strategically go through this information and create a definitive list of all threats.
Manual data sorting may have been sufficient two decades ago, but with the proliferation of open source data, it is now impossible to stay on top of all of the world’s information without the use of technology. And thanks to augmented analytics, which leverages advanced technologies like machine learning (ML), artificial intelligence (AI), and natural language processing (NLP), security teams don’t have to. Augmented data analytics is revolutionizing enterprise risk management – providing actionable insights, greater cost effectiveness, improved decision-making, and enhanced overall risk management resilience at speeds that data scientists simply cannot replicate using manual tactics.
2. Identify their unique internal vulnerabilities.
Teams also need to pinpoint the most likely issues to manifest internally, such as weak access control, single points of failure, aging infrastructure, and procedural gaps. This information can be gleaned through insight provided by stakeholders, as well as via traditional observations and interviews with on-the-ground employees. It is important to collate the most accurate information available, and those on the ground and working in the areas at risk are the best sources of intel.
In addition, teams may consider implementing additional surveillance and monitoring tools to get a concrete picture of what is currently happening and what the potential pitfalls may be. Again, reviewing historical data in terms of which systems broke down most recently, when a particular piece of infrastructure was deployed, and so on, will also be important pieces of information to obtain. A combination of qualitative and quantitative information helps teams better understand the severity of vulnerabilities and where remediation efforts will be most impactful.
3. Construct scenarios to best prioritize risks objectively.
Once teams know the external threats to plan against and understand the internal issues that also need addressing, they can conduct likelihood scenarios and stress testing to prioritize risks objectively. Each stakeholder may consider their risk the most severe; however, it is important to manage this assessment in a very neutral and objective manner. Therefore teams managing the assessment will need to set rating scales that set parameters for how likely a threat is, as well as clearly define what each of the parameters means in terms of organizational impact – i.e., financial loss, operational disruption, employee safety, etc.
Augmented analytics will be super useful in keeping biases out of this work, as the data can be objectively sorted by technology. Teams will need to contextualize threats to specific assets to determine what is relevant and what is irrelevant noise, and how that relevancy is measured. For example, protests are low-priority noise until they occur near critical facilities or personnel.
4. Finalize their greatest risks and create a plan to protect against them.
Just as this subhead states, the last element of this phase is all about definitive planning. All the work conducted up until this point should clearly illuminate what the most likely risks are, and which of these is most detrimental. Teams will need to spend time creating plans to avoid these threats, as well as plans on how to move forward if a threat comes to fruition.
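The prioritization described in step 3 can be sketched in code. The following is an added example, not part of the original article or any vendor tool: it scores each threat event against each facility as likelihood times impact and drops events outside a relevance radius as noise. The 1-5 scales, the 2 km radius, and all names and coordinates are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

# Assumed cutoff for "near" a facility; the article gives no distance.
RELEVANCE_RADIUS_KM = 2.0

@dataclass
class Facility:
    name: str
    lat: float
    lon: float
    impact: int      # assumed scale: 1 (minor) .. 5 (severe) if disrupted

@dataclass
class Event:
    kind: str
    lat: float
    lon: float
    likelihood: int  # assumed scale: 1 (rare) .. 5 (almost certain)

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def prioritize(events, facilities, radius_km=RELEVANCE_RADIUS_KM):
    """Return (score, kind, facility, distance_km) rows, highest score first."""
    rows = []
    for ev in events:
        for fac in facilities:
            d = haversine_km(ev.lat, ev.lon, fac.lat, fac.lon)
            if d <= radius_km:  # events farther away are treated as noise
                rows.append((ev.likelihood * fac.impact, ev.kind, fac.name, round(d, 2)))
    return sorted(rows, reverse=True)

# Constructed sample data (not real sites or incidents).
FACILITIES = [
    Facility("data-center", 40.7130, -74.0060, 5),
    Facility("sales-office", 40.7580, -73.9855, 2),
]
EVENTS = [
    Event("protest", 40.7140, -74.0070, 3),  # a few hundred metres from data-center
    Event("protest", 40.7590, -73.9850, 4),  # a few hundred metres from sales-office
    Event("protest", 40.6500, -73.9500, 5),  # several km from both facilities
]

if __name__ == "__main__":
    for row in prioritize(EVENTS, FACILITIES):
        print(row)
```

The most likely protest in the sample is filtered out because it is not near any facility, while a less likely one next to the high-impact site ranks first.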
The Third & Final Phase: Mitigation Strategies and Continuous Monitoring
As teams finalize their physical risk assessment, they will need to develop layered mitigation strategies aligned with assessed risks:
- Deterrence: Simply put, this strategy is used to deter the threat by making a break-in appear impossible. This is done via three primary tactics:
  - Visible security, such as guards, cameras, signs or flood lights.
  - Perimeter hardening, such as walls and fences, or any other physical barrier that makes it difficult to enter an area.
  - Audits conducted by the team to ensure that all activities being conducted to deter a threat are working effectively. This may include monitoring the guards, but also monitoring security systems, ensuring all cameras are working, etc. The audits confirm that deterrence strategies are effective.
- Delay: This work entails analyzing a variety of “delay” elements – barriers, gated access, surveillance, redundancies – to determine the time it would take for an infiltrator to reach critical assets. Teams need to identify ways in which to delay the attacker so there is enough time to be notified of the attack and deploy whatever mitigation activity was deemed the right one for that scenario. The purpose here is to slow down the enemy and give internal security teams more time to detect the issue, identify the correct response approach, and put that tactic into motion.
- Response: The response strategy centers around the communication protocols, emergency plans, and rapid deployments that are put into place during or immediately after a physical threat or breach. The response strategies are designed to protect people and limit the damage to the organization and its operations.
Moving to a Predictive Risk Posture
Intelligence-based Physical Risk Assessments are essential for resilient operations. Teams that want to find risk management success today need to transition from reactive to predictive workflows powered by augmented analytics. Leveraging AI, ML, and risk intelligence tools allows organizations to continuously adapt to a rapidly changing threat landscape and better support companies operating in today’s increasingly complex global environment.
Having this reach and depth of knowledge changes the way security teams can plan; handled offline, it would take days to synthesize the same amount of information. Teams operating in a manual-only environment will be unable to deliver the level of risk management their organization needs to stay protected in today’s always-changing, unpredictable geopolitical climate.
Organizations need a comprehensive Physical Risk Assessment and the phases and steps outlined above will guide global corporations and organizations through the process of identifying, analyzing, and mitigating physical threats using a combination of intelligence, technology, and expert analysis. This work is essentially a requirement in order to stay protected in a world in which extreme weather events are becoming common, intruders are becoming more savvy, and organizations are establishing facilities all across the globe – adding to the complexity of managing security in foreign areas, in cities with higher crime rates, or in areas with unstable political regimes.
Teams looking to explore solutions that deliver real-time intelligence and proactive threat forecasting should contact Seerist, the leader in delivering real-time insights, forecasts, and alerts that bring clarity to decisions and save valuable time for security and intelligence teams. Seerist offers augmented analytics to help organizations stay steps ahead of the risks that will impact their business the most and acts as an integrated part of an organization’s security infrastructure – helping them transition from reactive to proactive.