Why your business should carry out a Threat and Vulnerability Assessment

Regular readers will know that I can rarely write a new monthly post without some terrorist incident grabbing our attention.  Barcelona, a beautiful city visited by many people during their lifetime and a place I have been to three times with good memories. Whilst the world is witness to many regular natural disasters that can bring a tear to one’s eye, several of which have occurred in these past few weeks alone, there can surely be little that compares to the act of someone waking up one day to carry out a wretched plan to murder innocent people who are simply going about their business. 

Whilst we all must live with the risk from terrorism as it rears its ugly head in apparent randomly chosen locations, we need to also consider the more traditional security risks to our organisations and businesses which are more real and relevant for the majority as we go about our daily routine. It’s very easy, in the face of highly reported terrorist incidents, to forget about and not invest in local security measures – or to simply think that all security measures are designed to thwart terrorists.

In retail, the value of shoplifting is on the increase. Cybercrime is the contemporary threat facing us all, from clever people with their highly advanced technical skills who can break in and hack information or funds, almost at will. There is also the disaffected employee or former employee who is able to cause loss of revenue and reputation should they so decide. A particularly bad customer experience can put an organisation at risk of retribution, where an individual feels they need to ‘get what they are owed’. An opportunistic thief deciding that the goods in the yard are worth climbing the fence for, and so on.

Let us not lose focus therefore on the basics of security. Things need protecting – and not just from terrorists. The average individual or organisation is thousands of times more likely to succumb to a domestic security matter than a terrorist incident. So how prepared is your organisation? You are probably thinking “Yes, it’s ok. We’ve got some CCTV and an alarm fitted. Never had major a problem yet”. But when you do have that significant problem, it may be too late.

If you want to get ‘all your ducks in a row’ in terms of your security, then you should approach it with two trains of thought, as you (or someone experienced and specifically competent) carry out a Threat and Vulnerability Assessment (TVA).

Try to think like the ‘bad guys’. “What do we have that anyone would want AND how would they go about getting it?” You can keep that question in mind throughout, as you conduct a TVA. In simple terms, you are going to write up a list of your most valuable/key assets and prioritise them in order of importance i.e. if they were stolen, damaged or destroyed, how would it affect your business? The business may even have to close, perhaps until things are fixed or replaced, but all the while costing you valuable time and resources.

For each of your key assets, you should consider the individual risks to them i.e. what could go wrong, and then use a 5×5 grid, plotting Likelihood against Consequences. This is a simple risk matrix and allows you to focus on what’s important to you, what are the risks to those important assets and, if the worst happened, what are the consequences to the business or organisation. By reviewing your assets in this way, including important processes, you can gain an idea of what measures you may need to put in play to reduce the likelihood or impact of something bad happening i.e. your mitigations.

If this all sounds very technical and complicated, it isn’t really, but it is good practice and will help you to sleep at night knowing that security safeguards and measures are in place to protect your most valuable assets. Many successful businesses of all shapes and sizes had disappeared overnight because of one incident that, had they prepared for, could have been less consequential. You cannot always stop the worst from happening, but you can often put in place measures to reduce the impact. Think of it as putting in barricades against flood risks – if you know you are in an area with a risk of flood, then the prudent businesses would put measures in place and not have to cope with having knee deep water in their offices.

You want to regularly check up on your assets and have an up-to-date TVA, either reviewed annually or any time that there is a major change to how you do things. Like most things that are essentially a distraction to the work that you do best, this is all something that you can outsource to those with the expertise who can come in and advise you, without getting in your way, and leave you with the peace of mind to know that you are doing everything reasonable to keep your operations secure. By using someone independent, it also provides for a fresh set of eyes that doesn’t have the ‘wood for the trees’ syndrome i.e. the risk of them being too familiar with everything so as not to see things how they really are.

In any case, if you haven’t conducted a TVA or had one done for you, it’s time to make the arrangements and ensure that your organisation, which the owners, employees, suppliers and customers are relying on, remains as risk free as possible.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *