The Risk is Real
By now, we have all become familiar with the failure of organizations to recognize and prepare for risk. The insurrection at the Capitol, the failure of the Electric Reliability Council of Texas (ERCOT) power grid, and the shutdown of the Colonial Pipeline are recent examples of events that highlight gaps in intelligence, cyber security, physical security, and infrastructure preparation to all-hazards.
What did these events have in common? Each of these locations had security and safety measures in one form or another. Whether security was personnel, physical, or cyber, they failed. As the examination of these incidents continues, the reasons for the failures pile up. What has become obvious is that self-risk assessment and tabletop exercises are better than nothing, but they lead to myopic, single-scenario thinking bounded by the limited experience of the participants.
The Colonial Pipeline incident is a perfect example. Most tabletops had prepared for a war game scenario, but when the event occurred it was a criminal attack. This attack was unsophisticated, but it nearly shut the country down. The Energy Department and Department of Homeland Security estimated that if the pipeline had been shut down for another 3-5 days, it would have shut most of the country down due to a lack of fuel distribution. No one had planned for alternative distribution methods to move gasoline and jet fuel if the pipeline system were non-operational.
I have seen the same thing in plans and tabletops for active shooter events. The bad guy is always in a hallway and everyone else is behind a locked door. What is the plan if the shooter is in the room with you?
The problem is that our thinking is limited by our experiences. Even some professional organizations have this issue. Recently, we conducted a risk assessment for a hospital system on the east coast of the United States a year after the Joint Commission had conducted their assessment. After we submitted our report, the client told us we found twice as many risk issues as previously identified and that we potentially saved the hospital system millions of dollars in lawsuits and losses from issues missed in the previous assessment.
That was not luck. We identified the issues because we did not look at the hospital system through the same lenses. Checking boxes from a downloaded report will provide you with a generic recommendation during an assessment. One question may ask “Do you have an emergency operations plan?” If you answer “yes”, the assessment will advise you to review it regularly. The next question is typically “Is everyone trained on it?” In office interviews, administrators almost always answer “yes” to this question. In fact, office staff almost always respond with “yes” to every single question in an assessment in order to appear prepared. However, employees may tell a different story.
A recent example of this was an HR Vice President who had written the Emergency Operations Plan for his organization. He raved about it in the opening meeting. When I mentioned I would be asking employees questions, he became apoplectic. He informed me he did not want me speaking to the staff. Within minutes of starting the on-site assessment, I understood why. Almost no one was trained on the plan. It had been more than 18 months since the organization had even run a fire drill. No employees hired in that period knew how to evacuate or where to go.
Mitigate Bias with an Objective Assessment
To eliminate organizational and personal bias from a risk assessment, you should never self-assess. Having your own people, or even people with regular relationships with your organization, conduct a risk assessment may help you check a box for your insurance company, the state, or even the federal government. However, it does not give you a clear picture of your organizational risk. As humans, we are very poor at self-assessment. We can be overly critical, or even worse, overly confident. Studies going back over 40 years have warned us against self-assessing. In fact, Benjamin Franklin warned us about it in 1750: “There are three things extremely hard: steel, a diamond, and to know oneself.”
For example, T.R. Zenger’s 1992 study of several hundred engineers at a high-tech company found that 42% of engineers ranked themselves in the top 5% of engineers in their company. Going back even further, in a study by P. Cross in 1977, 94% of college professors said they do above-average work. Study after study demonstrates this inability to assess oneself. A risk assessment built on self-assessment increases your liability and may leave your threats unmitigated.
7 Signs to Recognize the Known Unknown
This effect becomes clear when conducting on-site interviews with the staff who would be responsible for conducting the assessment. It is very easy in on-site interviews to recognize the people who know what they do not know. They immediately answer “no” when asked a question about having a policy, procedure, safety measure, or security measure. These types of people are few and far between. It is even easier to recognize the people who think they know but do not. There are seven tells.
- They do not answer the question directly and instead start sharing information about a security measure or plan they do have.
- They tell a “war story” every time you ask a question.
- They have a pet project to push and want you to recommend it.
- They do not want you to interview anyone out of their presence.
- They only want you to speak to handpicked employees.
- They tell you they have whatever you have asked about but use excuses as to why you cannot see, read, question, or observe something while on-site.
- They don’t perceive any problems with their processes. When you find a problem and point it out, they may have excuses such as “It’s not always like that,” “It must have just happened,” or “I don’t know why they would say that.”
If this person is filling out your risk assessment, it is likely riddled with inaccuracies. Any decisions based on the document could open you up to liability, cost you money, create gaps in your security and safety, and make you more vulnerable overall.
The Value in Partnering with Certified Risk Assessment Professionals
A certified professional is required to recertify and keep abreast of new security developments. They have demonstrable work experience and are required to follow a certification code of professional responsibility. They are bound to be truthful, honest, and show integrity in their actions. They must be faithful, competent, and diligent in discharging their professional duties. They have no negative or positive relationships with anyone on-site and do not have pre-conceived notions about the site or personnel.
Third-party certified professionals can be objective and impartial in identifying strengths and vulnerabilities and recommending solutions. They make unbiased decisions based on facts and professional observations. They know their duty is to help the client, not fulfill a mandate by checking boxes.
How Can We Help?
Recognized as the leading emergency preparedness and active threat response training organization, Navigate360’s certified professionals conduct risk assessments on schools as well as other businesses, healthcare facilities, warehouses and distribution centers, among others. Our risk assessments help you uncover gaps in safety and security before they cause harm.