Monday, July 25, 2016

The Myth About Size – It Doesn’t Matter


Most small businesses and homeowners, for that matter, think that due to their small size they are exempt from conducting analysis of their crime risks or other threats.  Larger organizations; however, understand the necessity to conduct a formal vulnerability assessment and risk analysis review on a regular basis – usually once a year or sooner if necessary.

Every organization, large or small, MUST conduct a formal assessment of their risks.  If they don’t they won’t know what their risks are or what mitigation strategies to employ. The process doesn’t have to be too complicated or lengthy or expensive.  But some type of formal analysis MUST be done.  When conducting a risk assessment, the formula goes something like this; assess the criticality of the asset (see definition below), determine what threats there are (both natural and man-made should be considered), and what vulnerabilities there are.  Once you’ve done that you have your risk.  For you math geeks the formula is written C x T x V = R.


Assets are anything of value to the owner and can also be anything the owner has that is of value to someone else (the bad guy, for instance).  A diamond ring, a house or a store full of products – anything of value.  You also have to determine how critical the asset is to you.  So, yes, even your kids and other relatives.  Although some of my relatives I wouldn’t mind if they were to get taken by aliens. 

Something else to remember, assets can have many parts that should be evaluated; i.e., a gas station - has gas pumps, a cashiers cage, and retail space.  Each piece of the asset should be evaluated, so that a clear picture of what needs protecting emerges.  I found it best to use, a quantitative system, using numbers to assign value.  One to ten works fine but one to 100 works, too.  Find a numbering system that works best for you.


Next, what are you protecting your asset against (threat).  Threats come in all shapes and sizes.  I can in very short order come up with several dozen natural threats and almost as many man-made threats.  And, as the recent incident in France just showed us, threat scenarios can be almost limitless.  Suffice it to say, concentrate on the one or two most likely to occur AND the ones that would be the most disruptive.  Again use a numbering system to assign value.


Another way to look at vulnerability is to ask the question, “How much trouble am I in”?  Vulnerabilities can be physical in nature; i.e., a fence isn’t high enough to deter a burglar or it could be procedural, we don’t lock the gate to the backyard for example.  Both are vulnerabilities that can and will be exploited by a would be perpetrator.


These factors combined are your risk.  The risk tells you how much trouble you’re in. 


Once you know what kind of shape you’re in, you need to develop mitigation solutions, determine the cost benefit (like you wouldn’t put a $500 lock on a $100 bike) and what solution you are going to do first.

I recommend implementing solutions that produce the highest reduction in risk to the largest number of people first. 

The Trap

Don’t fall in to the trap of thinking the solution to mitigate all threats is to buy and install a close circuit television camera (CCTV) system or home security system.  While CCTV can be a very effective solution, it has to be connected to a response force of some type that is capable of responding to the treat in an adequate amount of time.  A recent article in the Chicago Tribune revealed that CCTV solves crimes less than three percent of the time.  This is primarily due to the fact that the cameras are not continuously monitored or responded to when bad behavior is detected.  If you rely on a police agency or security company to respond, you need to make sure they guarantee response within 5 minutes.  Research conducted by the National Institute of Justice in 2015 revealed that a burglar spends about seven minutes on average on site.  So if the responding force doesn’t get there when the bad guy is there, there’s a 97 percent chance he won’t get caught.  This is the reason large organizations have dedicated security forces on site.

Ultimately our goal and that of every asset owner is to deter, prevent and respond to a variety of threats, regardless of the size of the organization.  Whether large or small, everyone asset owner MUST conduct a formal assessment to know what their risks are.  So size, doesn’t matter.

Other risk management strategies and assessment methodologies will be discussed 6 – 8 September in Jacksonville, FL.  Call 805 509-8655 for more information about seat availability.

On-line assessment tools for small businesses, homeowners and schools are available at

No comments:

Post a Comment