Risk is Dynamic, So Physical Risk Assessment Should Be Continuous
Most companies assess their physical security on an annual basis, but that’s not enough. What if you performed risk assessments at all your sites every day?
If you’re shaking your head and saying it’s not possible, think again. In fact, daily assessments should be best practice for all organizations. They are the key to a real time view of your risk and your remediations, and not only are they possible, they can actually be easy.
Cybersecurity Is Assessed Continuously. Why Not Physical Security?
Daily physical risk assessment seems daunting, but we know it’s possible to assess risk continuously. We only have to look at our colleagues in cybersecurity, who assess digital threats daily. Currently, however, physical risk is analyzed annually.
The thinking behind the continuous assessment of cyber risk is that cybersecurity risks are generally more severe. Anyone who has worked in physical security would likely disagree. Both cyber and physical threats can certainly be expensive, and both can cause loss of life. Why then, when we are dealing with such grave scenarios, aren’t we assessing physical risk daily?
Another reason behind the continuous assessment in cybersecurity is that digital threats evolve quickly. This is also true of physical security and natural risks; risk is dynamic. Weather patterns change, criminals learn from one another, and changing world events have an impact on the threats faced by different industries. Annual risk assessments are often not enough to capture these changes.
Rethinking the Annual Security Audit
Two common perceived barriers to daily physical risk assessments are the cost and time involved.
Traditionally, security audits are subjective assessments performed by highly paid security experts. Such assessments are based entirely on the observations, past experience, and value system of the expert conducting the audit. A traditional assessment also takes a long time; for every hour a security professional spends performing an inspection, he or she will likely spend four to six hours writing up the report.
This is not the best use of your experts. Security professionals’ time is better spent coming up with strategies for remediation than collecting simplistic data that a non-security professional can capture.
A better way to conduct assessments, and to conduct them daily, is to use the people who are already walking around your facilities, like your security officers, maintenance individuals, or other facility points of contact.
Your Own People Are the Key to Daily Assessments
The physical security industry is heavily reliant on a small number of people when it comes to risk assessment, but the truth is, every workplace is full of people who are able to assess risk on a continuous basis.
Your security team is already making the rounds on your site. By equipping them with tablets, your officers can use a checklist, notes, and photos to document any vulnerabilities they see on their rounds.
Even if your organization doesn’t have security officers, your employees know your site better than any outside expert. They already know the gaps in your security—they know which doors are routinely propped open, which lights have stopped working, and where an intruder might be able to get in.
Encourage your people to let you know where risks and vulnerabilities are by creating programs that offer rewards, much as you might do for reporting safety risks. Many successful programs offer cash prizes or other bonuses, like vacation time.
If I Know About All My Risks, Does That Make Me Liable?
Businesses often ask us if they create liability by documenting risk. If a site has a broken camera and no one reports it, will the business be liable if an assault happens inside that building and a security officer doesn’t respond because of the blind spot? Hoping that an undocumented risk won’t count against you isn’t good security, nor does it show a strong understanding of how liability works.
Gareth Leviton, former general counsel for Guardsmark, says that ignoring an apparent or easily discoverable risk will not shield an organization from liability.
“Legally, leadership has a duty of care,” he says. “Their duty to the company is to exercise due diligence to identify risks that can and should be discovered. Company leadership has a fiduciary duty to shareholders to identify and mitigate liability risks.”
In fact, remaining willfully ignorant of a vulnerability may be prima facie evidence of negligence.
“If you have a security audit done, and you don’t follow up with prompt corrective action, that’s potential negligence,” Leviton says. “However, if you fail to conduct a proper security audit and willfully fail to discover potential vulnerabilities that you need to correct, that may be equally negligent. A company cannot avoid potential liability merely by burying its head in the sand.”
Leviton likens a failure to conduct a security audit to a patient who is in pain but refuses to see a doctor for fear of hearing bad news. Even if the patient isn’t properly diagnosed, they are still sick. In fact, the patient is worse off, because there is no treatment plan in place.
“You are better off, from a liability standpoint, doing the audit and starting to correct any deficiencies, even if you can’t fix all of them at once,” Leviton says.
Your Annual Assessment Is Important, But It's Not Enough
Annual assessments are still important, and not just because they are required in regulated industries. An annual security audit is an important baseline that you can use to inform daily gap analyses.
A full security evaluation should be conducted once a year, and top security experts should be used to analyze the findings of those evaluations and recommend remediations. Daily assessments can build on those annual audits, tracking remediation progress, and documenting new risks when they appear.
You can use a baseline assessment to audit your security for specific scenarios as well. How prepared are you for a tornado? A fire? What about cargo theft? Using the baseline scores, your team can assess each site’s preparedness for each high-risk scenario.
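As an added illustration of the process described in the last two paragraphs (not code from the authors or from Circadian Risk), the following model keeps an annual baseline of audited controls per site, lets daily rounds open and close findings against it, ranks open findings for remediation, and scores a site's preparedness for a scenario such as cargo theft. The site name, control names, severities and scenario mapping are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample baseline from an annual audit (not real data): for each site,
# control -> (severity 1..5 set by the auditor, high-risk scenarios it protects against)
BASELINE = {
    "warehouse-1": {
        "dock camera":       (4, {"cargo theft"}),
        "rear door lock":    (5, {"cargo theft", "intruder"}),
        "fire exit signage": (3, {"fire"}),
        "storm shelter kit": (2, {"tornado"}),
        "lobby lighting":    (2, {"intruder"}),
    }
}

@dataclass
class Finding:
    site: str
    control: str
    opened: date
    closed: Optional[date] = None

def record_round(findings, site, checklist, today):
    """Apply one day's checklist {control: passed?} from an officer's rounds.
    A passing control closes its open finding; a failing one with no open finding opens one."""
    for control, passed in checklist.items():
        current = next((f for f in findings if f.site == site
                        and f.control == control and f.closed is None), None)
        if passed and current:
            current.closed = today
        elif not passed and current is None:
            findings.append(Finding(site, control, today))
    return findings

def prioritized(findings, today, sla_days=14):
    """Open findings ranked by audit severity, then by age; flags those past the remediation SLA."""
    rows = [(f, BASELINE[f.site][f.control][0], (today - f.opened).days)
            for f in findings if f.closed is None]
    rows.sort(key=lambda r: (r[1], r[2]), reverse=True)
    return [(f.site, f.control, sev, age, age > sla_days) for f, sev, age in rows]

def preparedness(findings, site, scenario):
    """Percent of the scenario's baseline control weight that is currently intact at the site."""
    controls = BASELINE[site]
    total = sum(sev for sev, scen in controls.values() if scenario in scen)
    broken = sum(controls[f.control][0] for f in findings if f.site == site
                 and f.closed is None and scenario in controls[f.control][1])
    return round(100 * (1 - broken / total)) if total else 100
```

Each daily round only records pass/fail per control; severity and scenario weighting stay with the annual baseline, which is what keeps the daily work simple enough for non-specialists.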
Daily Security Assessments Show Your Risk Right Now
Often, organizations are confused when it comes to threats and physical risk. It’s easy to become distracted by the latest threat covered in the news: a cyberattack, a shooting, or a weather event. While those things are concerning, they may not be the biggest risk for your organization.
Many times, the biggest risks are caused by the smallest vulnerability, like an unlocked door or a security guard who allows piggybacking.
Daily assessments give you a window into the dynamic risk of all your sites, showing you which vulnerabilities need to be prioritized in real time, and which threats, hazards, or regulations actually pose the greatest risk to your organization.
Daniel R. Young, MBA, MS, is the founder and chief innovation officer at Circadian Risk Inc.
Michael J. Martin, MBA, is the CEO and founder at Circadian Risk Inc.