Security Beyond BordersHow a Security Risk Assessment Works

(Conduct an effective security risk assessment of any site)

By Francisco Mateo, CPP, CFE

Just think for a second that you’re a thief who wants to penetrate a corporate office to steal a laptop or a wallet. You know that you’ll have to get through the front gate; get pass the security officers, access control and CCTV system. You could bring fake identification and claim that you’re a contractor covering a vacation for the maintenance company.  You drop key names and make acquaintance with the security officers and presto you’re in the premises.

You must think through this and many more scenarios when conducting your security risk assessment, which are conducted to determine what risks your operations are exposed to and will need to manage.  The ultimate goal is to manage all risk effectively at the lowest possible cost.  Before any risk can be mitigated it needs to be identified.  Gone are the days when security practitioners can crawl into a cubby hole and pretend there are “no issues, no problems.”  The truth of the matter is that we face many hidden risk that lead to losses for the organization.  The proper way to identify, categorize and prioritize risk mitigation is through a properly conducted security risk assessment.


Like an auditor, the security practitioner seeks facts, appraises, draws conclusions and makes appropriate recommendations throughout the different risk assessment stages.

Six basic stages of the process include:

  • Observation
  • Inquiry
  • Analysis
  • Verification
  • Investigation
  • Evaluation

An initial walkthrough on the site would seek to establish how important things and people relate to one another. This visual examination should be done with a specific purpose, like establishing a mental comparison with practices and standards.  It is a good opportunity to take pictures or video of the site for later recollection.  The more familiar you are with the site the more vigilant you’ll be to deviations from the norm.

Next, you’d identify the key stakeholders on site to conduct an initial interview.  The initial inquiry would set the tone for the rest of the questions to come throughout the assessment.  The general guideline is to ask open-ended questions; avoid becoming inquisitorial or corner people as they’d tend to get on the defensive and raise barriers to effective communication.  Treat everyone as allies throughout the process.

The initial interview should seek to answer the following questions:

  • What is the operation at the site?
  • Who does what?
  • Why is it done (where and when)?
  • How is the operation accomplished?

Additionally the purpose of the interviews is to attempt to get at the heart of a security problem.  Like many other social phenomenon security is influenced by the perception of those who benefit from it, so you want to know: what does management perceive to be the major problem areas? What does management expect the assessment will accomplish in regard to solving these problems?

During the initial interviews seek to evaluate statistics and conditions that would be conducive to losses.  Remember that losses could be perpetrated from within the organization, or from third parties on the outside. 

Internal Issues

Seek to establish the potential internal issues that may lead to a loss event at the site.  A list of possible internal issues is provided below:

  • Breach of security policy
  • Petty theft
  • Breach of access control
  • Stock loss
  • Break-in
  • Workplace violence
  • Deliberate product tampering
  • Site closure
  • Staff reduction
  • Harassment
  • Commercial espionage
  • Labor dispute or strike
  • Other

Social Environment

Leverage your local staff’s knowledge to assess the local social environment. Identify social issues with potential to adversely affect the operations and/or the security of the staff, products, intellectual property and assets. Use the non-exhaustive list below:

  • Very low-income environment
  • Low level of education
  • High level of unemployment
  • History of labor disputes
  • Political/social unrest
  • Predominant religious environment

Violence/Crime Risk

Discuss with the local Police representative the current and local crime rates and trends. Inquire about any local/regional potential threats of violence and/or terrorism. Assess the police response capabilities. List all potential security issues that could impact the security of your staff, products, intellectual property and assets of the organization. Use the non-exhaustive list below:

  • Petty crime
  • Street crime
  • Drug smuggling
  • Violent crime
  • Mob and gang activity
  • Black mail/extortion
  • Product contamination
  • Road blocks
  • Hijack
  • Protests
  • Riots
  • Terrorism threats
  • Other

Using a standard risk assessment chart, assess the rate occurrence versus the impact for each of the issues that apply in order of priority.

Risk Chart 








Risk rating

Target level



10 to 9

Means that security measures/procedures should meet the target level for a high risk rating


8 to 7

Means that security measures/procedures should meet the target level for a medium risk rating



Means that security measures/procedures should meet the target level for a low risk rating


Compliance Grade








Level of compliance



10 to 9


Security measures/procedures are good where the risk is High

8 to 7


Security measures/procedures are good where the risk is Medium



Security measures/procedures are good where the risk is Low

5 to 3


Security measures/procedures only partially meet security standards

2 to 0


Security measures/procedures are non-existent or inadequate


Political Risk

Political risk has increased the threat of asset loss to many organizations operating in a given country.   The risk is mainly caused by changes in a country’s political structure or policies.

  • Tax laws
  • Tariffs
  • Expropriations of assets
  • Tighten foreign exchange repatriation rules

Once you have identified the risk related to the various activities within the site, the needed countermeasures can be effectively planned and implemented.  To accomplish this task, it is necessary to examine all the security activities and relationships at the site.  The following is a general assessment checklist that integrates the site’s security activities:

Basic Security Information

  • Previous assessment conducted at the site
  • Security supervision
  • Security practices and procedures
  • Security incidents centrally reported
  • Potential dangers in the vicinity of the site
  • Is the site on a natural disaster zone?
  • Emergency numbers readily available

Security Guard

  • Internal or Outsourced
  • Guards on site 24/7
  • Guards properly trained
  • Guards have Standard Operating Procedures (SOP)
  • Guard tour verification system
  • Use of security technology
  • First Aid responders
  • Incident report writing

Vehicle Access Control

  • Inbound/Outbound search
  • Employees and contractors vehicles parked outside the property
  • Passengers badge separately before entering the property
  • Staff car park access controlled by a card reader and a barrier
  • 90° turn for vehicles entering the site
  • Access to Un-/Loading areas controlled or remotely controlled
  • Inbound/outbound trailers subject to load and/or seal checks before entry/exit is granted or prior to be loaded/unloaded
  • Subcontractor deliveries under close supervision
  • Written working instructions available for the gatehouse staff
  • All entry/exit movements recorded in a log book at the gatehouse

Pedestrian Access Control

  • Manned reception
  • Electronic access control
  • Access control equipped with anti-pass-back function
  • Individual access to the site guaranteed
  • Access control guarantee out of working hours
  • Access control located on the division of the public and non-public area
  • Additional entrances monitored by CCTV with an intercom linked with a guard room or manned control
  • Unused external doors & entrances locked or manned

Staff Badges

  • Staff Badge system in place
  • Badges equipped with a photograph as an identification
  • Badges worn prominently
  • Subcontractors wear a badge visibly
  • Subcontractors’ badges different from staff and visitors’ ones
  • Third party badges delivered on arrival and surrendered on departure
  • Third party staff identity systematically checked before badge delivery
  • Spare badges kept and handled in a secure manner


  • Visitors are pre-announced
  • Visitors are registered at the front desk/gate house
  • Visitors logged in and out upon arrival/departure
  • Mandatory for all visitors to wear a badge visibly
  • Visitors’ badges different from staff’ and subcontractors’ ones
  • Visitors accompanied at all times
  • For factory and R&D facility, visitors are restricted from access to certain areas
  • Visitor badges surrendered on departure


  • CCTV system is installed
  • Permanently staffed control room for CCTV
  • The CCTV system is digitally recorded and all images are saved at least for 30 days
  • The CCTV system has adequate night vision
  • The CCTV system covers the perimeter
  • The CCTV is linked with motion detection
  • The CCTV system covers the vehicle, pedestrian, and restricted access(es)
  • The CCTV system automatically detects selected unusual events (opening, motion, unauthorized presence, etc)


  • Access to the compound controlled by a manned gatehouse
  • The perimeter clearly marks the legal private property limit
  • There are signs saying “Private Property, no trespassing”
  • The fencing is equipped with a penetration detection (alarm) system
  • The fencing is lit at night? (Ideally from inside the perimeter)
  • The perimeter barrier partially or totally comprises a building
  • The fencing is secure from penetration
  • The fencing is regularly checked for damage / penetration
  • The fencing is free of adjacent structures (trees) which could help an intruder

 Building Security

  • The building is secure, fenced with good physical protection and perimeter access control
  • The building is protected by windows fitted with bars, shutters, locks and robust doors
  • An intrusion detection alarm system (IDAS) is installed
  • The IDAS is activated after working hours
  • The IDAS alarms is linked to a 24/7 Security Control Center
  • The alarm link to the Security Control Centre is tamper-proof
  • There are SOP’s that lay out the response to such alarms
  • Emergency exits are linked to a 24×7 alarm system
  • The site is fitted with panic buttons (Reception, other)
  • If there is a safe containing cash or valuables it’s fixed to the floor
  • The gates/doors closed and locked when not operating or permanently monitored by staff
  • The windows and the glass doors facing the street or/and car park are protected by shatter-resistant film
  • Entrances, and exits are lit
  • Any sensitive and restricted outside areas  are illuminated

Key Control

  • There is an in/out key management log book
  • There is a key log book with individual key serial numbers
  • There is a file of authorized persons
  • The key control procedure is available in writing
  • There is a Master Key system in place
  • The Key System was implemented and is supervised by a manager
  • The key control procedure includes a periodical inventory
  • Spare keys are stored in a secure place

Loading and Unloading Areas

  • The loading/unloading bay doors are adequately secured with locks
  • Gates/doors are closed and locked at all times when not operating or permanently monitored by staff
  • The loading and unloading bays are physically separated
  • Drivers are prevented from entering the warehouse or storage areas (pre-picked area not included where drivers help loading)
  • Drivers prevented from entering the building from un/loading bays
  • The loading/unloading areas are under full CCTV, guard or staff surveillance
  • All consignments onto the truck/trailer are checked along with shipping documents by a Supervisor
  • The lighting of the internal loading and unloading areas provide daylight conditions at night time
  • Returned products are stored separately and securely
  • Delivery checks are performed

Waste Disposal

  • There is a clear procedure on managing waste documents and CDs
  • Paper recycling bins are available
  • Shredders are available for sensitive documents
  • Locked and secure bins available for bulk document destruction
  • Documents destroyed by a trusted company
  • Company periodically audited

Staff Security

  • Pre-employment screening is permitted by law
  • Pre-employment screening is performed before appointing a new employee or temporary staff
  • Recruitment files/data kept and secured
  • Security awareness training conducted for new employees
  • Mobile phones with cameras or video cameras prohibited
  • An employment termination procedure is in place (Confidentiality agreement, company property )
  • Staff searched when entering/leaving the premises
  • There has been a security awareness campaign in the last 12 months (posters/stickers/etc.)

Restricted Area

  • There is a double check of individuals entering restricted areas ensuring that the badge holder is the right person
  • Unauthorized or forced access to restricted areas is detected and followed up by a control room or mobile guard for response
  • Access points to restricted areas are covered by CCTV
  • Gas tanks (Ammonium) are kept locked
  • Contractors/cleaners are supervised/monitored when in restricted areas

Emergency Planning

  • Plans for reaction to man-made or natural disaster
  • Responsibilities spelled out
  • Responsible individuals designated
  • Organization completely staffed
  • Periodic rehearsals of all personnel
  • Mission critical features equipment at the site have been identified
  • Protected by barriers, access control and barriers now
  • Coordinated with local public safety and disaster organizations
  • Include plan for post-disaster recovery
  • Identified resources available and required

Each point will be graded on a scale from 0-10 depending on how well the countermeasures have been implemented.  The site risk level (high, medium, low) would help you determine if the security countermeasures at the site are sufficient or whether further actions are needed.  As all countermeasures require investment, you should agree with the site management on a deadline for implementation, as well as the estimated cost of mitigation. All cost, both actual and hidden, must be directly linked to a benefit to the site.  It is important to show that the benefits (risk prevention or reduction) will outweigh the cost.  

Finally be timely in presenting your final report.  Recognize that management’s priorities are first and foremost the generation of profit, thus your presentation should express the security risk assessment results in business terms. 



10 Responses to “RISK MANAGEMENT”

  1. Kenya Pomerantz Says:

    Good blog. I got a lot of effective data from it. I’ve been following this technology for awhile. It’s intriguing how it keeps changing, yet some of the core factors remain the same. For example, the info that a nanny cam can give you is priceless.

  2. Claudio Rocks Says:

    Fantastic post! This could aid lots of people find out about this matter. Do you want to incorporate video clips together with these? It could undoubtedly help out. Your reason was spot on and owing to you; I probably won’t have to describe everything to my pals. I can simply direct them here

  3. Nathanael Brunke Says:

    Though I would’ve loved it much more if you added a relevant video or at least pictures to back up the explanation, I still thought that your write-up quite helpful. It’s usually hard to make a complicated matter seem very easy. I enjoy your weblog and will sign up to your feed so I will not miss anything. Fantastic content

  4. Kartenlegen per Email Says:

    Admiring the time and effort you put into your blog and detailed information you offer! I will bookmark your blog now. Thumbs up!

  5. Esteban Lacks Says:

    The best thing about this post is that, it can convince masses. Its language is easy and conveys the theme of the article in a most appropriate way. The write is not just playing with the words but he is actually providing use full information. The content is unique and depicts the theme very well

  6. Crisis Leadership, Crisis Response and Assessing Risk | executive recruiter online Says:

    […] group has to safeguard great family with a media as great as internal authorities. The security practitioner as a predicament personality would need to supplement a brand new ability to his/her toolkit, such […]

  7. Security Strategy, 21st Century | executive recruiter online Says:

    […] security’s strongest up as great as coming corporate confidence leaders. Allow me to deliver Francisco Mateo! Security Strategy, 21st […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: