We have a vulnerability assessment. Can we use this to develop a risk-based assessment?
Yes. Most vulnerability assessments provide useful insights for our assessment team. If the vulnerabilities are not linked to threats or consequences, we will need access to staff experts who know the security arrangements and operations of the facility(s) or vessel(s) to flesh out a baseline security risk profile.
Why should we go to the expense of conducting a risk assessment and a risk management plan?
Most organizations with a range of security threats are spending resources on security measures and activities. The rationale for these may be from a series of legacy decisions that have not been subjected to a rigorous risk analysis. If your organization completes a risk assessment and analysis and develops risk management strategies you may be able to shift resources to obtain better return-on-investment. In any case, you will have the benefit of a roadmap to mitigate risk that should provide your leaders with confidence in the security program and may give your CFO a rationale to negotiate a lower rate from your insurance company!
I think we would benefit from a risk-based security risk management program. However we have multiple facilities in different locations with different operation profiles. And our leadership is reluctant to cut into the bottom line.
In this case you may want to arrange for a security risk seminar for leaders, operators and security personnel to determine the support you would get from leadership and buy-in from operations and security personnel. We have a lot of experience working with multiple facilities and vessels. We can scale the project design according to your operational profile.
We are mostly concerned with loss prevention and insider threat – say from a disgrunted employee. Can you address these threats?
Yes. Our Method relies on a clear operational definition of the threat scenarios that you face. In any engagement we will facilitate a session to clarify the threat profiles you want to address. In some cases, a threat profile will address lesser included threats. For examples, a single thief attempting to gain access to valuable property would be within the threat profile of a four-man terrorist assault team.
We operate a fairly standard water treatment facility of a large city. Should we consider your services?
Possibly, depending on a number of factors. For example do you store chlorine in rail car or storage tanks? Are you located near a population center? How effective is your access control? In your case, we could conduct a preliminary, high-level assessment in a few hours to give you a better basis to make a decision. We would usually recommend that we do this remotely to save costs.
We are in San Diego and we notice that you are located in Virginia. Can you do a Security assessment at our facility?
Yes. We can travel to any location in the US or overseas.