6 Key Points when Evaluating Safety and Security Programs

Share Your Thoughts: Facebooktwitterlinkedin

Business Continuity/ Site Assessment / Risk Assessment / Vulnerability Analysis

DownloadWPA careful assessment of building infrastructures and management systems is an important part of any overall business continuity program.

Evaluation of a site’s existing physical security structure (location, facilities, systems, and processes) and assessment of how well an organization is protecting its people and property against likely threats is a critical part of a company’s business continuity plan.

At Firestorm, we lead with a member of our team with subject matter expertise in security related issues.  We then evaluate the facility grounds, building, and existing physical security systems and processes to determine how well key assets are being protected.

We also assess the ability to determine how well prepared an organization is to detect, assess, and respond to incidents.

6 areas of systems and processes we consider key to evaluate during any safety and security program evaluation:

  1. Monitoring Access: Employee, guest, and vehicle access points (Guard gates, check-in procedures)
  2. Video Surveillance: Cameras, lighting, analytics, etc.
  3. Building Systems: Electronic access control and metal detectors
  4. Environmental Health & Safety: OSHA regulations (Hazardous materials procedures, etc.)
  5. Life/Safety Systems:Incident detection, assessment, and response (Fire protection systems, signage and specialized plans for evacuations, fire drills, etc.)
  6. Space Management: Work areas and working conditions (Lighting, ergonomics and floor layout)

Additionally, risk assessment evaluates the threats that are specific to a unique organization and environment.

The evaluation of threats should include natural/biological hazards and technological/human-induced hazards. For natural threats, historical data concerning frequency of occurrence for given natural disasters such as tornadoes, hurricanes, floods, fire, or earthquakes is used to determine the credibility of the given threat in a specific world region.

Using this information, an overall risk ranking is then be assigned to each type of threat. The overall risk rating is a subjective rating that considers each threat’s severity, likelihood, and controls, and supports ’s ability to prioritize threats and identify risk control measures.

Example: Business Continuity – Containers, Ports

  • Previous incidents are analyzed and potential threats or events identified, beginning with the obvious, and working toward the less likely.
  • A hazard vulnerability analysis tool (Hazard Impact Matrix) is used to evaluate a company’s level of preparedness.
  • Risk factors are categorized as to their disruption to the company in high,moderate, or low classification.
  • Human, property, and business impacts are evaluated and ranked from negligible to severe.
  • Prioritization of hazards is used to evaluate and determine a score below which no action is necessary.
  • The most effective triggers are identified in order to have an efficient and effective response to an incident, should one occur.

Conducting a full assessment of your organization’s site, systems and processes is simply smart business.

The sort of contemplation described above borders on the concept of Strategic Intelligence—i.e. a detailed examination of “what if” concerning your business.


  • Collection planning
  • Collection of information
  • Processing of information to create all source intelligence
  • Dissemination of the intelligence product

BGWilmotThe collection planning should be accomplished by the security officer or equivalent and the CEO. It is the CEO who needs the finished intelligence and who is familiar with all facets of the problem being examined so they must participate in the initial planning stage in order to end up with the intelligence required. They must tell the planner what their needs are and should set a deadline.

The next step is the collection of information. In the corporate world collectors can be employees, consultants or others who have access to information. They can ask questions of employees, observe operations, or involve themselves in the operation.

Firestorm Expert Council Member Brigadier General Richard Wilmot outlined this process in his paper Critical Decsion Support – World of Endless Turmoil in 2011, and it holds true today.  Download it now.

Share Your Thoughts: Facebooktwitterlinkedin