Physical Security Risk: know how to assess it

 

Many small to medium-sized businesses (and even large enterprise businesses) and governments have limited budgets overall, let alone budgets for spending a lot on risk and security.

Before you do go and spend a lot of capital on risk and security mitigation measures (aka security cameras, access control, bars and locks, lighting, training, fencing, etc.), you need to know what you’re buying for.

That is, you need to know what risks you are addressing.

Having a Risk Assessment completed on your municipality narrows the focus of your spending and aligns your purchasing with the specific types of risk and security mitigation measures you need.

To get a little technical…Risk assessment is the overall process of risk identification, risk analysis and risk evaluation. It involves the process of identifying internal and external threats and vulnerabilities, identifying the probability and impact of an event arising from such threats or vulnerabilities, defining critical functions necessary to continue the organization’s operations, defining the controls in place necessary to reduce exposure and evaluating the cost of such controls.

That is a mouthful. Let us break this down a bit.

If you have a threat, but there is no vulnerability, then there is no risk.

If you have a vulnerability but no threat, no risk.

Perhaps something many can relate to, you went online and purchased some products, and they are set to be delivered to your home. And no, we are not going to discuss online security…a topic for another day perhaps.

The packages are delivered to your home. But because of your daily routine (errands, going to the office or the shop), you are not always home. The shiny object is the packages just delivered. The vulnerability, sometimes referred to as a gap, is that you are not home and the packages now sit on your front step unattended. The threat is that someone will take those packages right from your front step.

So, going back to the assessment. The key is once you know what your largest threats are (and yes you need to be able to determine that), it is important that you take action (implement risk and security mitigation measures) to lower your vulnerability.

Why not eliminate the vulnerability?

Great question, thanks for asking.

Eliminating the vulnerability may not always be possible.

Some business sectors and industries simply have built-in threats. But, if we focus on lowering the vulnerability, we lower the risk of a loss.

The assessment is complete, and we have identified risks. The next important step is finding the risk and security measures that are going to be the most effective in mitigating the identified risk. These measures come in all different shapes and sizes, video surveillance, locks and safes, lighting, security focused training, etc.

When in doubt, reach out to us or find your trusted Independent Risk and Security consultant.

Yes, we highlighted Independent. That is definitely a topic for another day.

It all starts with a conversation.

We can Help.

Plan the Work. Work the Plan.

Should your Municipality need assistance, contact Michael White Group today, and we will be happy to answer your questions or provide quotations.

 


Do you know what you want or need?

It is important that you know what you are asking for…so that it’s not risky.

You have asked for an Assessment. Stakeholders are concerned about security. Is the goal to look to identify your Security Risks, Threats, Consequences or Vulnerabilities? Or all of them? Collectively, there is a formula for that.

Risk = Threats + Consequences + Vulnerability

Do not be taken in by someone who says all assessments are the same.  A risk assessment, threat assessment, vulnerability assessment, security audit or even a business impact analysis are not the same as each other.

Square peg, round hole.

A Threat assessment looks to understand what entities may have an interest in creating a security concern or problem for your organization.

A Security Audit is a validation or verification that the security measures currently in place are actually in place and doing what they are intended to do. This audit focuses specifically on the effectiveness of security and determines if a known vulnerability is being addressed. It does not measure risk.

Vulnerability Assessments look to understand both consequences and vulnerabilities. Threats, however, are assumed to be at a high level within a vulnerability assessment. At the end of a Vulnerability Assessment, organizations quite often implement increased security measures to address the vulnerabilities and lower the consequences. This happens because the level of threat and the probability of an occurrence are not actually analyzed.

The Consequence focused Business Impact Analysis identifies the most critical of assets to an organization and sets out to build resiliency around these identified assets, most commonly as a business continuity plan.  Business Impact Analyses do not address threats or vulnerability.

The Risk Assessment is the most effective means of determining security adequacy as it considers all three elements of risk – threat, vulnerability, and consequence.  A Risk assessment should be the methodology of choice if you are seeking to determine your security adequacy and avoid the potential pitfalls of not having all of the information.

But all is not lost. It is okay if your organization needs to conduct only one or several of the assessments mentioned above. There may be cause for you to do one assessment over another, resulting in a more intimate understanding of that particular assessment’s output.

We can assist your organization in determining which of these assessments is best for you given your organization’s current security risk landscape.

We can Help.

Plan the Work. Work the Plan.


An Artist’s Eye to Risk & Security Program Success

 

 

Michelangelo famously created the sculpture David and JK Rowling famously revealed characters that already existed. Two completely different types of artists and art.

But how did Michelangelo actually approach this masterpiece? Did he take a stone and begin to carve, and David was eventually the result, or did he know that David was already in the stone and he had to carve away the waste to reveal him? JK Rowling did the latter.

Which approach applies to your organization?

Do you work to reveal the security practices that are already intuitively embedded by hard-working staff doing the right thing and expand on these, or realize that you need to start fresh and create something new?

Let us take a look. Your organization is well established. Many operational and strategic programs and processes are in place. But you are now faced with ramping up your security program. Create policies, procedures, establish the

With both approaches your personnel, all personnel, security or otherwise play the most significant part in the immediate and continued success of your Risk & Security program.

At a high level, your Risk & Security program has 3 major components:

  1. Plans/Procedures: you need purpose, direction, and accountability
  2. Hard/Soft tools: software, hardware, technical systems…such as cameras, card access, etc.
  3. And the third piece that actually holds it all together and makes it work, people (personnel).

Of course, while the various plans/procedures, technical systems and devices assist in the assurance of security, it all ultimately boils down to personnel.

But they don’t just get there on their own.

There needs to be a commitment within your program to educate, cooperate, and involve personnel to be successful.

Not sure where to begin? We can help.

It all starts with a conversation.

Plan the Work. Work the Plan.


Check please!

Is your security risk management, business continuity and any other resilience program you have simply to prove you have one? Check the box, so to speak? It’s perhaps stable, reliable, unchanging?

Then you have a problem. You’re doing it wrong.

Your programs should be designed to generate improvements. There should be a built-in restart of the assessment process. The cycle should ensure improvements re-align to the overall business objectives. Your improvements should replace those areas of the program that don’t work, are unnecessary, and need revitalization.

We can help. We can help get your program from simply sustaining itself to regenerating, restarting, re-aligning, replacing, and revitalizing itself so that it works when needed; so that it works for you. We can help get your program working for you.

It starts with a conversation.

Plan the Work. Work the Plan.


Digital Solutions for Canadian Municipalities

The past few months have been challenging for everyone as we change the way we live, play and work. Many industries have been forced to pivot and find digital solutions to continue serving their customers in the “new normal”. Canadian municipalities are no different. With many municipal offices closed to the public or working at a reduced capacity, there has never been a better time to start introducing digital solutions to work safer and work smarter. Here are some great digital solutions from Canadian muniSERV members to get you started.

Citizen Engagement/Customer Service

 AccessE11 is a Municipal 311, Citizen Issue and Relationship Management platform designed to provide small to mid-sized municipalities with a simple, cost-effective means to manage citizen issues. The platform drives simplicity, reduced administration, stronger decision making and better compliance across specific areas of focus within local government operations. Citizens can report issues and monitor the status of their issue digitally, improving customer service and operational transparency.

Smart City/IoT

 Trilliant has revolutionized how municipalities, cities, energy providers and utilities manage their mission-critical operations. Trilliant connects the world of things (IoT) and incorporates Smart City functionality to new or existing networks. Municipalities can improve the efficiency of their offerings through the implementation of things like advanced metering infrastructure for water, electricity and gas, smart street lighting, smart network sensors and so much more.

Treasury

Clik2Pay is a customer billing payments solution that allows citizens to receive and pay their tax bills or other municipal invoices directly from their smartphone. Municipalities benefit from quicker payments and simplified bill collection, all for less than it costs to pay by debit or credit card.

Payroll Efficiency

Mother Clock Inc. is a fully integrated time tracking payroll platform that is modernizing payroll technology. This tablet-based time tracking service is the solution for businesses that want to abandon paper-based processes. Mobile employees can use their smartphones to clock-in/out with GPS time tracking, increasing accountability.

Cyber Security & Training

 RiskAware provides municipalities with an Information and Cyber Security advantage through governance, training, education and risk management. They can help you assess your digital risks before getting started.

Digital Transformation Consulting

 ArchITectAbility provides IT Advisory, Assurance, Architecture and Governance expert services as well as Business Process Re-engineering offerings. If you’re not sure where to start your digital transformation, here you go!

These are just a few of the great Canadian companies that are helping municipalities go digital. 

Search our Find a Consultant database by service, business name, province or city, for even more of our members’ innovative digital solutions, to help municipalities simplify processes and find efficiencies!


Immunity

 

No individual, no organization, no place is completely immune from some form of disruptive event. Pandemics, epidemics, financial and government unrest, and terrorism come on top of the myriad natural disasters, and the consequences of those events, that countries, states, provinces, cities, large enterprises, and small and medium businesses could all experience.

With these disruptive events, all of the aforementioned entities have difficult decisions to make with regard to their investment in response (and to what level of response), what level of security and what level of operational capability they need during and immediately after these types of events and others.

How do we reduce the impact of disruptive events?

Invest in enhancing resilience. Organizations require the ability to prepare and plan for, absorb, and recover from disruptive events.

Building resilience, maintaining resilience, staying resilient.

Being resilient allows organizations to be better equipped to anticipate disruptive events, with the expectation that losses are reduced.

Disruptive events will continue. A proactive approach to enhancing your organization’s resiliency will reduce the economic, reputational, and operational effects that disruptive events can cause.

It all starts with a conversation.

We can Help. We’ve helped organizations enhance their resiliency, and will continue to do so with a collaborative approach and transparent communication.

Plan the Work. Work the Plan.


Risk Complacency

Why should you have a cyclical strategy to your risk and security?

Risk Complacency. You run the risk of being complacent. The one man-made hazard that is probably the easiest to avoid and the largest threat to any sized business, organization, government, event, institution, and book club. Okay, maybe not the book club.

 

So, what happened?

It was quiet. It was nice; there was a sense of security. Unfortunately, that feeling is usually supplemented with a lack of awareness: a lack of awareness of threats, of dangers to your organization, of those deficiencies that slowly creep up yet can quickly hammer down all the previous work.

Plan out the work to get your organization on a cyclical strategy to address, manage and mitigate your risk and security threats.

Once planned out, execute the plan. Do what you say you are going to do…and don’t stop.

Need help? We can Help.

It starts with a conversation.

As we say…Plan the Work. Work the Plan.


Organizational Resiliency – What else is it good for?

What else does organizational resiliency do for the organization aside from being able to carry on during and after a disruptive event?

  • Reduces stress – it reduces stress in those managing and working prior to, during and after an event
  • Increase in trust and confidence – employees believe in the leadership, each other, and the plan to move through an event
  • Reduces absenteeism – people are comfortable and confident in the decision making of their peers and the responsibilities they have
  • Improvement in physical health and wellbeing – with strong mental health comes stronger and maintained physical health
  • Productivity increases – a happy workforce wants to produce
  • An alert workforce – reduction in accidents and workplace injuries
  • Learning power – with overall personal health and wellbeing comes the drive, adaptability to learn and the willingness to be flexible in the event of change

There are other benefits to making your organization resilient that are not just about the bottom line.

We can help your organization in building your risk and security management program resiliency.

It starts with a conversation.

We can Help.

Plan the Work. Work the Plan.


Pandemic/Epidemic Business toolKIT

We are deeply focused on keeping your employees, customers, and suppliers safe while working, visiting, or conducting business at your facilities and supporting your business operations.

The Michael White Group International and Hilt International Security have partnered to create a dynamic resource that is continuously growing, developing, and being revised to keep you informed of the latest requirements, new best practices, and procedures.

As we all continue to navigate our ‘new normal’, we have tapped into our global resources to develop a toolKIT that lays out processes to raise awareness of new health and well-being protocols and potentially helpful practices for cross-functional teamwork, operating discipline, and training for employees.

While it is not a one-size-fits-all approach, the Pandemic/Epidemic Business toolKIT includes practical recommendations, based on guidelines from Health Canada and the World Health Organization, that could be tailored for different businesses (when required) to address various scenarios they may face when returning to work. Regular updates will be made to the toolKIT based on real-time feedback. The toolKIT covers a wide range of topics, including:

  • Step-by-step guides for setting up a pandemic response team
  • Cleaning and disinfection procedures
  • Staggering shifts and lunch breaks and other physical distancing strategies
  • On-site health screening
  • Protocols for isolating employees who become ill at work
  • & more.

This has been a difficult time for everyone, and re-establishing a workplace where employees feel comfortable performing their jobs safely is a multi-faceted challenge. It is our hope that by developing and providing this resource we can help your organization accomplish and adapt to the new operating protocols in today’s still ever challenging conditions.

Should your Municipality be open to exploring the need, whilst accessing our toolKIT to assist you during the re-opening and re-populating of your facilities, contact Michael White Group International today, and in partnership with Hilt International Security we will be happy to assist.

 

 


Is Your Municipality Ready for a Disruptive Event? Business Continuity Planning 101

Every municipality needs an Emergency Management Program.

There are a number of components that make up a comprehensive emergency management program (e.g. Emergency Response Plan, Business Continuity Plan, Communications Plan, Employee & Family Support Plan, Pandemic Plan, etc.).

When I was with the Office of the Fire Marshal I was responsible for emergency management and the development of these plans for the OFM. And now in these times of global uncertainty, I am once again reminded of just how important it is for organizations to have them – and particularly a Business Continuity Plan (BCP) in place.

What is a BCP?

A BCP is a plan that outlines the critical services to be delivered during a disruptive event and how full operations are going to be resumed after the event.

A good rule of thumb to keep in mind is, your BCP needs to address planning/mitigation, response, recovery and restoration.

Generally, a Business Continuity Plan outlines:

  • Who is responsible for recovery actions

  • What is needed to deliver, resume, continue, or restore the municipality’s services

  • Where to go to resume operations if necessary, and,

  • How the municipality’s critical services and operations will continue to be provided during a disruptive event (detailed procedures for provision, recovery, resumption and restoration of services)

Basic Elements of a BCP

It is important to remember that while the unique characteristics of your municipality must be reflected in the plan, the basic elements detailed below represent the foundation on which every BCP should be built.

  • Gather the necessary Baseline Information – This is used to identify municipal services, where the service is located, who uses the service, dependencies, alternate service delivery, critical infrastructure, etc.

  • Conduct a Business Services Risk Assessment – Needed to help identify areas of potential vulnerabilities and to examine current and necessary control measures to mitigate threats.

  • Undertake a Business Impact Analysis – Gathers information concerning the exposure and impact on the service should the service experience significant disruptions and assesses the potential financial and non-financial impacts of a disruptive event.

  • Develop a Business Continuity Recovery Strategy – Assesses the advantages and disadvantages, estimated associated costs and determines the recommended strategy for each critical service and the resources that may be necessary for quick recovery.

  • Identify Emergency Response and Operational Protocols & Procedures – This is a checklist of protocols and procedures that help to simplify the necessary activities even further (e.g. notification protocols, call trees, etc.).

  • Create the Business Continuity Plan

Of course, once it’s completed don’t let your BCP collect dust. Keep it dynamic by updating it to reflect any changes to personnel or processes, and practice it with your team so when a disruptive event occurs, like we’re experiencing now with the COVID-19 pandemic, your organization will be ready and well prepared to resume operations.

If you’d like to receive a free Business Continuity Plan template to help you get started or information on any of the other emergency management plans mentioned, please feel free to contact me. Susan Shannon at s[email protected]
