Security Overview
Businesses today are faced with a range of security challenges unlike any of those that their predecessors have ever faced. Among these different challenges are the physical protection of the building and the protection of data and intellectual property. This may sound like a relatively easy mission; however, each of these two types of security has a number of different elements to it, and the interplay of these elements can make the process of keeping a company or organization secure a difficult one.
For example, in terms of keeping a building physically safe, a security plan must cover the physical building itself and any equipment or supplies inside the building, and the staff and any visitors to the building must also be kept safe. (Moreover, the staff and visitors must feel that they are being kept safe, and creating that appearance can be even more difficult than actually keeping individuals safe.)
In terms of keeping data safe, a security system must include everything from appropriate encryption policies and password protocols to staff training on what information must remain within the confines of the business. This last provision must also include instructions on which members of the staff have access to what information.
The following security assessment and design has been designed for RAI, which is a for-profit kidney dialysis chain. The chain is currently expanding from three offices to eight sites (a process that should take about 18 months). As a part of this expansion, the company CEO has asked for a complete overview of its security procedures.
This review is based on the following definition of providing security, which includes serious consideration of the nuts and bolts of security while also focusing on the too-often-neglected factors of organizational structure. This definition of security can be phrased as the "intentional actions whose purpose is to provide guarantees of safety to subjects, both in the present and in the future" (Johnston & Shearing, 2003, p.15).
Current Security Design
The current security design for the firm is adequate in some areas; however, other areas are not well covered and there is a lack of an overall design or integration of the various security systems. The dialysis sites are open 24 hours a day, which has prompted the company to hire guards to escort individuals from the adjacent parking lot to wherever in the building they need to go.
The primary reason for such guards is that visitors to the sites are often physically frail. The clients are also frequently in possession of pain medication, which makes them easy targets for physical attack. The building itself has guards in it to protect the staff, who also have access to a range of medications. There have been a number of thefts of medication from one of the sites, although these have stopped in the last six months. The thefts were almost certainly committed by staff members, reflecting the fact that crime by employees (especially in terms of theft) is one of the costliest forms of crime for all businesses. The thefts stopped despite the fact that there was no change in personnel. There were a number of bulletins delivered about the thefts and two company-wide workshops were presented.
The building also has an electronic alarm system. More important than this system, however, is the system through which patient records are secured. The current system is much too loosely controlled to meet HIPAA requirements for medical record keeping. This lack of a comprehensive level of integration of records is costly in terms of labor hours and client satisfaction, and may subject the company to audits and consequent sanction.
The lack of computer security procedures has lost the company a significant number of clients because they have become infuriated over the exposure of their medical information. There is no systematic attempt to limit exposure to information appropriate to each category of staff, so that clerical staff have the same access to information as do medical staff because most information is not properly password protected.
Another very important issue is that there is not sufficiently comprehensive screening of the staff before they are hired. This has to be instituted immediately as the first line of defense to keep both the physical building and equipment (including the medications) and staff and patients secure. This lack of screening is not so problematic in terms of allowing individuals with violent criminal pasts to be employed because a basic criminal background check is conducted.
However, what is not conducted is any personality assessment of how well the individual will fit into the organizational structure and indeed how much power any individual will have to shift that culture in a more profitable, more ethical direction. Matz (2010) writes succinctly about this issue, beginning with a definition of the concept of the culture of an organization, borrowing concepts from anthropology and social psychology directly rather than the versions of these ideas as they appear when filtered through the literature of business administration. "Organisational culture is a general concept, which is difficult to explain precisely … however, the concept generally describes the social dimension of an organisation."
He goes on to describe it in much greater detail:
The social dimension within a given organisation is characterized by the social behavioural patterns of the individuals populating the organisation. Staff dishonesty and workplace violence are essential elements of the behavioural patterns within the organisation, which demand the attention of security structures. In recent years theoretical concepts encompassing staff dishonesty and workplace violence have advanced to the forefront of academic interest. (Matz, 2010)
Matz is much more interested in using his understanding and modeling of social organization to explore what can and does go wrong inside of companies, which is sensible given that he is examining security concerns:
The extensive body of empirical findings related to these particular manifestations of organisational cultural behaviour is of paramount importance in explaining organisational social behaviour. I will primarily utilize studies of staff dishonesty and workplace violence as the conceptual framework in a discussion of the cultural influences determining the nature of security structures within organisations. (Matz, 2010)
However, it should be noted that analyses of organizational structure that focus on the strong parts of that culture are also useful, and in fact can be useful in terms of improving security. As in many areas of human behavior, improving security systems combines both sticks and carrots.
Finally, a key problem in RAI's security system is that the physical security system is outsourced while the computer system is overseen by staff members. This fracturing of the security system has had the effect of minimizing the importance of the other aspect of the security system because each set of personnel feels no responsibility for the other part of keeping the organization safe.
Security Mission
One of the key problems in terms of the integration of the different aspects of the security system is that the company that runs the dialysis centers is not primarily in the healthcare business. The overall function of the company has been one of transportation, focusing on short-haul trucking. After about twenty years of focusing on trucking, the CEO at the time decided to increase the diversity of the company's business.
The company is privately held, so the CEO has definitive power to make any changes in policy that he wishes. (The current CEO is the son of the founding CEO.) The company had already begun specializing in more "difficult" forms of transportation, including transportation of medical supplies that require careful shipping methods, such as being maintained at a certain temperature for long periods of time.
With its experience with medical supply transportation, the CEO decided to buy RAI, the for-profit dialysis company. The company has expanded since this parent company has acquired RAI and the CEO is considering reducing the percentage of the company's resources that are dedicated to the trucking portion of its business and increasing the percentage of its resources that are dedicated to its dialysis centers.
The motivation for this possible shift of resources is the assessment by the CEO that dialysis is, sadly, a growing business. Short-term trucking has become increasingly less profitable and will probably become increasingly less so as fuel prices climb and regulations increase to mitigate the effects of internal combustion engines in climate change.
These specific aspects of the mission (both in terms of security questions as well as in terms of an overall business strategy) obtain for RAI. However, there are also more general concerns about security that all companies with complex operations face today. The following summarizes these concerns for any company attempting to create and maintain a comprehensive, integrated security system:
A good security policy takes into consideration the mission of the organization, the critical assets requiring protection, the threats posed and the mitigating risks against known vulnerabilities. These are all parts of a risk assessment that includes a business-impact analysis, which identifies the weaknesses, the critical assets and the effect on the company if a vulnerability were exploited. (Gartenberg, 2005)
Like all other aspects of business today, security systems often prove to be highly complex and hard (even for the participants) to identify.
The culture of an organization is like the culture of a family, a community, or a nation: Because it surrounds the people in it they often have a great deal of difficulty in recognizing to what extent policies and procedures arise from the constraints of culture and what therefore can be relatively easily changed. Matz (2010) summarizes the ways in which organizational culture both supports an organization and can blind the individuals in it to ways in which their actions may no longer be as effective as they once were:
… the essence of organisational cultures consists of a set of 'unspoken rules' that exist without conscious knowledge of the members of the organisation. Over time the invisibility of the attributes at the deepest level of the culture becomes reinforced, which further complicates access in studies or casual interviews. Values and behaviour become manifestations that reflect the essence of the culture. Accordingly, it becomes necessary to examine the functions of organisational cultures and the impact the behavioural patterns of such cultures on the organisation as a whole. (Matz, 2010).
One of the most necessary aspects of any organizational culture to examine is its security mechanisms. Because most employers feel at least some discomfort in addressing security concerns (in no small measure because they do not want to think of their own employees as possible criminals), security systems are often allowed to lag behind.
Moving Toward an Era of Total Asset Protection
Dalton (2003) argues that most firms (and this has certainly been true of RAI) move through a predictable process of creating security systems. He describes this process as follows:
Step One: Physical Security Era: The primary role is reactive loss prevention
Step Two: Corporate Security or Global Security Era: An increased integration of security into business decisions, occurring simultaneously with the emergence of employee awareness programs
Step Three: Total Asset Protection Era, characterized by 'a focus on addressing all of the corporation's assets -- tangible and intangible' (Dalton, 2003, p.23).
Dalton argues that most companies (regardless of what sector they are in) are still focussed on one of the first two steps. This is certainly the case with RAI, which must shift toward a more complete and integrated version of how to supply security.
There are two different ways of assessing how far a company has proceeded along the path to Total Asset Protection. The first is what can be considered to be a technical one, one that assesses the ways in which (for example) alarm systems are wired and connected to live personnel. This is of course important. However, even more significant is how the overall corporate or organizational structure affects the company's ability to provide total asset protection. As suggested above, an essential part of the concept of Total Asset Protection (indeed, an essential part of any well-designed security system, regardless of what one calls it) must be the acknowledgement that all of the assets of a company must be protected from assaults from both the outside as well as the inside:
[a] criminological approach should be pursued to fully encompass the conceptual framework of the relations between provision of security and organisational culture. The effectiveness of an organisation is generally exposed to both internal and external threats. Organisational cultures and security structures respond differently to these types of threats. In the following the role and structure of security will be evaluated in relation to internal threats, primarily described as employee dishonesty and workplace violence. (Matz, 2010)
While it is not essential, it is certainly in almost all cases much easier to call in an outside company to provide an assessment of a security system's faults and strengths. Precisely for the reasons outlined above when describing what an organizational structure is (that is, something that affects every aspect of how those in an organization work in such a way that they are not always aware of it), it may prove to be impossible for employees to provide sufficiently insightful reviews of the system.
Moreover, bringing in an outside security firm to assess and initiate security systems provides the advantage that such a firm is much more likely to be aware of the latest developments in hardware as well as in practice. This is hardly unexpected: Security firms, after all, are paid to do precisely this. And finally, in terms of the pursuit of Total Asset Protection, having an outside firm design the process of securing the company means that fewer employees will have access to the details of the security system and will therefore have less temptation.
Risk Analysis Model of Security
A risk-analysis model for instituting a security system is an older model than that of total asset protection and thus to some extent reflects the simpler security needs that companies used to try to meet. This does not mean that companies in fact had the need of simpler security systems but rather that they conceived of their security needs in simpler ways. Like the neighborhood where everyone keeps their doors locked, companies tend to follow the lead of their neighbors and institute only the same degree of security that other comparable businesses use.
Risk analysis can be broadly defined as any form of analysis that is used to, first, identify any and all possible factors that might put the success of any project into jeopardy. The term is usually applied to single projects but can also be applied to the overall goals of a company. One significant advantage of a risk analysis over other forms of security is that it can be used in a preemptive way. That is, it can be used as a way to predict what kinds of security problems may crop up and to put mechanisms into place to prevent these problems from becoming serious.
One way in which RAI can use this particular form of security strategy is to institute better screening of its employees as a way of looking ahead to prevent possible problems. Currently the company screens for past felony convictions but not for misdemeanors. This can be a distinct problem because many drug offenses are pled down to misdemeanor convictions, which has already allowed some previous drug-users to be employed at RAI.
Given that one of the most serious problems that the company faces is employee crime (as is true of other companies) and that the most valuable asset that the company has that can be stolen is medication, it would benefit the company to exclude individuals with drug conviction records from being hired. The company does not currently drug screen its employees. Instituting such screening might seem to be a good idea given the above suggestion to keep drug-users out of the employee pool, but the company CEO will not allow such testing, believing it to be a violation of employee civil rights.