Risk and Security LLC

Risk Assessments, Training and More

This content shows Simple View

Caroline Ramsey-Hamilton

Wondering Which Security Controls Offer the Highest Protection for Less Money?

Security Controls can be incredibly cost effective or astronomically expensive.  And when you’re faced with a facility or a school campus, or a system that has to be secured, but you also have a budget to keep in mind – what do you do?

The simple answer is ROI – Return on Investment.  This simple calculation compares the Cost of the Proposed Control to the Protection is Provides and that creates the magic ROI Number.

Here’s an example:   A hospital near the New Jersey shore wants to create a new emergency ops center.  They have the space,
but it would cost about $250,000 to build it out.  Here’s what we look at – how often would they use an emergency ops center?

Threat data shows that they would need to use it about 3-6

Operations Center (OPS)
Operations Center (OPS)

times a year, including severe storms, thunderstorms and hurricanes.

(After Hurricane Sandy, the hospital was closed for two days because they were not able to resume service right away.  As a result, the hospital lost about $2,000,000 per day because it could not bill for any services, none could be provided.)  

So we take that lost $2,000,000 per day and say that if we could keep the facility open because we had a better operational center, we could easily save 2 days of revenue which is $4,000,000 for the 2 days, and if it cost us only $ 250,000, and saves us $ 4,000,000, that’s a Return on Investment of SIXTEEN to ONE, 16:1.

Say it saved us 3 days of revenue a year – that’s a ROI of TWENTY-FOUR to ONE, 24:1!

You can get more info by writing to me directly at caroline@riskandsecurityllc.com and requesting a webinar invitation,
or a copy of the video.

 



New App does a Workplace Violence Baseline Assessment

New Workplace Violence Prevention App helps companies do an OSHA Violence Baseline Assessment

DATELINE:    Boca Raton, Florida,  March 12, 2013

Workplace Violence in US companies is a problem that is getting worse.  Workplace violence is a serious recognized occupational hazard, ranking among the top four causes of death in workplaces during the past 15 years. More than 3,000 people died from workplace homicide between 2006 and 2010, according to the Bureau of Labor Statistics (BLS). Additional BLS data indicate that an average of more than 15,000 nonfatal workplace injury cases was reported annually during this time.

The latest figures show that high-risk organizations like hospitals, behavioral health treatment, home health workers and late night retail establishments are at a dramatically increased risk for experiencing a violent incident at work.

OSHA, and over thirty state government regs recommend that companies do an annual Workplace Violence Basement Assessment, but these are time-consuming and difficult to manage.

To solve the problem,  Risk & Security LLC has released a new web-based app, Workplace Violence Risk-Pro©, which makes security directors into Risk Professionals!

OSHA standard 3148 (Guidelines for Preventing Workplace Violence for Health Care &

Social Service Workers)and the new OSHA Inspection Directive, Enforcement Procedures for Investigating or Inspecting Incidents of Workplace Violence, from September, 2011, are both included in the new, easy-to-use application.

The program has been tested on some of the largest organizations in the US, and runs on a laptop, PC or tablet, and even on a smartphone!.  Workplace Violence Risk-Pro©  is built to be affordable and simple to use.

The web 2.0 program, includes newly compiled, updated threat databases, and automated web-surveys  based on the exact OSHA Directives.

The new program gives human services and security professionals a quick and easy way to conduct a workplace violence baseline assessment that will pass an audit!

The Risk-Pro©  model has been used for easy software applications with the Department of Defense and over hundreds of organizations, hospitals, maritime organizatons, and local, state and federal government agencies.

About Risk & Security  LLC

Risk & Security  LLC is a security risk assessment and risk analysis company with over 30 years of combined expertise in security risk.  It specializes in consulting on risk assessment projects and global application development of risk solutions.  Risk & Security partners with security companies around the world to provide state-of-the-art security expertise to analyze risk and recommend cost-effective countermeasures.

The team of risk and security experts is led Caroline Ramsey-Hamilton, who has created more than 40 software programs, and conducted more than 200 specialized security risk assessments in a variety of environments, including companies in the United States and around the world, including in Abu Dhabi, Hong Kong, Japan, South Africa and Qatar.



Why Workplace Violence is Always a Catastrophe

Workplace violence incidents are one of the most damaging events that can happen to any organization.  The good news is that workplace violence is one of the few threats that companies can actually prevent before it happens.

Unlike earthquakes, hurricanes, floods, war, and explosions, workplace violent incidents can be prevented if the organization makes a commitment to educate their employees, and give them the knowledge they need to address a potential problem with a co-worker before it gets to an explosive level, for example, making the active shooter drills part of the security program.

In many ways, workplace violence is worse than other kinds of violent incidents because it always involves a major violation of trust, and it also has a malicious component, where the perpetrator is deliberating focusing on violence against a fellow human that they know personally and may have directly worked with, sometimes for year.

According to OSHA, workplace violence is a serious recognized occupational hazard, ranking among the top four causes of death in workplaces during the past 15 years. More than 3,000 people died from workplace homicide between 2006 and 2010, according to the Bureau of Labor Statistics (BLS). Additional BLS data indicate that an average of more than 15,000 nonfatal workplace injury cases are reported every year.

As well as the violation of trust and the violence itself, the incidents usually terrorize both the victims and other employees, especially those who know violent individual and are left to wonder how they failed to recognize the danger signs.

Some organizations report that employees, even those who weren’t hurt in an incident, exhibit PTSD-type symptoms following an incident.  And the company’s reputation is often damaged, just from the publicity of the event.

One of the main controls that protect against a violent incident, is doing a Workplace Violence Assessment.  This specialized risk assessment involves interviewing employees at all levels of the organization, looking at the OSHA guidelines, such as those detailed in OSHA 3148, (www.osha.gov/Publications//osha3148.pdf).

The assessment also includes making sure that every violent, or threatening incident gets reported in a standardized way, that all the incidents are tracked, and that there is a de-escalation process that can be easily followed to prevent someone from getting to a violent stage.

There are new programs available that automate the Workplace Violence Assessment process and make it into a simple and standardized
project.  To review a standardized, data-based, Violence Assessment Report, go to:   www.riskandsecurityllc.com/.

 

 

 



How Chavez Ruined Venezuela, Up Close and Personal

My risk assessment company was contacted in 1995 to come to Caracas and work on a variety of security risk projects for
3 of the major Venezuelan companies — PDVSA (Petroleum de Venezuela, south America), and the two gas utilities, Maravan and Lagovan.

Never had been to south America, and I was worried about security so I remember buying special security devices to take with me and then one Sunday I flew down to Miami and caught the plane for Caracas!

The first thing I noticed was that I was out by the pool, and there were men with machine guns on the roof of the Caracas Intercontinental Hotel!   Later, room service delivered 7 large books, as big as encyclopedias – they were a History of Venezuela, a History of the Venezuelan Oil Industry and a few more.  I guess I was supposed to read them all by Monday.

That was the beginning of a long relationship with the people at PDVSA, many of whom became friends for life.  So I saw the downward spiral up close and personal.  First, the crime started to increase.  Places I had felt safe before, like the public square where the old men played chess at night.  Then one of the women I knew was pistol-whipped at her beach house.

Slowly, Chavez replaced the business people on the corporate Boards, and the staff, of these cash-cow companies with uneducated people with no business experience.   In a real world replay of Ayn Rand’s ATLAS SHRUGGED, these people didn’t care about maintenance, infrastructure, or security, they were the looters who wanted a total redistribution of wealth, without realizing the companies had to actually PRODUCE something to keep that cash flowing.

Within five years, as I continued to go down to Caracas, everyone I knew had left and many moved to other companies.  One married and moved to Spain, several went into other petroleum operations in the US.   An entire industry had been ruined by Chavez and his lack of understanding, or care, of the one income-producing business in Venezuela.

The currency was so devalued that I still have a six inch stack of Bolivars, the paper currency that was worth less than a few pennies apiece.

So it really is possible for one person to totally ruin a country’s economy and main industry, putting his ego and his desire for fame and power to ruin an entire country.

Fate has intervened to give Venezuela another chance – I hope they run with it.

 

 



The Active Shooter Threat and Why We Need to Stay Situationally Aware

2012 will be remembered as the Year of the Active Shooter, where terrible tragedies across our country refocused people on issues surrounding gun control.  In many ways, it’s that old argument about whether the needs of the many outweigh the needs of the few.

In many schools and hospital, it could be argued that the needs of the many to be safe, and NOT TO GET SHOT,  outweigh the needs of the few – to possess assault rifles and high capacity magazines, which allow them to kill a large number of people with almost no effort.

No matter what side of the debate you fall on,  the debate has certainly brought the debate back from and center.

And along the way, it took the Active Shooter threat from a phrase that only a few security people knew about, into a phrase that was trending on the web and Twitter.

The Department of Homeland Security made a variety of resources available to deal with the Active Shooter Threat (many can be found at  http://www.dhs.gov/active-shooter-preparedness) with tools includes a video, and booklet.

Whether you are an elementary school, like Newtown, a movie theatre, like Aurora, a regional mall, mountain resort or anything else, the number one way to counter the Active Shooter threat is to increase security awareness of the staff.

I have had teachers tell me  “my job is only to teach, I shouldn’t have to be responsible for security, too”.

Unfortunately, everyone has to be responsible for good security, or we are all at risk.  And again, there’s the trade-off (aka, the risk calculation):

Measure the inconvenience of having to keep your eyes open and be willing to report any suspicious behavior VS. being a casualty of a mass shooting, or having someone you know killed.

Looks like a pretty easy calculation to me:

Small Amount of Effort (no cost) = Big Increase in Security !!

Make sure you friends, family and staff are aware of the Active Shooter Threat!



Will the Risk of the Sequester Affect Security Budgets in 2013?

Every time the TV is on, every anchor is crying about the dreaded Sequester.

Will it have an impact on security budgets?  I have seen security budgets, especially for the facilities security departments, swing from almost unlimited budgets after 2001, to bare bones in 2009 and 2010, and thought they were trending back up for 2013.

Now, with the uncertainty about what a Sequester  actually is, (please note my use of the capital “S”), how will it affect our security departments?

Obviously, the most obvious casualty are the government contractors who’s contracts may be arbitrarily cut, and civilian managers of federal programs will see lost days and furloughs.

The trickle-down effect will probably extend to state, county and municipal governments, too.   So that means it’s even more important to start budgeting new security controls so that the most important get the funding!

One of the themes we go over in our webinar programs is how important it is to create a COST JUSTIFICATION and Return on Investment information so that you can create a business case for every control you need to improve security.

And one more thought on the Sequester – we often see an increase in crime, white collar crime and fraud when things are unsettled and people aren’t sure what’s going to happen next.

Maybe it’s a good time to do another risk assessment?  Maybe the Sequester is the next new Threat!

 

 



What Churches Need to Know About Security Risk Assessment!

the problems that churches face has changed since the 1950s.  Churches were considered “safe”, but the Sikh temple shootings in Wisconsin, shootings in Colorado Springs Churches, and the burning of black churches, have changed the security posture of churches.

Take a look at violence in churches today.  In 2008, the FBI recorded 23,547 crimes attributed to location code for “Church/ Synagogue/Temple”.  Deaths from church attacks rose 36% in 2012 according to the January 30, 2013 edition of Christianity Today.  Guns were used in nearly 60 percent of all “deadly force incidents” at churches since 1999 according to Carl Chinn who has been tracking these incidents.

Arson incidents are so widespread that the Dept. of Justice has a National Church Arson Task Force, and “Arson at churches has been a problem for a long time,” said Patrick Moreland, an executive with the Wisconsin-based Church Mutual Insurance Co., which insures 63,000 houses of worship.

No church leader, or church member wants their place of worship to become a crime scene, as the country watches it unfold on CNN.  And there’s a pro-active way to analyze a church’s security profile

And determine:

  • How Likely the Church is to have a Violence Incident
  • What Other Churches in the area are experiencing
  • What the Threat Level is in your Geographic Area
  • Exactly What Controls You Need to Add to Stay Safe

A Security Risk Assessment is a quick, easy to use model that can take streams of data and information and use these actual events to produce a simple report that can track the threat levels, and match these to potential and existing controls to see how existing controls can be implemented, what new controls need to be added, and how to do it all in a cost-effective way.

One of the key points of a security risk assessment is that it measures solutions in terms of COST-EFFECTIVENESS.  No one wants to over-spend on something and not have enough money left for a critical security element.

Out in the field, we often find that controls are not effectively implemented, or they are not 100% implemented, and if there’s even a 10% gap, it’s just like the control never existed at all.

And you don’t need to be an expert to perform a security risk assessment on your church, school, temple or summer camp.  There are new automated software applications, like Church Facilities Risk-Pro, similar to the app on your iphone, that will do the assessment for you, showing you the data you need, and even writing and formatting the reports for you.

The Control Reports become a blueprint for improving security and can become part of a 3-year plan that will protect the physical facility, the congregation, and the entire community.



A New Threat Appears – Meteor Strikes

After the meteor showers over Siberia this week, Russia put together a

Financial analysis of the damage from the meteors:

1200 injured by flying glass

             $33,000,000 in damage

4,000 building damaged

50 Acres of windows shattered

In the last twenty-five years, as the rate of climate change has increase, we have occasionally added new threats like Tsunami and ash pollution.

Now meteor showers have actually come to cause damage to companies so they are another factor to be included in risk assessments.

In evaluating threats for a risk assessment, many in the northeast would always tell me, “take out earthquakes”, we don’t have earthquakes in Virginia, Maryland, and Ohio. That changed in 2011 when the Mineral, Virginia earthquake hit during a mid-week business day.

RICHMOND, VA (WWBT) – Aug. 24, 2011. 

There was an earthquake in Central Virginia that measured 5.8 on the Richter scale centered about 5 miles south of Mineral in Louisa, depth 3.7 miles at about 1:51 p.m. The quake was centered at 38°N, 78°W.

The U.S. Geological Survey said the earthquake was centered about 38 miles northwest of Richmond, Va., about 84 miles southwest of Washington, D.C., and was felt as far north as Rhode Island and New York City. See a map of the quake from Chuck Bailey, professor of geology at the College of William and Mary.

Hospitals, government offices, dams and power generating plants,  including nuclear plants, were forced to suddenly reevaluate the long held idea that earthquakes just didn’t happen in the NorthEast.

The threat from meteor damage is the same idea.  It never happened before, but now it has happened again, if you count Tunguska as the first time.

Damage from meteor showers will now add a new category into the Threat index, even though this was the first event in my lifetime, if analyst factor in the previously known instances, such as the Tunguska Meteor Event, which did not occur thousands of years ago, like the meteor event in the Yucatan peninsula that killed off the dinosaurs, but
Tunguska occurred in 1908!   Almost in this century.

Over the next month, we’ll be looking at each different threat every week.  Sign up for my blog or access by following me on twitter at www.twitter.com/riskalert.

 



Data-Driven Security: The Best Way to Improve Security for Anything, Anywhere

How can you improve your security program?  Are we talking about a seaport?  A church?  A manufacturing facility?  A gas pipeline?  An office building?  Corporate Headquarters?   Zoo?  Hospital?  Bank?  Clinic?  City Hall?  Harbor?  Stadium?  Government Agency?

It doesn’t matter what you need to protect — if you decide it is a critical asset, it needs good, continually improving security, and
an on-going assessment program is the fastest, easiest way to get it.

If wonderful, dedicated you, (as the security pro), don’t know what’s working and what’s not, how can you improve the overall program, unless you wait for an “precipitating event”, like a THEFT, like an ASSAULT, like a FLOOD, or a HURRICANE, or a POWER LOSS, and then you immediately start working on that and making sure THAT particular disaster doesn’t happen again!
Meanwhile, everything else is slowly losing energy due to lack of constant attention.

And so let’s say you are the Super Bowl, and the power went out!  Terrible. Inexcusable.  And you’re busy getting a 2nd or 3rd backup generator to make sure THAT POWER LOSS never happens again.

This problem with this model – fixing what’s broken and ‘learning from experience’ is that it’s always a day late.  You’re always chasing after something that already happened.

Instead, you can  set up a program so that you use to continually evaluate the current condition, assess the risk, and then improve the security controls, based on THAT RISK ASSESSMENT.

Tony Robbins used to call it CANI

  • Constant And Never-ending Improvement.  You can accomplish this by setting up regular assessments and then adjusting or tweeking the security controls to adjust to the new, or more aggressive threats.
    “Regular” assessments can be monthly, quarterly, semi-annually, annually, bi-annually, whatever schedule suits you and the organization.   The idea is that by continually reassessing your last improvement,and changing the threats and risk level,
    you can create a dynamic, data-driven security program that improves the security profile dramatically, without having to
    suffer through another triggering event!
    The concept of CANI – Constant And Never-ending Improvement can breathe life into your security program, you can use it to improve your health, your fitness level, your guitar playing, your _______________________.
    You fill in the rest!

 

 



Another School Shooting Means We Learned Nothing from Newtown

Almost one month and two days since the tragic school shootings at Sandy Hook Elementary, where 20 young first-graders were shot by a crazy person with an assault rifle.

That day was one of those moments that you never forget, it’s seared in your brain and you probably know EXACTLY where you were when you heard the news start to trickle out.  I was at Toys R Us with my son and we were buying presents for his young twins.  I was checking Twitter and I saw a brief mention of another shooting.  At first it said, 3 individuals and possibly children, then 5 individuals,  then 12 children and by the time our shopping trip was over, so were the lives of 26 people, mostly innocent little first-graders. And it was only a week before Christmas.

As a security person who’s done lots of security assessments, you can’t help thinking, “What went wrong?”  “What could have prevented this atrocity?”  And there are dozens of potential solutions and who knows what might have made a difference.

Then there’s the day that President Obama signed 23 Executive Orders to tighten up background checks on potential gun owners,  keep track of who purchases guns, requiring federal agencies to make more background-check data available, requiring federal law enforcement to trace guns recovered in criminal investigations, and providing more training for police, first responders and school officials.  During his announcement, he said, “Let’s do the right thing!”.

We all want to do the right thing, but what IS the right thing, the one thing that will make a difference and significantly reduce gun violence in America?

These Executive Orders are a great start, but we all know the push-back that will come from Congress and the gun lobby, who still want to sell guns, even after they see a photo of a little girl shot, not once, but eleven times.

This was also a big wake up call for schools.  The public schools, colleges and universities seem to wake up every ten years and worry about security, and then they quickly forget and back into worry about academics instead of security and gun violence. Teachers want to TEACH.  Teachers often say, “Security is not my job, my job is to teach and I shouldn’t have to do anything else”.

But SCHOOL SECURITY has to be a process, not just a quick fix.  All security has to be a process.  The process starts with a clear policy.  There has to be an approved policy, whether that policy is a federal guidelines, like FEMA 428, “Primer to Design Safe Schools”, or whether it’s a security policy that mets a schools specific needs.  Without a policy, you have no place to start.

There have to be procedures written up, announced, handed out in 3-ring binders, and accompanied with education and training including drills.

There has to be training and education so people know what to do in an emergency, where to do, who to call, and how to respond.

There have to be annual security risk assessments to gauge the current threats, and measure the effective controls, and make the security program a process of continual improvement.

Without the foundation of policy, procedures, training, education and security assessments, it’s not a security program, it becomes just a grab bag of solutions that may or may not work.

For example – here are just a few of the point solutions we heard about today, endorsed by their own lobby groups:

  • Arming teachers with more guns.
  • Banning all guns on campuses.
  • Securing the school perimeter with chain link fences.
  • Doing more and better background checks.
  • Adding cameras which are constantly monitored.
  • Have an armed School Resource Officer on every campus.
  • Security Awareness courses for teachers.
  • Security awareness training for parents.
  • Giving teachers panic alarms.
  • Improving mental health services.
  • An assault weapons ban.
  • Banning high capacity gun clips.

If it was your children’s school or college, which of these elements would you choose?

Schools are a great leveler of our culture.  Everyone has personal experience with schools.  Everyone went to school once, and many have children in schools, or friends in schools, or know staff and teachers who work in schools, so schools are like a touchstone.  But you could also say “Hospital”, or “Train Station”, or “County Offices” or “Movie Theatre” and to protect these things, there has to be a security program in place.

We, as the security community, are the guardians of society.  We protect things of value.  And nothing has more value than our children.  Security has many other names like safety and emergency planning, and disaster recovery and loss prevention and risk management and violence prevention and information protection, just to name a few.

As a global security community, we should make our voices heard in this great debate, because we have the experience to know what works and what doesn’t and your voices are needed now, more than ever.

This is also a time where the public discussion of security breaks through the chatter and focuses attention on something that is critically important to everyone.   Security professionals have always networked and learned from each other’s experience.

Let’s talk to each other more about what works and share this with the rest of the country.

They need us.

About the Author, “Caroline Ramsey-Hamilton is a leading expert in assessing risk facilities security, workplace violence and security for hospitals, cybersecurity, nuclear security,  and also measuring compliance with security standards like FEMA 426-428, Joint Commission, HIPAA and OSHA. She has developed security programs with the National Security Agency, the U.S. Department of Defense and the National Institute of Justice, the Department of Homeland Security and many other agencies, and has developed a school security risk program with Eastern Kentucky University.

Caroline is a member of the ASIS Physical Security Council,  the ASIS Information Security Security Council, and on the Board of the South Florida chapter of  IAHSS (International Association for Hospital Safety & Security) She received the Distinguished Service award from the Maritime Security Council, and the Anti-Terrorism Accreditation Board’s  Distinguished Service award in 2011. You can reach Caroline at caroline@riskandsecurity or thru her web site at www.riskandsecurityllc.com.  She posts breaking security & risk alerts at www.twitter.com/riskalert.




top