Risk and Security LLC

Risk Assessments, Training and More

accountability

Risk Assessment: How about Giving Guns Back to Former Mental Patients

A recent New York Times article explained that a provision tucked in a bill to make it harder for people diagnosed with mental illness to possess firearms, actually restores the rights of mental health patients to get their firearms back. The legislation was passed after the massacre at Virginia Tech in 2007.

One of the main elements of risk assessment is a quantitative (meaning real numbers) look at what has happened in the past. Looking at 2 or 3 years of incident reports, for example, shows how many times there has been an incident involving gun violence in a particular neighborhood, city or organization.

Another element is the history of a particular individual to see whether individuals with a diagnosed history of mental illness are MORE OR LESS likely to trigger (forgive the pun) – a violent incident.

If we run that scenario, we will find that individuals who previously had a violent incident with a firearm are MORE LIKELY than the standard population to have another incident.
And that especially holds true if other threat indicators are present, for example:

Termination from a Job
Romantic Difficulties
Foreclosure
Difficult Economy

There is a ‘risk multiplier’ effect that takes place that makes the risk higher. By combining different sets of threat categories with areas of weakness, we can create general predictions on the likelihood of repeated violent incidents.

Do the math – it doesn’t make sense for people with a history of mental illness to get their guns back!



Lessons I Learned from little Caylee Anthony

Caylee Anthony and Lessons Learned

Everyone who has watched this case found it compelling and fascinating – like watching a cobra ready to strike.

This case caught my attention right in the beginning, and what a great job #Nancy Grace and HLN did in keeping the pressure on, assisting with the search in the beginning, and actually finding photos, etc.

My daughter-in-law wasn’t pregnant when this trial started, but now she and my son have 18-month-old twins, and we are all watching this trial together. I started out disliking the Anthony parents, but now that I’ve seen Cindy and George break down on the stand and now that I understand the critical role of grandparents, I have sympathy for them.

Here’s what my lessons learned include:

1.  If you are a grandparent and thinking something is wrong – don’t wait.  Who cares if your child thinks you’re nuts, you are an advocate for a child too young to protect themselves.  Grandparents can save the lives of their grandchildren when young parents are overwhelmed.

2.  Lock up the swimming pool.  Whether it’s an in-ground or above-ground pool – it’s too dangerous for children who can’t swim.  Take extraordinary steps to keep that pool out of reach of any children.

3.  Don’t tolerate lying from your children when they are young.  This must be a lesson that is taught when children are young.  Lying is not right, and not acceptable.  When you are in your twenties, or even in high school, it’s too late.  This tragedy was compounded by the constant lies of Casey Anthony.

4.  Love and enjoy your children every day because life is uncertain and you may never get another chance to say how much you love them, and how much they add to your life!



A Message for Politicians on the Fourth of July

Another happy fourth of July barbeque, red, white and blue flags waving on porches across America.   The politicians are out in force, speaking at parks about the future of America.

But it seems to me that they no longer really put the USA first.  Instead, they put their job first, their party first, their lobbying interests first, and the USA fits in somewhere after that.

We have all seen what happens in divided countries – we learn about the US Civil War, we watch what is happening in the Sudan, we observed what happened in Bosnia and Serbia – and what is happening in #Tibet.

Our country, the citizens AND the leaders, need to start working together, and make the good of the country more important than artificial party differences. 

All over the world people want exactly the same things – a safe, decent place to live, enough food, clean water, a good education for their children – AND a way to get ahead by working hard.

I hope today that someone reads this and finds a way to get this great country back on track by discussion and agreement and coming together, instead of creating artificial distinctions between Americans based on party allegiances.  Our first allegiance has to be to America!



Unsnarling political differences based on Type preferences

A key component of decision making is laying out all the options to make an informed decision.

Watching the angst of the political parties trying to solve the debt problem shows that they are both charging around saying their favorite rallying cries, which does not promote dialogue, but just inflames the other party.

Think of these two parties, Dems and Repubs, as made up of two TYPES of individuals.  The MBTI (Myers Briggs Type Indicator) personality test is made up of 16 distinct types of people and you can summarize and put them into two main groups – the Traditionalists and the Innovators.

See if this sounds familiar – Traditionalists like for things to stay the same, they always support the status quo.  They dislike change for change’s sake, so they don’t want to raise taxes.  They like to keep a strong sense of order so they are often military, law enforcement, corporate titans, etc.  They are often presidents of associations and organizations and they are great at keeping things running efficiently.

Innovators want to explore and try new things – in life AND in politics. They want to get out of Afghanistan and put in a new tax structure, and reinvent old institutions, instead of cherishing them, as the Traditionals do.

Both these groups have great contributions that they make to society – Traditionals keep things organized and running and Innovators find new, better ways of doing things.

Innovators are always searching for the next new thing so it’s no coincidence that California has more than its statistical share of Innovators – they kept going west, and kept looking until stopped by the Pacific Ocean.

Type preferences are set before you are 5 years old and indicate preferences for your entire life.  I am already seeing types emerge from watching toddlers under the age of 2.

When you understand the values of the other party, according to type preferences, you can have a more civil dialogue because you can now understand where the other side is coming from, so to speak. 

You can find out which type you are,  or just find out more about the MBTI at www.myersbriggs.org.



Using Risk Assessments as a Business Process

Risk assessments are increasing in utility and popularity – being used for everything from compliance to safety assessments, and used by financial institutions, healthcare organizations, manufacturers, governments of the world and think tanks.

Many regulators require formal risk assessments on everything from gauging political risk in an unstable country, to protecting consumer financial information, to assessing workplace violence potential.  

Here’s a definition of a risk assessment:   A process to determine what controls are necessary to protect sensitive or critical assets both adequately and cost-effectively. Cost effectiveness and Return On Investment (ROI) are required elements of a risk assessment.  

A risk assessment is not a democratic process where the most popular answer wins.  It is not consensus driven.  Instead, it is a business process that manages a security function.   Security is very process centered.  Because security often consists of many different elements which are critically important, such as managing network access,   it makes sense to manage it as a process.

According to the statistics, risk assessments are way up in popularity in 2011.  Maybe it’s economics – maybe it’s a result of the previous economic downturn, but the requirements for risk assessments have never been broader, and there have never been more of them than there are now.  Here’s a partial list:

The Joint Commission
HIPAA, HITECH, NIST 800-66
FFIEC, BSA-AML
ISO 27001 and 27000 series; NIST 800-53
Red Flags Identity Theft
NCUA Part 748
FEMA 426, FEMA 428

The exercise of doing a risk assessment affords a level of protection which is related to how many other people actually contribute to the risk assessment results.   Using an online compliance survey as a participatory measure takes the onus of absolute responsibility away from the manager/analyst and distributes it throughout the organization where it belongs.

Obviously people are a critical component of information security.  In a risk assessment, people are also important to include because they are able to report what’s going on in their workplace every day.  How can one analyst know enough to do the entire risk assessment by themselves?  They would have to be everywhere at once – in the morning, late at night, on the weekends, and also be able to channel the work of everyone from the newest tech support person to the director of the data center.   And the inclusion of a variety of individuals adds weight and power to the risk assessment.

The true value of the risk assessment is in the cost benefit analysis, which details what controls need to be implemented, how much they cost and how much they would protect the organization by either preventing threats from occurring or by mitigating the impact of the incident if it occurs.

While the analysts may be accountable for the reporting or analysis of potential risk, the responsibility for any action that needs to be taken is up at the C level, or with the Board of Directors.  In fact, in the FFIEC IT (Federal Financial Institutions Examination Council Information Technology ) Handbook, they spell out, “The Board is responsible for holding senior management accountable”.  Often we have found that the actual President of a bank or credit union doesn’t always KNOW that he is going to be held responsible – this information is down another level in the organization.

I recommend getting management to sign off on the basic assumptions,  in writing,  in the course of completing the risk assessment – and of course, on the final reports. Areas where senior management can review and approve include: 

  • Calculation of asset values, including the value of the organization in total
  • The potential costs of implementing different controls, singly or in combination.
  • Validating which controls are currently in place and how well they are working.
  • The conclusions from the draft report, and the final report.

The analyst is just the messenger, doing the work of assembling the risk elements and calculating their potential results.  But senior management makes the final decisions on each element.   There’s nothing like a signature on a piece of paper to foster a climate of accountability. 

Risk Assessments have the potential to save corporations and governments millions of dollars by basing decision-making on real analytics, instead of just guesses – plus they are an essential element of compliance.  These are good reasons to evaluate whether it’s time for you to do a Risk Assessment!



A Short Note on Father’s Day

A Father’s Day about Remembering

My father was a teenager during the Depression.  That means there was no college for my very intelligent and very creative father.  Here are some of his best moments, commemorated in a great photo of him barbecuing on the green Weber grill, wearing only swim trunks, a big chef’s apron and a chef’s hat!

When I was sixteen, I went outside to tell my father that I didn’t believe in the Easter Bunny anymore, so he didn’t have to go through the whole Easter Bunny drill which included getting up in the middle of the night and putting pieces of cotton on the underside of the chain link fence, so he could take us outside and say, “The bunny was leaving your Easter baskets and he heard you waking up and he ran out so fast, he left a little bit of tail on the fence,” and then he’d bend down to show us the Actual Easter Bunny evidence.

Finally, after an hour of discussion – he said, “OK – you win, I’m the Easter Bunny”.  I locked myself in my room and cried all day.

My dad always made the best of whatever happened, a lesson he passed on to me, the eldest child.  He always had a job – usually a great job with perks like boxes of oranges and pears at Christmas, and he taught adult Baptist Sunday school for 36 years.  What a commitment.

My dad should have been an artist, because he had the most beautiful handwriting, and could draw anything.  One of the great things he did for us was put together a whole book of photos of us for our 21st birthdays.  Mine had a Winnie-the-Pooh theme, totally illustrated, of course.  It included a list of all the 20 songs I could sing at the age of 2!

My dad was also a fantastic grandfather to my two sons and they were only in their teens when he died, way too young, at 72.  He still swam 60 laps of the pool every day. 

Daddy, I think about you all the time, and wish you were here.



Workplace Violence Against Hospital Staff Discussed

Just got back from a regional meeting of hospital security officers in Myrtle Beach. Aside from the T’storms every night – and the college kids shooting off bottle rockets, it was a great conference.

It reinforced my feeling that violence against hospital staff is one of the biggest challenges facing healthcare professionals. Vermont passed a law this week making violence against a healthcare worker a FELONY instead of just a misdemeanor. That’s progress, similar laws are being passed in other states, too. The governor of Vermont signed the bill on May 12, 2011. Congratulations to Vermont — they were first on this important issue.



Arming the Office – What Happens When We Let Employees Bring Guns to Work

One of my colleagues wrote to me so passionately about the terrible gun violence he witnesses every day, that I wanted to share it with all of you.  You can call it a ‘Guest Blog’ from the Field — a Hospital Security Director in a Major U.S. City.

The gun lobby had several recent legal “wins” for the gun rights advocates in Texas, Indiana, and Tennessee.   Apparently lawmakers and gun rights advocates find it a sane and reasonable  policy to open up the workplace to armed employees.

It is also clear that our lawmakers are not satisfied with our current national gun carnage. Currently, we shoot to death about 100 people a day in the United States, including 25 children killed every three days.  And this tally accounts for only those killed by guns.

This doesn’t include all those I see on a daily basis who are shot, crippled, maimed and ruined by the daily shooting gallery in the USA.   In order to continue to make money and sell more guns, the gun rights advocates, and  the legislators they have paid off, corrupted and stripped of reason,  are intent on even greater carnage and human tragedy.

Every day I witness the extreme becoming mainstream, and even commonplace.  Guns are now finding their way into the workplace, brought into churches, brought into our colleges and universities. They are brought to hospitals, and shot off over highway bridges.

The logic is totally missing.  We are already a nation awash in fear and loathing.  We hate people  we don’t know and don’t understand.  The answer to this problem is NOT to arm EVEN MORE people and have guns readily available to everyone.

Obviously, the recent horrors of Arizona and the slaughter of innocent people in a Safeway parking lot have already been forgotten by security professionals and criminologists.  There is no condemnation or follow-up about a terminally troubled young man and the ease with which he purchased a semi-automatic pistol and 30-shot clips.

There has been no rallying cry to address the ease with which tormented and troubled and dangerous individuals on the margins of our society can easily obtain weapons of human mass destruction.  These realities are not relevant and cannot be discussed. And in today’s political climate to even MENTION this makes one a pariah, or a “liberal”, or a “communist”.

 I have been in the Security and Prevention profession for over 35 years, so I can easily dismiss the attacks from gun rights advocates and zealots.  And in fairness,  I have found many gun rights people to be in fact reasoned and decent and willing to engage in reasoned discourse.

What troubles me, and why I wanted to write directly to YOU,  is that the vast majority of professionals in the Security profession totally bypass, ignore and in fact, minimize the reality and tragedy that is our national gun slaughter.   As a profession,  we have done nothing to challenge these trends,  or address them, or at the very least,  debate the current flood of laws designed to turn American work places into armed camps.  

And this in my view is nothing less than a tragedy.



Does Being on TV Make Us Better World Citizens?

To quote the character in the 1995 movie, “To Die For” — “You’re not really anybody in America unless you’re on TV… ’cause what’s the point of doing anything worthwhile if there’s nobody watching?  So when people are watching, it makes you a better person.” So if everybody was on TV all the time, everybody would be better people.

A minor statistic – that the recent tsunami in #Japan got CNN its highest ratings since Obama’s inauguration!   What can beat the reality of earthquakes and rising water, followed almost immediately by nuclear power plants with seawater cannons blasting?   And then add the airstrikes over #Libya – all delivered in breathtaking color.

Does showing these images on TV make people more sympathetic to the plight of the rest of the world?   I think it probably does – and that it does make us better people for caring.

The social media has contributed greatly to this – working hand in glove with TV – expanding coverage to new audiences and flashing breaking news around the world.  The immediacy of Twitter and email make us seem empathetic because we are sending the news out to our social circles. 

The middle east uprisings are possible not because of just the media, but because people around the world weigh in and give political support to the protesters.  They know the world is watching and because they know they are not alone anymore, they are empowered to stick with their protests. 

And look at the payoff – the rebels in Libya make their case and the world comes to their aid.  Obviously there are other critical factors at play here, but the TV makes it all possible. 

Just five years ago, people were wondering when the One World concept would finally catch hold and we would collectively realize that we’re really all people on this tiny planet – Pax Humana, aka World Peace. 

It looks like that day has come – not because of high ideals or harmonic convergence, or universal values, but because we can tweet pictures to our friends about other people on the other side of the world.  This is true reality TV and it’s going to be a game changer for businesses and governments everywhere.



Not with a Bang…. The Japanese Nuclear Disaster

Too late to run a formal risk assessment on the dismal situation at the Japanese nuclear plants.  Obviously, the switch has been turned to ‘survival mode’.  But risk decisions are still being made, individually and collectively.

The bravery of the nuclear plant workers who stayed to continue at their posts and try to avert a full catastrophe reflects 50 individual risk decisions  by people risking their own lives for the elusive greater good. 

One of the U.S. TV morning shows talked about the risk calculation being made about whether to continue to build nuclear plants when “stuff happens”, as this double play of earthquake-tsunami proves.  

The assets which are generated by nuclear energy are large amounts of relatively ‘clean’ energy.  The risks have been underwritten by governments which support the growth of these plants by sharing the risk with the electric companies to encourage them to build. 

The threats to these plants have been addressed dozens of times and right at the top of the list are both international and domestic terrorists; followed by natural disasters, including earthquakes, tsunamis (we added tsunamis into our threat matrix in 2002),  tornados and hurricanes; followed by sabotage by insiders who work in the plants themselves. 

Personnel working in these plants are heavily investigated and also undergo continuing scrutiny of their lifestyles, checking accounts, etc., because of the sensitivity of the work they do.    US National Public Radio (NPR) reported yesterday that U.S. nuke plants have a failure rate of 40% on security inspections – and that’s when they get TWO WEEKS ADVANCE NOTICE of the inspections.  What if they got no notice?  What kind of results would we see?

One of the major risk correlations in formal risk assessment is the Threat-Asset ratio, which means, for example,  don’t build a nuclear plant on an earthquake fault line.  If the threat is too high, it increases the probability that the asset (the plant) will be compromised and could experience a loss, based on a threat occurring.

The standard list of controls is also analyzed and these can range from specific security controls to having multiple backup power sources (that DO NOT DEPEND on electricity).  Obviously, when this control was no longer viable due to the natural disasters, that’s when things started to go rapidly downhill.

Without electricity to keep the cooling activities running, you have to start to look at the possible losses that could result from the event.   The nuclear power equation is especially worrisome because radioactivity is not only instantly fatal, but it can be blown around, and it is FOREVER.  It doesn’t burn itself out in a few days like a fire, or dry up like a flood when the sun comes out.

The risks/potential losses can include:

Loss of life of plant employees
Loss of life of the surrounding population – to 5 miles, 50 miles, 100 miles, farther?
Loss of the electricity that cannot be generated and what that means to a country.
Loss of the plant itself – as a replacement cost of billions of dollars.

The problem with the nuclear power risk equation is that the biggest potential loss is the contamination of one, two or multiple countries, possible permanent radioactive contamination of the ocean, or, in a very worst case, loss of the planet.

As this latest disaster proves, the potential loss is so high that even twenty years of extra electricity don’t seem worth the risk, especially if the calculation includes plants built in areas susceptible to the list of potential threats, exactly like earthquakes.

We’re running a set of scenarios that will continue to evolve as the situation stabilizes or possibly gets even worse. It seems that Mother Nature is controlling events now.



