Risk and Security LLC

Risk Assessments, Training and More

This content shows Simple View

risk assessment

Using Risk Assessments as a Business Process

Risk assessments are increasing in utility and popularity – being used for everything from compliance to safety assessments, and used by financial institutions, healthcare organizations, manufacturers, government of the world and think tanks. 

Many regulators require formal risk assessments on everything from gauging political risk in an unstable country, to protecting consumer financial information, to assessing workplace violence potential.  

Here’s a definition of a risk assessment:   A process to determine what controls are necessary to protect sensitive or critical assets both adequately and cost-effectively. Cost effectiveness and Return On Investment (ROI) are required elements of a risk assessment.  

A risk assessment is not a democratic process where the most popular answer wins.  It is not consensus driven.  Instead, it is a business process that manages a security function.   Security is very process centered.  Because security often consists of many different elements which are critically important, such as managing network access,   it makes sense to manage it as a process.

According to the statistics, risk assessments are way up in popularity in 2011.  Maybe
it’s economics – maybe it’s result of the previous economic downturn, but the requirements for risk assessments have never been broader, and there have never been more of them than there are now.  Here’s a partial list:  

The Joint Commission
HIPAA, HITECH, NIST 800-66
FFIEC, BSA-AML,
ISO 27001 and 27000 series; NIST 800-53
Red Flags Identity Theft
NCUA Part 748
FEMA 426, FEMA 428

The exercise of doing a risk assessment affords a level of protection which is related to how many other people actually contribute to the risk assessment results.   Using an online compliance survey as a participatory measure takes the onus of absolute responsibility away from the manager/analyst and distributes it throughout the organization where it belongs.

Obviously people are a critical component of information security.  In a risk assessment, people are also important to include because they are able to report what’s going on in their workplace every day.  How can one analyst know enough to do the entire risk assessment by themselves?  They would have to be everywhere at once – in the morning, late at night, on the weekends, and also be able to channel the work of everyone from the newest tech support person to the director of the data center.   And the inclusion of a variety of individuals adds weight and power to the risk assessment.

The true value of the risk assessment is in the cost benefit analysis, which details what controls need to be implemented, how much they cost and how much they would protect the organization by either prevent threats from occurring or by mitigating the impact of the incident if it occurs. 

While the analysts may be accountable for the reporting or analysis of potential risk, the responsibility for any action that needs to be taken is up at the C level, or with the Board of Directors.  In fact, in the FFIEC IT (Federal Financial Institutions Examination Council Information Technology ) Handbook, they spell out, “The Board is responsible for holding senior management accountable”.  Often we have found that the actual President of a bank or credit union doesn’t always KNOW that he is going to be held responsible – this information is down another level in the organization.

I recommend getting management to sign off on the basic assumptions,  in writing,  in the course of completing the risk assessment – and of course, on the final reports. Areas where senior management can review and approve include: 

  • Calculation of asset values, including the value of the organization in total
  • The potential costs of implementing different controls, singly or in combination.
  • Validating which controls are currently in place and how well they are working.
  • The conclusions from the draft report, and the final report.

The analyst is just the messenger, doing the work of assembling the risk elements and calculating their potential results.  But senior management makes the final decisions on each element.   There’s nothing like a signature on a piece of paper to foster a climate of accountability. 

Risk Assessments have the potential to save corporations and governments millions of dollars by making decision-making based on real analytics, instead of just guesses – plus they are an essential element of compliance.  These are good reasons to evaluate whether it’s time for you to do a Risk Assessment!



Using a Project Plan for your HIPAA Risk Analysis

When HIPAA first became a law, at the end of 1997, most healthcare organizations were so sure that it would be repealed or rescinded when Bush came into office, that they never quite got around to doing that first risk analysis.

Later, the risk analysis requirement got harder and tougher, when the Office of Civil Rights (OCR) added their guidance document in May 2010, and suggested that in addition to HIPAA Security and HIPAA Privacy, and the HITECH ACT, that organizations should also use NIST Special Publication 800-66 as a reference guide for the risk analysis and the protection of electronic Protected Health Information (ePHI).

The risk analysis has gotten more complicated, by the tightening of requirements, and by the need to include business associates, third party vendors, and an all-hazards threat approach.

Using a detailed project plan as you start the risk analysis is a good way to not only deal with the technical requirements, but also to inform management and stakeholders in the organization what a risk analysis includes, and to outline their potential participation.

There are different roles including IT users who will answer questions related to HIPAA control standards, management who will provide financial data and approve different values, and department managers, who will supervise their own staff and make sure they answer the surveys and cooperate with the analyst in a timely manner.

After the roles have been assigned, the data gathered, the reports approved, the project plan can be used to create the mitigation activites, a corrective action plan, and used to manage and track the new controls that are implemented.

If you’d like to see a HIPAA Project Plan, just email me at chamilton@riskwatch.com

 

 

 

 

 

 

 

 



Arming the Office – What Happens When We Let Employees Bring Guns to Work

One of my colleagues wrote to me so passionately about the terrible gun violence he witnesses every day, that I wanted to share it with all of you.  You can call it a ‘Guest Blog’ from the Field — a Hospital Security Director in a Major U.S. City.

The gun lobby had several recent legal “wins” for the gun rights advocates in Texas, Indiana, and Tennessee.   Apparently lawmakers and gun rights advocates find it a sane and reasonable  policy to open up the workplace to armed employees.

It t is also clear that our lawmakers are not satisfied with our current national gun carnage. Currently, we shoot to death about a 100 people a day in the United States, including 25 children killed every three days.  And this tally accounts for only those killed by guns.

This doesn’t include all those I see on a daily basis who are shot, crippled, maimed and ruined by the daily shooting gallery in the USA.   In order to continue to make money and sell more guns, the gun rights advocates, and  the legislators they have paid off, corrupted and stripped of reason,  are intent on even greater carnage and human tragedy.

Every day I witness the extreme becoming mainstream, and even commonplace.  
Guns are now finding their way into the workplace, brought into churches, brought into our colleges and universities. They are brought to hospitals, and shot off over highway bridges.

The logic is totally missing.  We are already a nation awash in fear and loathing.  We hate people  we don’t know and don’t understand.  The answer to this problem is NOT to arm EVEN MORE people and have guns readily available to everyone.

Obviously, the recent horrors of Arizona and the slaughter of innocent people in a Safeway parking lot,  has already been forgotten by security professionals and criminologists.  There is no condemnation or follow up  about a terminally troubled young man and the ease in which he purchased a semi-automatic pistol and 30 shot clips.

There has been no rallying cry to address the ease in which tormented and troubled and dangerous individuals on the margins of our society can easily obtain weapons of human mass destruction.   These realities are not relevant and cannot be discussed. And in today’s political climate to even MENTION this makes one a pariah, or a “liberal”, or a “communist”.

 I have been in the Security and Prevention profession for over 35 years, so I can easily dismiss the attacks from gun rights advocates and zealots.  And in fairness,  I have found many gun rights people to be in fact reasoned and decent and willing to engage in reasoned discourse.

What troubles me, and why I wanted to write directly to YOU,  is that the vast majority of professionals in the Security profession totally bypass, ignore and in fact, minimize the reality and tragedy that is our national gun slaughter.   As a profession,  we have done nothing to challenge these trends,  or address them, or at the very least,  debate the current flood of laws designed to turn American work places into armed camps.  

And this in my view is nothing less than a tragedy.



Does Being on TV Make Us Better World Citizens?

Does Being on TV Make Us Better World Citizens?

To quote the character in the 1995 movie, “To Die For” — “You’re not really anybody in America unless you’re on TV… ’cause what’s the point of doing anything worthwhile if there’s nobody watching?  So when people are watching, it makes you a better person.” So if everybody was on TV all the time, everybody would be better people.

A minor statistic – that the recent tsunami in #Japan got CNN its highest ratings since Obama’s inauguration!   What can beat the reality of earthquakes and rising water, followed almost immediately by nuclear power plants with seawater cannons blasting?   And then add the airstrikes over #Libya – all delivered in breathtaking color.

Does showing these images on TV make people more sympathetic to the plight of the rest of the world?   I think it probably does – and that it does make us better people for caring.

The social media has contributed greatly to this – working hand in glove with TV – expanding coverage to new audiences and flashing breaking news around the world.  The immediacy of Twitter and email make us seem empathetic because we are sending the news out to our social circles. 

The middle east uprisings are possible not because of just the media, but because people around the world weigh in and give political support to the protesters.  They know the world is watching and because they know they are not alone anymore, they are empowered to stick with their protests. 

And look at the payoff – the rebels in Libya make their case and the world comes to their aid.  Obviously there are other critical factors at play here, but the TV makes it all possible. 

Just five years ago, people were wondering when the One World concept would finally catch hold and we would collectively realize that we’re really all people on this tiny planet – Pax Humana, aka World Peace. 

It looks like that day has come – not because of highideals or harmonic convergence, or universal values, but because we can tweet pictures to our friends about other people on the other side of the world.  This is true reality TV and it’s going to be a game changer for businesses and governments everywhere.



Not with a Bang…. The Japanese Nuclear Disaster

Too late to run a formal risk assessment on the dismal situation at the Japanese nuclear plants.  Obviously, the switch has been turned to ‘survival mode’.  But risk decisions are still being made, individually and collectively.

The bravery of the nuclear plant workers who stayed to continue at their posts and try to avert a full catastrophe reflects 50 individual risk decisions  by people risking their own lives for the elusive greater good. 

One of the U.S. TV morning shows talked about the risk calculation being made about whether to continue to build nuclear plants when “stuff happens”, as this double play of earthquake-tsunami proves.  

The assets which are generated by nuclear energy are large amounts of relatively ‘clean’ energy.  The risks have been underwritten by governments which support the growth of these plants by sharing the risk with the electric companies to encourage them to build. 

The threats to these plants have been addressed dozens of times and right at the top of the list are both international and domestic terrorists; followed by natural disasters, including earthquakes, tsunamis (we added tsunamis into our threat matrix in 2002),  tornados and hurricanes; followed by sabotage by insiders who work in the plants themselves. 

Personnel working in these plants are heavily investigated and also undergo continuing scrutiny of their lifestyles, checking accounts, etc., because of the sensitivity of the work they do.    US National Public Radio (NPR) reported yesterday that U.S. nuke plants have a failure rate of 40% on security inspections – and that’s when they get TWO WEEKS ADVANCE NOTICE of the inspections.  What if they got no notice?  What kind of results would we see?

One of the major risk correlations in formal risk assessment is the Threat-Asset ratio, which means, for example,  don’t build a nuclear plant on an earthquake fault line.  If the threat is too high, it increases the probability that the asset (the plant) will be compromised and could experience a loss, based on a threat occurring.

The standard list of controls are also analyzed and these can range from specific security controls to having multiple backup power sources (that DO NOT DEPEND on electricity).    Obviously, when this control was no longer viable due to the natural disasters, that’s when things started to go rapidly downhill.

Without electricity to keep the cooling activities running, you have to start to look at the possible losses that could result from the event.   The nuclear power equation is especially worrisome because radioactivity is not only instantly fatal, but it can be blown around, and it is FOREVER.  It doesn’t burn itself out in a few days like a fire, or dry up like a flood when the sun comes out.

The risks/potential losses can include:

Loss of life of plant employees
Loss of life of the surrounding population – to 5 miles, 50 miles, 100 miles, farther?
Loss of the electricity that cannot be generated and what that means to a country.
Loss of the plant itself – as a replacement cost of billions of dollars.

The problem with the nuclear power risk equation is that the biggest potential loss is the contamination of one, two or multiple countries, possible permanent radioactive contamination of the ocean, or, in a very worst case, loss of the planet.

As this latest disaster proves, the potential loss is so high, that even twenty years of extra electricity don’t seem worth the risk, especially if the calculation includes plants built-in areas susceptible to the list of potential threats exactly like earthquakes.

We’re running a set of scenarios that will continue to evolve as the situation stabilizes or possibly gets even worse. It seems that Mother Nature is controlling events now.



After Arizona, Does Congress Need Gun Legislation, or Just More Effective Security Risk Assessments?

The terrible shooting in Tucson this week was widely seen as a wake-up call for members of Congress who probably spent at least part of the weekend wondering if their security was enough.

 I can answer their question – it is probably NOT enough.  The morphing of politicians into celebrities (call them Pol-ebrities??) is great as long as you get lots of TV time and the cameras are flashing and the contributions are rolling in.   The downside is the same one that led to John Lennon’s death – Celebrities draw the crazies.  Now that elected officials are becoming Pol-ebrities – they are becoming targets.

With proposals rolling in from all quarters, including putting a giant Plexiglas shield around the House floor, limiting the distance a constituent can stand in relation to a congressperson or senator, and many other ideas, it is clear me that what is missing is the use of standardized Threat/Risk Assessments.

 Security is always a trade-off.  How much money to spend to protect a public servant and legislator?  Is it worth an extra $25,000 per year per person, or should it be $100,000 per person per year – or should it be a million dollars?

Ask the potential target and I guarantee they are voting for the $100,000 solution.  Ask a beleagured taxpayer and they would think maybe $5000.00.  The problem is that it is impossible for an individual to do a true cost benefit analysis and decide how much money is enough?

Enough to provide ‘adequate” and ‘reasonable’ protection. 

Enough for a ‘normal event’?  What about a high-profile event?

Can you analyze it based on the numbers of people who attend a certain event?

All these questions are about 1/15th of a security risk assessment. 

Like the Department of Homeland Security – the executive protection should move to a more quantitative, risk-based model.  Traditional executive protection checklists are no longer enough.

There are so many elements that go into a threat risk assessment of an public, or private event.  We can look at the Tucson shooting and see that if the usual checklists were used, someone might have:

Checked the crime rate around the location (which turned out not to be at all relevant.)

Checked to see if any other congressperson had ever been attacked
at a town hall meeting in the last twelve months (perhaps more relevant).

These are just a few of the many checks that would have been performed prior to the event, but whether these were done partially, completely, or not at all, they are not risk-based, instead, the classic protection model is more threat-based than risk-based, when what you need is a combination of the two.

If we can create a standardized risk-based scenario for protection of these high profile Pol-ebrities, it would include all the basic information, plus data on the number of phone threats received by that individual legislator; and also, an aggregate of threats received by all legislators.  It would include blog and web searches to see how many times a particular name was mentioned or cited in a negative way.  (And yes, finding a web site that includes a rifle target signal over your district counts).

In addition, it’s interesting to get a historical perspective to see how many government representatives have been threatened, shot, stabbed or murdered in the last five years, and to see whether that trend is increasing or decreasing.

The shooting in Tucson was a workplace violence incident by a totally deranged person who had total access to his victims.   There was no advance screening, no physical barriers, no bodyguards waiting in the wings in case something went wrong.

Many of these missing elements, along with others, can be used to create useful threat risk assessments that can be standardized,   and automatically generated for all our high profile public servants to provide much more effective security for the people who need it most.  

Instead of treating each of these violent incidents as a completely isolated event, society needs to recognize these patterns that are emerging as legislators become celebrities, and that there is an increasing acceptance of violent solutions to individual problems.  These patterns need to be watched, tracked, and applied to each individual’s protection profile to improve personal security and prevent future violent attacks.



TSA – Why pat-downs are ridiculous and after 9 years – they still can’t spell R*I*S*K management. Follow the money.

Every fifteen minutes, the media is full of images of children being patted down at the airports. The media is stirring up the porridge on this story.  But think for a moment – TSA is spending 90% of it’s budget, resources and energy on passengers who are not and will never be a threat.  And that leaves only 10% to spend on legitimate and potentially dangerous travelers.  This raises several questions.

First – why?  When the DHS espouses it’s emphasis on RISK MANAGEMENT – it’s clear that they don’t follow it.  The private company that runs the screening programs makes substantially more money by screening everyone, if they only had to screen real suspects – their income (which is over $8 Billion per year) could be cut in half!

By applying the risk management principles that are in their charter – they would be able to spare the poor traveling public and spend more time and more resources on checking and double-checking the potential terrorists. 

Most rational people can watch an airport scanner line for two hours and realize it is an enormous waste of resources for very little results and testers can routinely smuggle in knives, lighters and whatever else they want.

The inability of TSA to adopt a rational approach to airport screening – and remember – they still don’t’ screen the cargo riding on the same plane – is just lining pockets including the lobbyists who have been pushing the extra-expensive full body scanners.

The justification for this big expenditure is that is avoids the dreaded “profiling”.  We should be profiling – we should be checking people who like to visit Yemen for Easter.  We should be doing intense screening of young men between the ages of 18 and 30 who have recently traveled in or out of Pakistan.

 Here’s a partial list of who we shouldn’t waste time and resources screening:

 Children under 10
Active and Retired Military
Civilian Federal Employees
Civilian Federal Partners
Members of a ‘Preferred Traveler Program’
Individuals who opt for an intensive background check
Senior Citizens over 70

But you know what they say – Money Talks… and it’s talking to me this Thanksgiving week.



The Risk Assessment – Live – and Cross-Cultural

I just got back from a great trip to the Middle East.  I spoke at a State Department conference (ISAC) Conference in Doha, Qatar and then did a full risk assessment of a large hospital in Abu Dhabi.   Besides that I loved the food, and loved the people, and came home with lots of beautiful earrings and bangles and perfume.

The great insight I got on this trip was that security problems are exactly the same everywhere… they are not based on sex, race, nationality, gender, religion, hair color, height,  politics, or anything else.   Maybe this is why the TV show “The Office” is a worldwide hit.   Organizations work the same way all over the world.  As a person who got her degree in cultural anthropology of all things — I am amazed less at the differences than I am in the similarities between organizations.

This is my 17th country that I have visited to do a security risk assessment and they all come down to these basic steps: 

1.  Identify what you want to assess.   Many times you need to cut down the proposed assessment, it doesn’t need to include things that are 10 miles away.

 2.  Write up a Project Plan to show other people what you’re doing to do – and give management a time line to work with.  (It keeps me focused – a value add).

3.  Find the dollar VALUE for whatever you are assessing, for example — How much is the facility worth?   What’s the value of one patient record – two dollars or two thousand dollars?

4.  Come up with a realistic threat profile that includes the local crime rate, some historical data for crime, cyber crime, natural disasters, fire, etc.

 5.   Ask other people in the organization how they handle security.   I like using our automated surveys because it captures more immediate data from individuals.  You can use a translator if you don’t speak the language and I guarantee you’ll be amazed at the results.  The more people you interview – the more amazing the results will be.

6.   Examine all the existing controls and see how they are being used in other areas of the organization,  are they 100% implemented?   80%?   50?  Even less?

7.  Analyze the results with good math.  This is commonly done by software, but you can also use a regression analysis model with a database program like Access –   don’t guess.    Let the numbers do the talking.

8.   Write up a simple report, illustrated with lots of color graphs and photos, so someone  can just page through the report and understand what the assessment revealed.

The best risk assessment report in the world is a waste unless it comes up with actionable results — the list of what the organization needs to do NEXT.  Some people call them After Action Reports, maybe they are called Corrective Action Reports, maybe they are called a Task List.  The name doesn’t matter, but the results matter.

The report should cover the basics of what you did, what areas you reviewed, who you talked to (or got answers from with a survey), and what you recommend should be done, based exactly on the risk assessment.  In banking and financial companies, the regulators already get the last risk assessment and ask the organization to show “where in the risk assessment did it say you should add a stronger firewall?  add a better camera system to the Emergency Department?  do background checks when you hire new people?

These are just examples,  any improved control could be used – but you will need to show the regulator exactly WHERE in the risk assessment it said you should do this or that.     In the follow up Blog – I’ll talk about how to present your findings to your management.



JOHNS HOPKINS HOSPITAL MURDER/SUICIDE IS TOO CLOSE THOME!

My summer vacation is over so I jumped right back into work by doing four webinars on workplace violence in the last four days.   I have been very concerned about the trend toward violence toward healthcare and hospital workers.

Having just researched and presented on this subject two days ago, I was greatly saddened to see it AGAIN, 30 miles from my home, at the prestigious Johns Hopkins Hospital.   Local media and CNN covered it extensively because the man shot his mother’s doctor in the stomach, apparently after his mother was paralyzed as a result of spinal surgery.  He then barricaded himself into his mother’s hospital room and eventually shot and killed her and then shot himself.

With a staff of over 30,000,  this was a major incident.  I would love to calculate how much the hospital might have lost from having the staff vacate the building for at least two hours.

This incident once again opens the debate about how to ‘secure’ hospitals, or at least to have a better way to ensure the safety and security of both the staff and the patients.  Hospital administrators continue to maintain an ‘open environment’, and don’t seem to understand that this problem will continue to increase, if there is not way to better manage access in hospitals.

On the radio today, I heard that Baltimore City Council President Bernard C. “Jack” Young said that John Hopkins security is adequate and that using metal detectors would create a hazardous situation for patients entering the building.   “Why would they want metal detectors going into the hospital?” Young said. “People go to the hospital because they got shot. People wouldn’t go to the hospital because of the metal detectors. They would stay away and die rather go through metal detectors.”  He also mentioned during the same interview that the hospital has over 80 entrances.

This exact problem is raging at hospitals all over the country, because violence is dramatically increasing in healthcare.  The NIOSH study from 2004 reported that  violence in hospitals was over four times the national average for non-healthcare workplaces.  Of course, it is now 2010 and that is a long way from 2004 – AND – we have had a terrible recession raging since 2008….

The results of an Emergency Nurses Association survey released in 2009 found that more than 50% of ER nurses had experienced violence by patients on the job and more than 25% had experienced 20 or more violent incidents in the past three years. Research showed long wait times, a shortage of nurses, drug and alcohol use by patients, and treatment of psychiatric patients all contributed to violence in the ER. 

There has been only sporadic interest in this phenomenon and no standard has emerged.  For example, a NIOSH (National Institute for Occupational Safety and Health) Publication in 2004 is called Guidelines for Preventing Workplace Violence for Health Care and Social Services . OSHA Publication 3148-01R (2004). This guide describes the special considerations surrounding workplace violence in the environments of health care and social services.

After my last column on Workplace Violence issues in healthcare, I got a few angry letters from associations and organizations saying they had been working on creating standards for this – FOR THE LAST FOUR YEARS… but amazing, they have not been published.  

There is NO standard or requirement for preventing workplace violence, only the vague requirement for employers to maintain a safe workplace.   Twenty-seven states have come up with their own ‘guidelines’.  Remember – standards are Required, guidelines are only recommended.  That means if the incident happens, the management has no liability because they did not disregard a requirement.

My regular readers will remember that I recently visited a hospital that had a murder about two years ago and even two years later, it was still having a traumatic impact on the staff who witnessed the incident. 

I am a big believer in risk assessments and I think having a workplace violence assessment REQUIRED of every hospital, and having that information aggregated nationwide and studied, would be a big step that improve our knowledge of why this continues to increase, and would also point to more effective solutions to safeguarding our hospitals.

Maybe people will start to press hospitals on this issue – after all – they may end up in a hospital some day, and probably would like to be safe and secure during their visit.

Maybe the aging baby boomers will finally demand more security in their hospitals.  I hope so.



Thinking about a Model for Workplace Violence Prevention

Since I posted my blog yesterday – I got a big reaction, which ranged from those who thought there was no need for any standards on workplace violence prevention and believes that people will should help each other.  “Work place violence cannot be stopped by legislation! Good feelings cannot be legislated!  They are stopped by a community who cares!”, one reader commented.  

Obviously, people like Omar up in Manchester, Connecticut might have been treated in a more caring manner, with as much dignity as you can give to someone stealing beer on camera, but I could not disagree more with this statement.   I’m hot on standards – and these days, more than ever, people need lots of direction on how to do their job and how to apply security-related concepts.

Have you done any hiring lately?  Some people we’ve interviewed need to have every part of their job written down for them.  There seems to be less incentive to solve a problem that is not directly in the job description.   That’s one argument for setting some kind of minimum standard for companies, to assist them in dealing with the workplace violence increase. 

Standards make life easier for everyone because you don’t have to constantly reinvent the wheel – wheels now come in standard sizes, too.   

One of the reasons it is an attractive idea to create a standardized program for WV is because it is usually totally preventable.  Many of these people leave an enormous trail of clues that they are considering something drastic – including detailed plans in writing on Facebook.   Another reader pointed out that California does have a workplace violence prevention standard.  I checked and found it here:  http://www.dir.ca.gov/dosh/dosh_publications/worksecurity.html

The Cal/OSHA policy includes this little nugget, “The demographic profile of victims of fatal workplace assaults indicate that the majority are male. However, even though the overall fatal workplace injury rate for women is substantially lower than it is for men, homicides represent the leading cause of death for women in the workplace.”  WOW.

Cal/OSHA also offers a resource guide – The Model Injury and Illness Prevention Program for Workplace Security (a nice term).     Like everything else related to security, the actual workplace violence incident is usually a slow escalation over time.  That’s exactly why it is possible to deter, or prevent it – because there are signs everywhere, and lots of coping strategies you can learn.

I worked on a project in Thailand where a manager from a big box store had been fired and humiliated.  His revenge was to call in bomb threats – FOR A YEAR.  Only when those were totally ignored did he actually bring a bomb into the facility and yes, it went off, and yes, it killed a young security guard.

But, they had ONE YEAR to take him seriously and get help for him.  Many of these incidents also have a long wind up before the actual incident is triggered.

WHY SHOULD WE CARE?  I totally buy the argument that more people are killed from industrial injuries and lightning and car accidents, than in a WV incident, but these things are usually hard to predict or detect in advance.  Think about it – the fall off the ladder, the accidental electrocution, the surprise car crash — all more random and UN-preventable.

Workplace violence IS usually preventable, in all the stages.  From the first stage when the employee starts to feel that they have been unfairly treated, right through to how to handle an insanely angry person who happens to be packing.

That’s why training is so important, because it can prepared employees to deal with an incident, and it may even help them recognize and deal with their own issues.  Here’s another note from Cal/OSHA,The cornerstone of an effective workplace security plan is appropriate training of all employees, supervisors and managers. Employers with employees at risk for workplace violence must educate them about the risk factors associated with the various types of workplace violence and provide appropriate training in crime awareness, assault and rape prevention and defusing hostile situations. Also, employers must instruct their employees about what steps to take during an emergency incident.”

Who wants to write me and help develop a National Standard for Workplace Violence Prevention?   Let me know at caroline.r.hamilton@gmail.com.




top