Risk and Security LLC

Risk Assessments, Training and More

This content shows Simple View

Workplace Violence Prevention

New App does a Workplace Violence Baseline Assessment

New Workplace Violence Prevention App helps companies do an OSHA Violence Baseline Assessment

DATELINE:    Boca Raton, Florida,  March 12, 2013

Workplace Violence in US companies is a problem that is getting worse.  Workplace violence is a serious recognized occupational hazard, ranking among the top four causes of death in workplaces during the past 15 years. More than 3,000 people died from workplace homicide between 2006 and 2010, according to the Bureau of Labor Statistics (BLS). Additional BLS data indicate that an average of more than 15,000 nonfatal workplace injury cases was reported annually during this time.

The latest figures show that high-risk organizations like hospitals, behavioral health treatment, home health workers and late night retail establishments are at a dramatically increased risk for experiencing a violent incident at work.

OSHA, and over thirty state government regs recommend that companies do an annual Workplace Violence Basement Assessment, but these are time-consuming and difficult to manage.

To solve the problem,  Risk & Security LLC has released a new web-based app, Workplace Violence Risk-Pro©, which makes security directors into Risk Professionals!

OSHA standard 3148 (Guidelines for Preventing Workplace Violence for Health Care &

Social Service Workers)and the new OSHA Inspection Directive, Enforcement Procedures for Investigating or Inspecting Incidents of Workplace Violence, from September, 2011, are both included in the new, easy-to-use application.

The program has been tested on some of the largest organizations in the US, and runs on a laptop, PC or tablet, and even on a smartphone!.  Workplace Violence Risk-Pro©  is built to be affordable and simple to use.

The web 2.0 program, includes newly compiled, updated threat databases, and automated web-surveys  based on the exact OSHA Directives.

The new program gives human services and security professionals a quick and easy way to conduct a workplace violence baseline assessment that will pass an audit!

The Risk-Pro©  model has been used for easy software applications with the Department of Defense and over hundreds of organizations, hospitals, maritime organizatons, and local, state and federal government agencies.

About Risk & Security  LLC

Risk & Security  LLC is a security risk assessment and risk analysis company with over 30 years of combined expertise in security risk.  It specializes in consulting on risk assessment projects and global application development of risk solutions.  Risk & Security partners with security companies around the world to provide state-of-the-art security expertise to analyze risk and recommend cost-effective countermeasures.

The team of risk and security experts is led Caroline Ramsey-Hamilton, who has created more than 40 software programs, and conducted more than 200 specialized security risk assessments in a variety of environments, including companies in the United States and around the world, including in Abu Dhabi, Hong Kong, Japan, South Africa and Qatar.



Why Workplace Violence is Always a Catastrophe

Workplace violence incidents are one of the most damaging events that can happen to any organization.  The good news is that workplace violence is one of the few threats that companies can actually prevent before it happens.

Unlike earthquakes, hurricanes, floods, war, and explosions, workplace violent incidents can be prevented if the organization makes a commitment to educate their employees, and give them the knowledge they need to address a potential problem with a co-worker before it gets to an explosive level, for example, making the active shooter drills part of the security program.

In many ways, workplace violence is worse than other kinds of violent incidents because it always involves a major violation of trust, and it also has a malicious component, where the perpetrator is deliberating focusing on violence against a fellow human that they know personally and may have directly worked with, sometimes for year.

According to OSHA, workplace violence is a serious recognized occupational hazard, ranking among the top four causes of death in workplaces during the past 15 years. More than 3,000 people died from workplace homicide between 2006 and 2010, according to the Bureau of Labor Statistics (BLS). Additional BLS data indicate that an average of more than 15,000 nonfatal workplace injury cases are reported every year.

As well as the violation of trust and the violence itself, the incidents usually terrorize both the victims and other employees, especially those who know violent individual and are left to wonder how they failed to recognize the danger signs.

Some organizations report that employees, even those who weren’t hurt in an incident, exhibit PTSD-type symptoms following an incident.  And the company’s reputation is often damaged, just from the publicity of the event.

One of the main controls that protect against a violent incident, is doing a Workplace Violence Assessment.  This specialized risk assessment involves interviewing employees at all levels of the organization, looking at the OSHA guidelines, such as those detailed in OSHA 3148, (www.osha.gov/Publications//osha3148.pdf).

The assessment also includes making sure that every violent, or threatening incident gets reported in a standardized way, that all the incidents are tracked, and that there is a de-escalation process that can be easily followed to prevent someone from getting to a violent stage.

There are new programs available that automate the Workplace Violence Assessment process and make it into a simple and standardized
project.  To review a standardized, data-based, Violence Assessment Report, go to:   www.riskandsecurityllc.com/.

 

 

 



A Terrible Day in Colorado – Terrorism by Twenty-Something

Just saw that now 71 people were shot at the Aurora, Colorado theatre, and 12 have died, including children.

This is exactly the kind of incident that I used to think would wake everyone up to the dangers of NOT doing annual security reviews, and  NOT allowing everyone on the planet to stock their attic with automatic assault rifles, and instead, we are at an intersection in the national dialogue where talking about assault rifles, OR security controls, is something people would rather ignore.

Whether it’s the hospital security administrator who thinks posting a simple “NO WEAPONS” sign is too much security, to the facilities who deny the security officers any weapons bigger than a purse-size pepper spray, they are actually ENABLING security incidents of this type.

I heard these officials in CNN saying, “It’s not terrorism”!   It certainly IS terrorism.  It’s just domestic terrorism, but it shows you how easy it would be for a terrorist to walk into the US, buy some AK-47s and walk into a regional mall, a batting cage, a mega-church, a hospital, a sports arena, and proceed to kill dozens of innocent people in just a few minutes.

With 71 shot, and 12 dead, it is more deadly than your typical IED in Afghanistan!  It’s more deadly because their is human ‘intelligence’ (and I use the word loosely) behind the attack.  Instead of a simple detenation event, the shooter can choose victims, look them in the eyes and then kill them.

This is an intentional event by someone so lost that he didn’t even put up any resistance to police.  Why should he, he’s already made his statement and now has his 15 minutes of fame.   That is 5.5 people killed or injured for each 1 minute of fame.

If you are reading this today, you should do a quick risk assessment of your organization and make sure your staff are developing situational awareness, watching and evaluating what is going on around them.  It may make the difference between life and death someday.



How long does it take for OSHA to develop standards – like for Workplace Violence?

Why OSHA standards take so long to develop

The Government Accountability office reports to Congress on items of interest to Congress and their constituents.  One area that was recently examined was how long it takes OSHA to update standards, or develop new standards.  Here’s a look at the results:

By:         David LaHoda  April 30th, 2012

A report by the U.S. Government Accountability Office (GAO) on why OSHA standards take, on average, more than seven years to complete found that “increased procedural requirements, shifting priorities, and a rigorous standard of judicial review” contributed to the lengthy time frame.

In responding the GAO report, Randy Rabinowitz, OMB Watch’s director of regulatory policy said: “In the years since its creation, OSHA’s charge to protect workers from harm has been undermined by Kafkaesque demands for additional reviews of existing rules mandated by new statutes and executive orders,” according to The Hill. While OSHA’s internal inability to remain focused on priorities and regulatory follow-through was the counter argument presented by the U.S. Chamber of Commerce.

“While some of the changes, such as improving coordination with other agencies to leverage expertise, are within OSHA’s authority, others call for significant procedural changes that would require amending existing laws,” according tot he GAO report.

The GAO report recommended that that OSHA and NIOSH improve collaboration on researching occupational hazards. In that way OSHA could better “leverage NIOSH expertise in determining the needs for new standards and developing them.”

To access the entire 55-page report, go to: http://www.gao.gov/products/GAO-12-330



April is Workplace Violence Awareness Month

The American Association of Workplace Violence Prevention (www.aawvp.org) has designated April 2012 as official Workplace Violence Awareness Month!

You can celebrate in your office by suggesting ways to reduce workplace violence in your own environment.  At AAWVP, they stress that workplace violence also happens to you, not just at work, but at the late-night grocery store or convenience store, in the hospital where you’re visiting your father, and even in your own home.

As part of the awareness raising event, the Association has invited me to participate in a special webinars about workplace violence at 2:00 pm Eastern Time, on April 18th.

You can join us by registering at http://tinyurl.com/85e33h8



Preview of the Webinar on Workplace Violence Prevention

Companies often don’t think about preventing workplace violence until there is an incident that affects them, or a company similar to them, or geographically close.  As soon as something happens close to home, they want to get serious and do something about it right away.

Workplace violence prevention is actually a process that, like in quantum physics, when we talked about the observed particle, just putting management’s attention on the potential problem will start the prevention process.

A good place to start is with adjusting and updating your policies.  Perhaps your policy is outdated, or hasn’t been publicized in your organization.   Time to dust it off and make sure it includes these critical elements:

1.  It says:  We have a total no-weapons policy in this company.

2.  Employees are REQUIRED to report any potential, or even suspected workplace violence situations or incidents.

3.  There is an approved company form which every employee has electronically, to use
if necessary.

4.   Every employee has to attend a violence prevention training course, or active shooter drill, or both, annually.

The policy is the first step.  Next, the policy has to be approved by the management or by the Board, and then sent to every employee, along with an affirmation agreement that they sign saying they read the policy and understand it.

More tomorrow… or attend our special workplace violence webinar.  You can sign up at:

http://t.co/rKBuoDgt



Man Wants to Commit Suicide at Hospital to Donate his Organs!

Suicidal Man Triggers an Evacuation in Denton, Texas.

The emergency department at Texas Health Presbyterian Hospital was evacuated after an armed man threatened to shoot himself in the hospital’s parking lot, as reported in a newspaper article. The man had sent suicidal messages to his ex-wife. She contacted police, who in turn began tracking the man’s cell phone. He was found in his vehicle, which was parked in front of the hospital’s ED. Police cleared the ED while they negotiated with him for about 45 minutes. The man told police he chose the hospital because he wanted to donate his organs after he killed himsel



Use A Data-Driven Security Program to Transform Organization Security

Data-Driven Security

How to Target, Focus and Prioritize
The Security Program

  by Caroline Ramsey-Hamilton

Management has to have Metrics

Management of a security program is no different than management of cash flow, employee productiveness, profitability, or any other set of metrics that organizations use to measure how well something is being done, and how it could be improved. Historically, however, security has been run by a few unique professionals, perhaps with a military or law enforcement background and the security program has existed in a vacuum, with few ways to measure it’s effectiveness and value to the organization, except to list what hasn’t happened!

Security officers may complain that management is not listening to their complaints, including not making enough money available to implement new technology, or to fix a loophole that has the potential to create havoc in the organization. Many security conferences feature sessions with titles like “How to Sell Security to Management” and try to address this disconnect between senior management and their security programs.

Peter Drucker, the world famous management consultant, said “If you can’t measure it, you can’t manage it.”

Very recent improvements in security technology, camera technology and its integration with computer networks and information security has allowed a massive amount of data to be collected.  Everything from digital images, to incident reporting and tracking, and even internet-based reporting of technical vulnerabilities, allow management metrics to be applied to the management of the security program to target the program to be maximally effective, to focus the available dollars in the areas which would provide the most protection for the least amount of money, and to prioritize the controls that need to be improved or implemented, based on their return on investment.

Security has never been more important to the organization. Many court cases recently have been decided on the basis of whether the organization was using ‘due care’ and utilizing every ‘reasonable’ security precaution. Existence of adequate security has become very important in premises liability cases and will likely become equally important in future litigation.

Risk assessments are the foundation of a data-driven security program. Through the process of risk assessment, managers can measure the effectiveness of the organization’s total security program, including analyzing the value of the organizational assets, the threat level (based on the mission of the organization), the existing vulnerabilities, and the effectiveness of existing controls. Basing the risk assessment on the concept of data-driven security means that real numbers are used in the following areas:

1. Determining the value of the assets of the organization, including the facilities, the personnel, products, production facilities, raw materials, transportation, vehicles, information technology equipment, data and information. In additional to quantifying present day replacement value, the sensitivity of various information assets and a determination of their criticality to the main mission of the organization must be determined.

2. Analyzing the Threat Level affecting the organization, including analyzing of incident report logs which would indicate how many potential intrusions have been attempted, as well as an analysis of physical intrusion indicators, such as missing badges, any security incidents, and any indications of industrial espionage which have been reported, either at the facility under review, or at any of the organization’s other facilities. Industry data on intrusions in similar companies or analogous agencies is also very helpful in determining threat level.

Many companies now use reports which quantify threat data, including statistics on criminal activity by exact location, by zip code (such as the Uniform Crime Index) as well as many information sources of weather data, such as NOAA (U.S. National Oceanographic and Atmospheric Administration, various international associations and government agencies.

3. Identifying vulnerabilities in the organization, including surveying individuals at every level of the organization, from the receptionist to the CEO.  To ascertain the weaknesses in the way the employees comply with security, there are new electronic survey tools,( like Risk Watch®)  which measures security compliance against published standards such as FEMA 426, (How to Protect Buildings Against Terrorist Attacks). control standards.  New regulations, like Joint Commission, Behavioral Health and Workplace Violence (OSHA 3148) require such compliance-based
baseline assessment surveys.

4. Identifying potential categories of loss, which would include components like direct losses (damage/destruction), injury or death to either staff or patients/customers/vendors; theft of property or product,  theft of data/information,  and loss of an organization’s reputation. These loss categories are used to quantify the effect of threats on the organization because you can estimate the loss impact on various functions of the organization.

5. Safeguards (Controls) include all the possible controls that could protect an organization either by reducing the likely of a threat occurring, or reducing the amount of damage that the organization sustains from a threat that materializes. Controls are quantified by:

a. Life Cycle of the Control – How Long They are Good for.

b. Cost to Implement the Control to 100% in the organization

c. Indication of the percentage that the control is already implemented in the organization

By accumulating data in these 5 categories, it becomes possible to run scenarios that pair the threat and vulnerability, match it to organizational assets, analyze the loss potential, and evaluate the cost effectiveness of a variety of different controls.

Advantages of a Data-Driven Security Program

The primary advantage of a data driven security program is that it provides support for the security function within the organization by being able to illustrate directly how security not only protects the organizational assets, but also, how the security profile changes over time.

In addition, it becomes possible to benchmark the various plants and facilities against themselves, and against both domestic and international standards, including military standards for the Defense Industrial Base. For example, if a multinational company with facilities and networks around the world can analyze their security based on the principle of a data-driven security program, then they can instantly identify the areas or facilities that have problems and address them much more quickly and effectively than they could if they were depending on a fuzzy, quantitative assessment method. When an organization makes the decision to adopted a more disciplined approach to analyzing security risk, they must also use all the other typical management functions such as planning, development of a budget and incorporation of the plan into the organization’s overall planning.

After the initial baseline risk assessment, and using the input from the analysis, the organization can began to develop implementation strategies to address the vulnerabilities identified in the assessment. As each vulnerability is addressed, cost-effective mitigation strategies can be put in place.

At the same time,  the security plans and policies can be measured so that policy changes can be made, if necessary, or training and awareness programs can focus in the areas that need reinforcement with the organization.

The Security director, using his already established budget and implementation timelines for each safeguard, can then manage the improvements, using either internal staff or he can make the decision to outsource the additional controls (or their implementation).

These improvements can be tracked themselves, to establish how effective they are in their individual tasks, and also can be periodically re-assessed to see how the organization’s total security profile has improved.

The first benefits from a data driven security program emerge during this implementation phase because not only can you measure how much more effective the new security configurations are, but there is an additional value-added component of
re-acquainting the employees with the security program and increasing awareness across the organization.

To ensure continued value in the program, collection mechanisms such as automated incident response, threat reporting and vulnerability reviews must be automated. There are new security software programs that evaluate and analyze these types of data and can dramatically increase the effectiveness of a data-driven security program.

This type of data-driven security program creates a security program that becomes a baseline for management to quickly assess the security profile of the entire organization.  It makes it easier to provide a safe, and secure workplace for both management and employees, and may decrease the possibility of a workplace violence incident, theft or domestic or international terrorist attack.

This data-based concept of risk management creates a bridge between executive management and the security professionals in the organization who now have an avenue for open communication, discussion and consideration of the role of security throughout the organization.

 

About the Author

Caroline Ramsey-Hamilton is the founder of Risk Watch International, and a leading security risk assessment expert.  She was a Charter member of the National Institute of Standards and Technology’s Risk Management Model Builders Workshop from 1988 to 1995.  From 1996-1998, she served on the working group to create a Defensive Information Warfare Risk Management Model,  (DIWRM2) under the auspices of the Office of the Secretary of Defense.  She was also a member of the National Security Agency’s Risk Rating Workshop and the IBM Data Governance Working Group to create a Data Governance model for the nation’s largest banks.

She has developed specialized risk assessment programs for HIPAA, Information Security, FFIEC, GLBA, Sarbanes Oxley, and corporate security programs including working with The Clearinghouse, large investment banks, the Federal Reserve and a variety of other Federal agencies on Risk Assessment guidelines.   In addition, she is a member of the ASIS Physical Security Council, SARMA( the Security Risk Management Association) based inWashington, D.C.  Ms. Ramsey-Hamilton is certified in Homeland Security and Anti-Terrorism and recently received a lifetime achievement award from the Anti-Terrorism Accreditation Board and the Maritime Security Council.

Hamilton works around the world on critical risk issues including a new set of risk assessment guidelines for the Nuclear Regulatory Commission, a risk model for airport security and a risk model for medication error with Philadelphia Children’s Hospital.

She has completed Risk Assessments for over twenty-five U.S. government agencies including the Department of Defense, the Technical Support Working Group, and the Nuclear Regulatory Commission, and many healthcare organizations including Cleveland Clinic, HCA, Sheikh Khalifa Medical City, the University of Miami Medical Center and many more.  She has written several books and articles over twenty-five different publications.

www.caroline-hamilton.com

caroline.r.hamilton@gmail.com

 

 

TWEET: http://twitter.com/riskalert



Data-Driven Security – Using Metrics to Focus & Target Security Programs

Security programs can be dramatically improved by using a metrics-based assessment to focus them on the areas of greatest threat, and to use metrics as a management tool to keep the security program targeted on the areas that need the most attention.

Using a data-driven approach – that is, using real numbers to measure
and quantify security, always results in tangible improvements.

Management of a security program is no different than management of any other department, whether it’s human resources, cash flow, employee productiveness, profitability, or any other set of metrics that organizations use to measure how well something is being done, and how it could be improved.

Security officers may complain that management is not listening to their complaints, including not making enough money available to implement new technology, or to fix a loophole that has the potential to create havoc in the organization.

Most security conferences feature sessions with titles like “How to Sell Security to Management” and try to address this disconnect between senior management and their security programs. Peter Drucker, the world famous management consultant, said “If you can’t measure it, you can’t manage it.”

Fortunately, recent improvements in security technology and in development of wider reporting of threats and vulnerabilities, allow management metrics to be applied to the management of the security program to target the program to be maximally effective, to focus the available dollars in the areas which would provide the most protection for the least amount of money, and to prioritize the controls that need to be implemented,  based on their return on investment.

Risk assessments are the foundation of a data-driven security program. Through the process of risk assessment, managers can measure the effectiveness of the organization’s total security program, including analyzing the value of the organizational assets, the threat level (based on the mission of the organization), the existing vulnerabilities, and the effectiveness of existing controls.

Basing the risk assessment on the concept of data-driven security means that real numbers are used in the following areas:

1.  Determining the value of the assets of the organization, including the facilities, the personnel, the security systems and the current controls.

2.  Analyzing the Threat Level, based on either internal incident reports, or industry data, including the Uniform Crime reports. 

3. Identifying vulnerabilities in the organization, including surveying individuals at every level of the organization, from the local facility manager to the CEO to find out how they are implementing security in their workplace.

4. Identifying potential categories of loss, which help focus the security program on the problem areas.

5. Analyzing current Controls that are currently in place, or that could be added to protect an organization.

By gathering data in these 5 categories, it becomes possible to run scenarios that pair the threat and vulnerability, match it to organizational assets, analyze the loss potential, and evaluate the cost effectiveness of a variety of different controls and prioritize security controls by “bang for the buck”.

Using data-based security builds a bridge between executive management and the security professionals in the organization who now have an avenue for open communication and consideration of the role of security throughout the organization.

 

 

 



Another Look at OSHA & Workplace Violence

I just finished reading a new book called HALT THE VIOLENCE, written and edited by Patricia Biles and her Alliance Against Workplace Violence group.  Here are some of my thoughts on it, if your organization has been evaluating workplace violence issues:

Here’s my review and why I think you should get it (Amazon) and take a look – it’s a short read — less than 150 pages.

I like the insider perspective on how to prevent violence in the workplace. Patricia Biles was a former OSHA (U.S Occupational Safety and Health Administration) employee and their guru on violence issues.  Her work with industry groups and individuals has given her rare insight on the subject of stopping the epidemic of violence, and she gives practical solutions that employers and individuals can use to halt the violence.

The book covers the escalation of violence in the workplace and how OSHA reacted to the problem, which came to the forefront in 1989.  She identifies the groups most affected by violent events at work, including nurses, healthcare workers, taxi drivers, convenience stores, and late night retail establishments in particular.

As well as covering a complete history of the issue, she also weaves together input from other experts who specialize in aspects of the overall workplace violence problem, including the problem of violence in hospitals,  the increased incidents of bullying in the workplace, the importance of early intervention and practical strategies for diffusing angy, aggressive individuals.

The important of risk management procedures, such as performing regular threat assessments is identified as one of the few ways to identify individuals who may pose a threat, although the authors point out that both the Virginia Tech shooter and Jared Loughner, the diagnosed schizophrenic who shot Gabby Giffords, her staff, and innocent bystanders in Tucson, were both examined, and had psychological profiles which stated they were ‘unlikely’ to be a threat to others.

Specific violence-prone workplaces are also identified and specific recommendations given for hospitals, home health and social workers, and educational institutions such as schools, colleges and universities.

In some ways, this is an insider’s book because it gives you the behind-the-headlines details, not only of major workplace violence incidents, but also a look at what it takes to create new laws and encourage congress and federal agencies to recognize the problem and take concrete steps to ‘halt the violence’!

All in all, this is a very insightful and practical look at a problem that affects every workplace and every person who goes to work and counts on returning home in the same condition.  Employers will want to implement the suggestions in the book on how to reduce violence in individual organizations, and it also offers a valuable perspective on how to comply with new OSHA standards and they continue to evolve their approach to this critical issue.

 




top