7 things you don’t know about scenario-based assessments

Flood. Fire. A disgruntled former employee walking in the door with a gun.

All of the above incidents are foreseeable for a business. They may not be likely, but each scenario could happen, causing major harm.

But do you know how likely each one of these situations is at your own organization? Do you know what the impact of each would be? Do you know how your organization would respond to each scenario? If not, it’s time for your organization to start conducting scenario-based assessments.

How can you prepare for an active shooter? 5 best practices

What is a scenario-based risk assessment?

A scenario-based assessment is a risk assessment that’s directed toward a specific threat, concern, or hazard. Rather than using one general checklist to assess the vulnerability of an entire site, a scenario-based assessment evaluates the risk of one specific scenario happening at each site.

Why focus on assessing the risk of specific scenarios?

Every risk is different, as is every site. Certain controls are more effective when it comes to mitigating one risk while they do nothing to mitigate another. An employee who is considering stealing from the cash register might be deterred from theft by a camera, for example. However, that camera is useless in a weather event, like a tornado.

By calculating the risk of all foreseeable scenarios, you can decide which countermeasures need to be invested in and which protocols need to be strengthened.

How do you determine a site’s risk of a scenario?

To calculate risk, you must assess both the probability of an event happening, and the severity of its impact, should it occur. Some events (like a tornado) might be unlikely, but if they actually happen and you’re unprepared, those events could be catastrophic. Other events (like petty theft) might be very likely, but not have much impact.

By determining the risk and impact of each possible scenario, you can begin to prepare for the most likely events with the greatest impact.

Take an active shooter situation, for example. An active shooter may never target your company, but if one does, the impact will be extreme — people may be injured or lose their lives, your brand and reputation can be affected, you can suffer significant workforce loss due to fear, you can have a period of loss of production, and many other impacts. Because the severity is so high, it makes sense for every organization to assess the risk of an active shooter, and to create a response plan.

Your employees won’t stop an assault at work: Why not?

7 best practices for scenario-based assessments

1. If you can foresee it, you should have a plan for it. When planning for scenario-based assessments, there is one important thing to remember: scenario-based assessments aren’t something you do just once. You should constantly be assessing the risk of various scenarios, because new risks appear often and old risks evolve. Basically, if you can foresee it happening, it should be assessed.

2. Know which scenarios are most important. Make a list of all your scenarios and assign them each a probability and severity score of some kind. Then you’ll have a ranking. Start by assessing the scenarios with the highest probability and highest severity, and work your way down.

3. Perform your assessments. Know what countermeasures each calls for to reduce the probability. And then find the best way to respond, adapt, and recover from each scenario to reduce the severity.

4. Understand your gaps. What countermeasures do you have in place right now? What do you need to implement, and how much will that cost? Prioritize your deficiencies and your remediations. Then create a schedule that tells you when to implement additional countermeasures.

5. Have an assessment schedule. Don’t try to do every assessment at once. Instead create a full year schedule of assessments, starting with the most risky scenarios and cycling through every foreseeable risk.

6. Monitor continuously. Risk is dynamic and changes everyday. When a new threat becomes more probable, immediately assess and evaluate for that specific scenario.

7. Respond to actual threats. Your organization may have a plan for active shooters, but what happens when someone actually threatens an attack? Make sure you respond and reassess when there’s a plausible incident.

Emergency planning: 10 organizations to build relationships before a crisis

Still have questions about scenario-based assessments?

Assessing individual scenarios may seem like a lot of work, but it’s important work, especially if you want to change the culture of risk at your organization. Often companies don’t believe those incidents will ever happen, so they ignore them. That type of risk culture is both impractical and dangerous; organizations have to start believing incidents will happen. Once they believe risks will happen, businesses can take the first step toward both preventing and responding to those incidents.

Still wondering about scenario-based assessment? Contact us to talk to an expert about your risk today.

About the Author

Daniel Young

Founder & Chief Innovation Officer

Daniel has been a security and risk advisor for more than 10 years, and is passionate about helping companies to better understand their risks to undesirable events on a daily basis. Dan previously served as the Regional Bioterrorism Coordinator for District 1 in Michigan, where he was instrumental in preparing communities for catastrophic incidents. He has also acted as the Private Security Liaison for the City of Lansing’s Critical Infrastructure Team, which identified and documented deficiencies in the city’s critical infrastructure.

He is a Co-Founder of the CSO Risk Council, a think tank of seasoned security professionals and thought leaders with extensive experience in managing the physical security and risks of large enterprises consisting of multiple sites and whose mission is to create a better process to develop and share innovative solutions and pertinent information with organizations to improve safety and security risk by providing a forum to discuss best practices and recommendations for specific risk scenarios and to network with other enterprise security professionals.