MHA Consulting Blog
Forming the Business Continuity Management Team


This post has been updated. It was originally published in September 2013.

The size and makeup of an organization’s Business Continuity Management (BCM) team depends on how you plan to roll out the project. It is best to start small and grow the team as the project progresses. The initial team will lay the groundwork for the project by setting up oversight, coordinating training, building disaster plans, and helping to sharpen the focus of what each plan should contain. This core team should consist of the following:

  • Sponsor: The senior management individual with overall responsibility and accountability for the Business Continuity Program.
  • Business Continuity Manager: The individual with direct responsibility for the Business Continuity Program.
  • Assistant Continuity Manager: The backup to the Business Continuity Manager. This could be a titled position or an assigned position.
  • Administrative Assistant: The individual responsible for supporting the BCM team. This is often an administrative assistant working in the Business Continuity office, if it exists, or one of the individuals on the administrative assistant team.

This group will prepare the standards, training, and processes that make the project flow more smoothly. Over time, several key people will need to join the BCM team as their expertise is required. These may include the following people:

  • Building Maintenance or Facilities Manager:  This individual can provide information on what mitigation steps are already in place for the facility, such as fire suppression, electrical service, etc.
  • Facility Safety and Security:  This individual should already have parts of the disaster plan in place in terms of fire, safety, limited building and room access, theft prevention, etc.
  • Human Resources:  HR people have ready access to up-to-date information about the individuals who are important to the plan.
  • Line Management:  These individuals tend to know the most about what is critical for getting work done in their areas of responsibility.
  • Community Relations:  A disaster may affect more than just your operations. This individual will act as a liaison between your organization and your community to coordinate any community assistance that you may need while recovering from a disaster.
  • Public Information Officer:  This is your voice to the outside world. This role is crucial in getting accurate information out to customers and vendors.
  • Sales and Marketing:  This team knows the organization’s customers the best and can provide insight on what level of service is required.
  • Finance and Purchasing:  This team knows your vendors the best and can provide insight on what kind of support the organization can expect while recovering.
  • Legal:  The legal team can provide important insight on the legal ramifications of activities performed in response to an emergency.

In today’s regulated and compliance-focused environment, communication between senior management and the BCM team is essential. Management requires information related to strategic direction, integrating needs between functional teams, risk profiles, priorities, funding, and status.  The Business Continuity Management team will oversee the program and ensure that senior management is provided with timely and accurate information.


Risk Transference – Let Someone Else Handle the Heavy Lifting


Depending on your organization’s resources and size, using risk transference to mitigate your risk may be a good option.

In a recent blog we discussed the acceptance of risk. When accepting risk is not appropriate, the strategies for risk mitigation include: developing and implementing strategies in house; using third parties to develop and implement the solutions, with in-house maintenance; or turning the entire solution over to a third party. For most organizations, some use of risk transference is appropriate.

Risk Transference: Risk transference is handing risk off to a willing third party.

The most frequently used and easiest method of risk transference is insurance. Insurance is the financial transfer of risk. When using insurance for risk mitigation, it is important to remember:

  1. Insurance does not address brand/image impact. While the insurance may pay for financial losses, the loss of customer or public confidence may severely impact the organization. Think about organizations that lose customer data or restaurants where customers get sick.
  2. Insurance has conditions that must be met before the payout occurs. Ensure that you understand any conditions, notifications, documentation, etc.
  3. All situations may not be covered, depending on the cause. There may need to be additional riders on the policy or other mitigation solutions.

Physical security is another risk transference function that can be performed by third party companies. Economies of scale often make external security a better choice than using an internal solution.

Third parties are often used for cost containment or to allow for more focus on core competencies. These same justifications can be used in the risk transference mitigation strategy. Rather than implementing risk mitigation solutions for business functions or processes, organizations may consider using third parties to accept the risk. For example, certain business functions with operational risk – such as customer service, call center, or payroll services – can easily be performed by third parties.

Technical functions such as network and data security monitoring, first level technical support, and server administration and monitoring are also candidates for third party use. As these functions become more impactful to overall risk, and the integration of technology more complex, the use of experts who can focus on those specific items often makes the most technical and financial sense.

The use of Software as a Service (SaaS) is analogous to using third party providers. The technical risk and recovery risk are moved to the SaaS provider along with the business risk it may mitigate.

For all third party vendor engagements, understanding the services, recovery commitment, service level agreements, change procedures, and risk mitigation strategies is critical to ensuring that your risk is mitigated appropriately.

Consider your current service providers and how they might fit into your risk mitigation strategy. They may already offer services that your organization can, or should, move to them, freeing you to focus on the competencies that are strategic and grow the business.

By Richard Long, Senior Advisory Consultant, MHA Consulting

When A Good Recovery Strategy is Better than a Perfect Recovery Strategy


Your recovery strategy does not have to be perfect, but it does need to be good enough. Remember, perfect is the enemy of good.

When I worked in the IT department at a large retail company, we would strive to get the requirements exact and ensure our designs were perfect – no issues or gaps. This often caused some frustration with our business partners. They wanted it done faster, and we wanted it done right the first time to prevent rework. This is when I first heard two things that changed my perception:

  • Perfect is the enemy of good
  • 80% is good enough

When I asked, “Are you sure?”, the response was, “Yes – we are going to want it changed in 3 – 6 months anyway because we will learn something new or need to adjust based on the market.” This response can be especially true for our recovery strategies.

This does not imply that you can just throw together a solution or not perform due diligence. It does imply that you should work to get a strategy and implementation in place that allows for recovery, even if that strategy is not perfect or may not meet all your RTO/RPO requirements.

When we look at strategies for organizations, we look at the current state. If there is something in place that is functional, then we might take more time to craft a more perfect solution. But, as is most often the case, the recovery strategy is not functional and there are significant gaps to be addressed to ensure that, at a minimum, all the critical applications would be recovered.

What is better – an imperfect recovery of all necessary applications within a reasonable timeframe, followed by the remaining environments, or a “perfect” recovery that is within the RTO/RPO of only one or two critical apps, with no certainty that anything else can be recovered at all?

The “good enough” recovery strategy depends on your environment:

  • What is your virtualization position?
  • What are your data privacy requirements?
  • What is your legacy application position?

For example, we have clients with critical applications running on unsupported operating systems, with hardware for which it is almost impossible to get replacement parts. The recovery strategy for these environments might be to virtualize a recovery environment that “sort of” works. It may take manual effort; it might be slow and impact productivity. It is not a perfect solution, but it will work if necessary. What is better – having something that is painful to use, or just hoping an event will never occur? One of my favorite sayings is “Hope is not a strategy.”

If possible, your strategy should include those technologies that will provide your environment flexibility and growth. This allows for adjustment and modifications as environments and business requirements change. Also, along with the strategy, a roadmap to move from current state to good, from good to better, and from better to best will be helpful in communication and planning.

We want to develop the best strategy possible, but sometimes good enough is the best strategy.

by Richard Long, Senior Advisory Consultant, MHA Consulting

Risk Acceptance – Conscious Decision or Ignorance?


Risk Acceptance must be a conscious decision, not a default action due to lack of information or desire to act.

Risk Assessments and Risk Mitigation remain important topics in many association groups and business discussions. We are often asked to assist with formal risk assessments, as well as with individual components of an overall risk assessment. Over the last several months we have discussed different risk topics on our blog (Real Risks to an Organization, Maximize Compliance & Minimize Risk). These topics discuss how to prepare for or mitigate risks. One of the most used risk mitigation strategies is “do nothing – accept the risk.” Even if it is not thought of as one, it is a mitigation strategy and is often the most appropriate.

Several questions regarding Risk Acceptance:

  1. Is insurance in place for those areas which would be impacted and are the risk categories covered?
  2. Is the actual impact understood?
  3. Is the true probability of an occurrence known?
  4. Are the risks which are accepted truly known or understood?

Risk Acceptance – Due to lack of execution

We find that there are many risks that are defaulted to “do nothing” – not because of a conscious decision, but because after a risk has been identified, there is no plan for mitigation, or the execution of the plan is not scheduled. In a majority of the Threat & Risk Assessments we perform, there is at least one risk identified for mitigation that is not scheduled and remains a risk for a year or more. Without a plan or schedule of execution, you have defaulted to the Risk Acceptance strategy.

Risk Acceptance – Due to lack of information

There are two reasons for this situation.

  • The risk or impacts are not communicated to the decision makers.
    • Not communicating the risks may be because the risk is not known, but is often due to an unwillingness to share bad news.
  • The risk or impacts are unknown.
    • If risks are not known, it is typically because a risk assessment was not done, was not sufficient, or the appropriate people were not included in the assessment and/or did not share information.

A quote I like is appropriate here – “Bad news does not get better with time.” An example of the lack of information: an IT Department told their business and management team that a recovery solution was in place and the technology could be recovered. In actuality, they had only done a proof of concept on the technology, and there was only enough capacity to recover 1 or 2 applications.

Risk Acceptance – Conscious Decision

Accepting the risk is an appropriate choice in many cases. Often the impact of an event and/or the likelihood of occurrence do not justify the high cost of mitigation. Acceptance of risk does not mean that organizations are not prepared or that there are no actions to be taken. There may not be any technology or process changes, but insurance needs, changes to corporate or local policies, and changes to recovery plans and communication plans are all considerations that must be addressed.

When addressing risk mitigation, remember Risk Acceptance is an option. “Do Nothing” can be the right solution. Due diligence should occur ensuring that the decision is not based on a lack of information or execution, but rather on a conscious and carefully considered plan.

By Richard Long, Senior Advisory Consultant, MHA Consulting

Do You Know the Current Business Climate?


Understanding how the business climate is changing will allow you to start looking at how you may need to change your recovery and resiliency strategies.

I was recently talking with my father who was in the convenience store and gasoline distribution business his entire career. We were talking about planning and how the business climate changes over time. He mentioned that when pay-at-the-pump devices first came to stations, his company resisted implementing them. Their convenience store model was to get customers to walk into the store to pay so they would purchase additional items. Their money was not made on gas sales, but on the sale of store items (beverages, candy, etc.). My father was an advocate of putting the new pumps in. He saw it as being more important than just having customers walk into the store, but instead making sure that customers were comfortable using the store for both gas purchases and quick stops for other items. If they got in the habit of using a different store to get gas because of pay-at-the-pump, they would likely stop at that store for drinks and other items as well. The result: a lost customer.

Do you know how your business climate may be evolving? Do your current processes or paradigms still meet customer needs and desires? In previous blogs and presentations, we have encouraged those in continuity planning to learn about their business processes. Understanding how the business climate is changing – and how business processes and functions may be changing along with that – will allow you to start looking at how you may need to change your recovery and resiliency strategies.

Consider the items below as you identify how your business may be changing.

Technology/Data

As your technology strategy evolves to meet the needs of the business climate, you need to re-assess the impacts of an event on IT recovery. What is the network impact? Network traffic, availability, and additional devices need to be addressed. Will the need for increased bandwidth impact other areas? What about change in the number of transactions? How might that impact data requirements? Will you need to look at a more resilient architecture rather than a recovery architecture?

How has data changed? What are the HIPAA or PII impacts? How will you ensure that this information is protected during an emergency event or when processing at a recovery location? Will there be changes to your online or social presence; has that changed the recovery/availability requirement?

People

People’s roles and responsibilities may have changed over time. Have these changes created a need for a different maintenance schedule or cycle? How will that impact staffing and shifts? What about potential natural events that may impact personnel availability or access? Will your staffing strategies during events need to change?

Locations

With the change in business processes, does the importance of the physical location change? Are people in the locations at different hours? Will security have to change? While the risks to the locations may remain constant, the impact of any given event may evolve over time.

Documentation

You should also consider how you may need to adjust your recovery plans over time. Will you need to readjust the relocation strategy or workaround procedures to address the changing environment? Will the dependencies between departments impact the continuity strategy? Contact lists and notification processes may have to be modified.

Unsure of where to start? Understanding your current business climate should be an important factor in all your planning efforts. A good place to start your assessment is with a current BIA (Business Impact Analysis). You can use the BIA information to see how changes may impact the entire organization and which business units may need to be addressed.

by Richard Long, Senior Advisory Consultant, MHA Consulting

Are You Improving and Evolving?


Richard Long, Senior Advisory Consultant, MHA Consulting

Our most recent blogs have been on how to improve your organization. But what about self-improvement? People are often the most important resource to an organization, though it is rare that a single individual will make or break the organization or is so important that the organization will fail without them. As an important resource to the organization you work for, what are you doing to improve yourself, whether personally or professionally? In today’s budget conscious environment, often training or personal development dollars are limited, or time is simply not available. As with many things in our lives, individuals should take ownership of this and not rely on others. Even if your organization does not provide development opportunities, this quote from Jeff Bezos, CEO of Amazon, is appropriate – “What’s dangerous is not to evolve.”

How might we go about our own personal evolution? Here are several ideas. None of them are directly related to our work, but by improving other areas of our lives, we will be more effective as employees or resources for the organization.

Goals

Choose one or two goals outside of your work. Make the goals a challenge, but not impossible. Do not make too many goals or you will not meet any of them. I am a member of an organization that provides 10+ goals each year to its members. During the year, any one of these may get priority and see progress, but then another gets priority and the first stops progressing. We don’t have time to put appropriate effort into 10 goals along with all our other responsibilities.

Physical

Our physical health should also be a primary focus. Without good health we cannot work effectively or support our family and friends. It is a critical dependency, using BCP language. Identify a way to improve your eating or exercise habits. Use a calorie counting app to help or just identify what is important for your diet; maybe increase your water intake by decreasing or eliminating soft drinks. Increase your physical activity. Make the time to take a 10 – 15 minute walk each day or use a 7-minute exercise program (there are multiple apps). The 7-minute exercise program is 14 exercises done for 20 seconds each, with 10 seconds rest between. Get your family or friends involved.

Mental/Emotional

Consider meditation or just ponder a specific topic each day – maybe five minutes before going to work or before going to bed. There are multiple free sites on the Internet on meditation or concentration exercises. Taking a few minutes of time alone to just relax, breathe and decompress can reduce stress and lower blood pressure. Talk to a friend or loved one (I mean talk with your voice – face to face or by phone, not through written messages exchanged on social media). Again, these conversations do not have to be long or occur every day.

Intellectual

Learn a new skill or just learn a new word. Remember learning vocabulary in school? Why not try it again? Maybe choose a language from a culture you want to know more about or from the home country of one of your clients. Learn some of the vocabulary using a word of the day approach. Take an online course (I plan on taking an online history class). Often there are free courses – and they are much more productive than spending time on social media reading about kittens, political diatribes, or just insignificant life actions. That being said, there are wonderful topics to discuss over social media and opportunities for learning, so SM can be used as well.

As you improve different aspects of your life, just a little at a time, you will also become a better employee. You may be able to use the new experiences in relation to your job. More importantly, you will become the example Dr. Seuss wrote about – “Will you succeed? Yes, you will indeed! Ninety-eight and three-quarters percent guaranteed.”

Understanding Actual Risks to Your Organization


Richard Long, Senior Advisory Consultant, MHA Consulting

There is an ongoing national conversation around the relationship between law enforcement and various civilian populations. In talking to friends of diverse ethnic backgrounds, it has become clear to me that my perceptions and how I go about my daily activities are different from some of my friends and acquaintances. This blog is not to comment on that, but rather to relate it to our business risk assessment.

There is not a single risk profile. Depending on the type of business, facility location, public perceptions, etc., the same event may be more or less likely to occur or may have a different impact. This may be an obvious statement, but how many of us in the risk or business continuity area evaluate the actual risks to our organization rather than looking at risk in the same old way or with the same bias? The following are items or areas to consider. While not necessarily complete, this list may prompt thoughts specific to your organization.

When I work with clients, I find that they almost always use natural events for disaster scenarios. Interestingly, those are typically the areas for which preparations are more mature and mitigations are in place – at least from a technology or facilities perspective. Data centers are hardened and relocation and evacuation plans are in place. However, the impact to people has often not been evaluated. Will employees’ homes be impacted? What if employees are unavailable? Is remote access sufficient? Remote access may be available, but that may not be the issue. I know of a company that was dealing with flooding in the area. The data center and business location were not impacted, but a significant number of people’s homes were flooded – those people were either not available to work or had to drop off unexpectedly during calls because their sump pumps could not keep up with the flow of water into their homes.

Staffing. What is the nature of your organization’s staffing? Are there multiple areas with only one person responsible for tasks? As an example: an organization has dual coverage for a certain function. This is a specialized function that would require resources from other locations to assist if needed. Each person takes their 6 – 8 weeks of vacation annually, often in a single vacation. So, for up to 16 weeks a year, there is only 1 person available to perform the functions, often for weeks at a time.

Risk Profile. It is not enough to simply know what your unmitigated risks are, or to know when your risk mitigation is not sufficient. A risk that most companies acknowledge, but for which they may or may not be prepared, is the potential for security breaches. Unfortunately, what we hear is true: it is not if, but when a breach will occur. Organizations must have a well thought out, tested, and comprehensive plan. You must recognize the risk of a data breach to your organization. Identify any proprietary, personal, or sensitive data. What would the impact be if any or all of these data stores were compromised?

Organization Profile. Has your organization grown, decreased or changed its product or service suite? How have acquisitions impacted your risk profile?

Physical security. How much of a risk is there? Is the show of security enough – think of a security sign outside a house, but no actual security system? Criminals may not take the chance. What are the security issues? Should you place more emphasis on keeping your employees safe or on the risk of theft (internal or external)? Is your organization in a location that could have collateral damage due to protests (even though your business is exceedingly innocuous)? Has the neighborhood changed over the years? Is there a need for different security from years past?

Insurance. We often hear “insurance will cover any losses.” There are typically specific notification and documentation requirements, along with preventative measures that are part of the insurance policy. Have those clauses been reviewed? Are you in compliance, or are you prepared to comply during an event? Are the notification and documentation requirements included in the appropriate crisis and recovery plans? As part of the risk review and mitigation process, you should review and update your insurance needs as well.

Risk management and mitigation are an important part of our role in continuity planning, but we must understand the actual risks, especially those that will have the largest impact and those with the highest probability of occurring. It is critical to put the appropriate mitigation strategies in place. Possibly the most important aspect of Risk Management is bringing the risk and impacts to light; ignore them at your own peril.

Internet of Things or Pervasive Connectivity


Richard Long, Senior Advisory Consultant, MHA Consulting

The Internet of Things (IoT) gets a lot of attention in blogs and podcasts. Tracking our fitness with an app is convenient; connecting our refrigerators to the Internet so we can access them from our smart phones seems exciting; and “answering” the doorbell while on vacation gives us an increased feeling of security. But how might the increase in devices connected to the Internet or within our networks affect us as planning professionals?

I recently heard an interesting term that gives a better idea of what IoT is: Pervasive Connectivity. We are getting to a stage where “everything” will be connected in some form or fashion. Devices may not be connected to the Internet directly, but over our home or corporate networks instead.

Here are a few items to consider:

  • Security
  • Long-term viability
  • Unintended consequences
  • Interpersonal interactions
  • Supportability
  • Number of applications now critical to an organization
  • Configuration management

Security: While you may not have any IoT devices in your organization, how many employees are using them at home? How secure are the applications on their phones that are connected to your network? Can you segregate access from handheld devices? If you have IoT devices in your organization, how secure is that connectivity? Remember, the least secure portion of your network will be where malicious attacks occur. Would it not be ironic to have your Internet-connected refrigerator be the conduit for losing personally identifiable or proprietary information?

Long-Term Viability: Many pervasively connected devices rely on SaaS/PaaS/IaaS providers. What happens if those providers decide to stop the service? This has just occurred, impacting consumers of the Revolv smart-home hub. Google announced the shutdown of the Revolv service; after May 15 the smart-home hub will no longer work because the service will be shut down. This is a concern for all *aaS offerings, and is something that should be considered.

Unintended Consequences: What are the power/battery needs of the devices? Items that were not a concern previously now must be considered. What are the access requirements – both onsite and remote? Will your organization need the development of new manual processes? How will the functions being supported by the IoT devices be performed if connectivity is lost? Are there legal/regulatory impacts that did not exist before?

Interpersonal interactions: A recent study suggests that people’s feeling of being ignored given the use of handheld devices has decreased. However, the question in my mind is – is that because the use of handheld devices has decreased during interpersonal interactions or are people just becoming conditioned to being ignored? With the increase of pervasive connected devices, will the need, or feeling of need, increase because there is now more information flowing to smart devices (alerts, monitoring, etc.)?

Take time to consider how your organization is being impacted by IoT devices; what you should be prepared to consider as they are introduced to your organization; and how your BCP program may be impacted.

BC Program Capability – Objective or Not?


Richard Long, Senior Advisory Consultant, MHA Consulting

We may not want to admit it, but we are a biased species – whether in the positive or negative. I know some beautiful young people who only see their faults and some mature adults who can’t see their faults at all. We become accustomed to the current state. I live in the Phoenix metro area. What friends and family in other parts of the country think is hot is a nice day to me. Temps in the 100s are normal and expected for us in the summer months – we are used to it. Last week it was hot – and not just hot through my Phoenix filter (it was in the 110s, with a high of 117). But, no matter what I am accustomed to, I recognize that a temperature in the 100s is hot, even though those of us in Phoenix look at the low 100s as a cooling trend in June and July.

When it comes to our business continuity programs, we can often get used to the current state and lose our objectivity. When you look at the current state of your business continuity program, are you, your auditors and your management looking at it objectively or with a filter or bias?

Possibly the best tool to use is a set of objective metrics. Identifying and using the proper metrics will assist in keeping the assessment of the BC program in your organization valid. There are commercial tools for doing this – MHA has one that we think is easy and useful (see www.mha-it.com/bcmmetrics). Even basic self-generated spreadsheets can be helpful. The question is, what are the correct metrics to use? Here are a few we think are important.

  • What percentage of BC and DR plans have been updated in the past year?
  • Do you have a Crisis Management Plan?
  • Do you have an identified Crisis Management Team?
    • Are they trained?
  • When was your last DR exercise?
    • Did it demonstrate actual functional recovery?
    • Were the DR Plans used?
  • When was your last Crisis Management exercise?
    • Did you perform tasks from the plan or just talk about performing tasks?
  • Have you performed a BIA in the past two years?
  • Have you performed a Threat and Risk Assessment in the past two years?
    • What is the state of the findings?
    • If you perform another TRA, will the findings be the same?
  • Do you have a process for updating/reviewing documentation and strategies to ensure they are current?
  • Is there a formal Program Oversight Committee or Program Steering Committee with Management representation?

These metrics can be given values that provide an overall readiness or functional score. With metrics like these, you can generate reports that quickly show the state of the various components of your program.
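As an added illustration of turning the metric questions above into a readiness score (this is example code written for this page, not MHA's BCMMETRICS tool or any scoring scheme the post prescribes), the following Python scores each program component from 0.0 to 1.0, applies assumed weights to produce an overall score, and lists the components that fall below a threshold. The sample program state, the component weights, and the one-year/two-year currency windows are all assumptions chosen here; the windows follow the questions in the list ("past year", "past two years").

```python
"""Readiness scoring for a BC program, built from the metric questions above (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

ONE_YEAR = 365    # "updated/exercised in the past year"
TWO_YEARS = 730   # "BIA / TRA performed in the past two years"


@dataclass
class ProgramState:
    """Answers to the metric questions, captured on `as_of`."""
    as_of: date
    plans_total: int
    plans_updated_last_year: int
    has_crisis_plan: bool
    crisis_team_identified: bool
    crisis_team_trained: bool
    last_dr_exercise: Optional[date]
    dr_functional_recovery: bool     # did the exercise demonstrate actual recovery?
    dr_plans_used: bool              # were the DR plans actually followed?
    last_cm_exercise: Optional[date]
    cm_tasks_performed: bool         # tasks performed, not just talked about
    last_bia: Optional[date]
    last_tra: Optional[date]
    tra_findings_total: int
    tra_findings_closed: int         # state of the findings
    has_maintenance_process: bool
    has_oversight_committee: bool


# Assumed weights; they sum to 1.0 so the overall score stays in 0..1.
WEIGHTS: Dict[str, float] = {
    "plan_currency": 0.15, "crisis_management": 0.15, "dr_exercise": 0.20,
    "cm_exercise": 0.10, "bia": 0.10, "tra": 0.10,
    "maintenance_process": 0.10, "oversight": 0.10,
}


def _recent(as_of: date, when: Optional[date], max_age_days: int) -> bool:
    """True if `when` is set, not in the future, and within the window."""
    return when is not None and 0 <= (as_of - when).days <= max_age_days


def component_scores(s: ProgramState) -> Dict[str, float]:
    """Score each program component 0.0..1.0 from the metric answers."""
    scores: Dict[str, float] = {}
    scores["plan_currency"] = (s.plans_updated_last_year / s.plans_total) if s.plans_total else 0.0
    # Crisis management: plan exists, team named, team trained (one third each)
    scores["crisis_management"] = (s.has_crisis_plan + s.crisis_team_identified + s.crisis_team_trained) / 3
    # A DR exercise older than a year earns nothing; a recent one earns more if it
    # proved functional recovery and used the written plans.
    if _recent(s.as_of, s.last_dr_exercise, ONE_YEAR):
        scores["dr_exercise"] = (1 + s.dr_functional_recovery + s.dr_plans_used) / 3
    else:
        scores["dr_exercise"] = 0.0
    if _recent(s.as_of, s.last_cm_exercise, ONE_YEAR):
        scores["cm_exercise"] = 1.0 if s.cm_tasks_performed else 0.5   # talk-only exercise gets half credit
    else:
        scores["cm_exercise"] = 0.0
    scores["bia"] = 1.0 if _recent(s.as_of, s.last_bia, TWO_YEARS) else 0.0
    # TRA: half credit for a current assessment, the rest scaled by findings actually closed
    if _recent(s.as_of, s.last_tra, TWO_YEARS):
        closed = (s.tra_findings_closed / s.tra_findings_total) if s.tra_findings_total else 1.0
        scores["tra"] = 0.5 + 0.5 * closed
    else:
        scores["tra"] = 0.0
    scores["maintenance_process"] = 1.0 if s.has_maintenance_process else 0.0
    scores["oversight"] = 1.0 if s.has_oversight_committee else 0.0
    return scores


def overall_score(s: ProgramState) -> float:
    """Weighted overall readiness score, rounded to three places."""
    return round(sum(WEIGHTS[k] * v for k, v in component_scores(s).items()), 3)


def needs_attention(s: ProgramState, threshold: float = 0.5) -> List[str]:
    """Components scoring below the threshold, i.e. where the bad news is."""
    return sorted(k for k, v in component_scores(s).items() if v < threshold)


# Constructed sample program state (not a real client's data).
SAMPLE = ProgramState(
    as_of=date(2016, 6, 28), plans_total=20, plans_updated_last_year=12,
    has_crisis_plan=True, crisis_team_identified=True, crisis_team_trained=False,
    last_dr_exercise=date(2015, 11, 10), dr_functional_recovery=True, dr_plans_used=False,
    last_cm_exercise=date(2014, 9, 1), cm_tasks_performed=True,
    last_bia=date(2015, 3, 15), last_tra=date(2015, 3, 15),
    tra_findings_total=8, tra_findings_closed=2,
    has_maintenance_process=False, has_oversight_committee=True,
)

if __name__ == "__main__":
    for name, value in component_scores(SAMPLE).items():
        print(f"{name:20s} {value:.2f}")
    print("overall", overall_score(SAMPLE), "attention:", needs_attention(SAMPLE))
```

The point of the date-window checks is that an exercise or assessment that has aged out contributes nothing, regardless of how well it went at the time; that is what keeps a stale program from scoring as if it were current. Swap in your own weights and thresholds, but keep them written down so the score stays objective from one review to the next.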


Good and objective information will:

  • Help you identify both the areas that are working well and those which need more attention
  • Help management make appropriate risk and funding decisions
  • Assist auditors in their assessment

The reason for business continuity is to reduce risk to the organization. It is wonderful if the program is mature and running optimally. However, if there are issues, it is important to remember that “bad news does not get better with age.” You must have some understanding of what will happen if you actually have to use the plans and strategies during a crisis or emergency event. Metrics allow you to be confident when communicating the state of your program and to make appropriate plans. For more information and examples of metrics and how to use them in your organization, visit mha-it.com/bcmmetrics.


How Secure is your Facility?

Richard Long, Senior Advisory Consultant, MHA Consulting

On a walk with my toddler grandson the other day we waved to everyone (and every animal, including the birds) we came across. Like many young children, he is oblivious to the dangers of taking a walk around the neighborhood. He will take off across the street, run up to any dog or person, run out in the street when he sees a vehicle. I feel bad pulling him back, making sure all is safe as he looks up at me questioning, “Why are you taking this joy away?” As the adult, wanting to keep him safe, it is necessary for me to restrict some of his actions to ensure he stays safe. Now, I do let him fall, play in the dirt, walk through the water and plants. What is life without some dirt and scars? But it is my job to make sure he is not seriously harmed (along with making sure he has ice cream for breakfast).

For most of us, we go about our lives like my grandson, not worrying about our safety (other than the normal precautions we take each day, like looking both ways when crossing the street and making sure we don’t run into the person texting while walking). What a blessing that is. So how does this relate to the title of this blog?

Most of us recognize the various security precautions or technologies present at our place of business, such as badges to gain access to the building, need-based access restrictions to some areas, parking barriers, security guards at entrances, sign-in sheets, etc.

In a recent blog we discussed weapons and facilities. That post includes some items that are pertinent to consider here.

  • What barriers are in place in your facilities that prevent unauthorized access to critical equipment or areas?
  • What measures are in place in your facilities to keep people safe?
  • What are your evacuation procedures for a workplace violence situation? Are they the same as those for a fire? Should they be different? For example, in a workplace violence incident you may want to use both the elevators and the stairs.
  • Do all staff members understand and follow the procedures for visitor access?
  • Have you ever seen someone who does not belong in your building? What did you do?
  • What is your weapons policy? Does that include knives? Should it?
  • Is workplace violence prevention/reaction part of your overall training for all employees?
  • Do you have plans for uncontrolled person(s)?

We recommend that you look at the various measures in place at your facility and determine any weaknesses. For example, you may have access barriers in place or require that a badge be displayed upon entering the building. Can those measures stop anyone who wants to get in? Are they intended to do so?

Do you have any ingresses/egresses that allow entry outside of policy or design? For example, at Company A, there was a gate that did not close without manual effort. This gate was often left open and was accessible from the sidewalk of a main thoroughfare. Anyone could gain access to a courtyard and wait for a door to open to have access to a secure area.

What is your visitor policy and how easy is it to get beyond the main entrance? One of the most important aspects of safety is understanding what is a normal state and what is not. Training staff to be alert to surroundings and what may be out of place will allow individuals to raise potential issues or risks. As someone who visits many client sites and often is allowed to move about with some independence, I am actually comfortable when individuals ask if I need help when they do not recognize me. Far from being offended, it puts me at ease knowing there are some who recognize when there are people or conditions that may not belong.

Reviewing and identifying the policies, procedures and physical/technology items will make your facility more functionally secure without the feel of overbearing security.