APPENDIX I: Qualitative Approach

Each step of the following seven-step practice advisory includes examples and other relevant information to guide the practitioner in developing a better understanding of the underlying principles to be applied in the assessment.

PRACTICE ADVISORY #1
Understand the organization and identify the people and assets at risk.

COMMENTARY - “Understand the organization”

The first task of the security practitioner is to develop an understanding of the organization to be assessed. This does not mean that the practitioner must become an expert in the operation of the enterprise to be evaluated, but the practitioner must acquire enough of an understanding of how the organization operates to appreciate its complexities and nuances. Consideration should be given to factors such as hours of operation; types of clients served; nature of the business activity; types of services provided or products produced, manufactured, stored, or otherwise supplied; the competitive nature of the industry; the sensitivity of information; the corporate culture; the perception of risk tolerance; and so on.

The types of information that the practitioner should ascertain include:

• The hours of operation for each department
• Staffing levels during each shift
• Types of services provided and/or goods produced, stored, manufactured, etc.
• Type of clientele served (e.g., wealthy, children, foreigners, etc.)
• The competitive nature of the enterprise
• Any special issues raised by the manufacturing process (e.g., environmental waste, disposal of defective goods, etc.)
• Type of labor (e.g., labor union, unskilled, use of temporary workers, use of immigrants, etc.)

COMMENTARY - “Identify the people and assets at risk”

The second step in the process is to identify the assets of the organization that are at risk from a variety of hazards.
People

People include employees, customers, visitors, vendors, patients, guests, passengers, tenants, contract employees, and any other persons who are lawfully present on the property being assessed. In very limited circumstances, people who are considered trespassers also may be at risk from open and obvious hazards on a property or where an attractive nuisance exists (e.g., an abandoned warehouse, a vacant building, or a “cut through” or path routinely used by people to pass across the property as a short cut). In most states, trespassers need only be warned of a known dangerous or hazardous condition by the posting of signs.

Property

Property includes real estate, land and buildings, and facilities; tangible property such as cash, precious metals, and stones; dangerous instruments (e.g., explosive materials, weapons, etc.); high-theft items (e.g., drugs, securities, cash, etc.); as well as almost anything that can be stolen, damaged, or otherwise adversely affected by a risk event. Property also includes the “goodwill” or reputation of an enterprise that could be harmed by a loss risk event. For example, the ability of an enterprise to attract customers could be adversely affected by a reputation for being unsafe or crime ridden.

The third subset of property is information. Information includes proprietary data, such as trade secrets, marketing plans, business expansion plans, plant closings, confidential personal information about employees, customer lists, and other data that, if stolen, altered, or destroyed, could cause harm to the organization.

PRACTICE ADVISORY #2
Specify loss risk events/vulnerabilities.
COMMENTARY

The second major step in the security risk assessment methodology is to identify the types of events or incidents that could occur at a site, based on the history of previous events/incidents at that site; events at similarly situated sites; the occurrence of events (e.g., crimes) that may be common to that type of business; natural disasters peculiar to a certain geographical location; or other circumstances, recent developments, or trends.

Loss risk events can fall into three distinct categories: crimes; non-criminal events such as human-made or natural disasters; and consequential events caused by an enterprise’s relationship with another organization, when the latter organization’s poor or negative reputation adversely affects the enterprise.

SOURCES OF DATA AND INFORMATION

Crime-Related Events

There are numerous sources of information/data about crime-related events that may impact an enterprise. The security practitioner may consider any of the following sources to aid in determining the risk at a given location.

• Local police crime statistics and calls for service at the site and the immediate vicinity for a three-to-five-year period
• Uniform Crime Reports published by the U.S. Department of Justice for the municipality
• The enterprise’s internal records of prior reported criminal activity
• Demographic/social condition data providing information about economic conditions, population densities, transience of the population, unemployment rates, etc.
• Prior criminal and civil complaints brought against the enterprise
• Intelligence from local, state, or federal law enforcement agencies regarding threats or conditions that may affect the enterprise
• Professional groups and associations that share data and other information about industry-specific problems or trends in criminal activity
• Other environmental factors such as climate, site accessibility, and the presence of “crime magnets”

Non-Criminal Events

The practitioner should consider two subcategories of non-crime-related events: natural and “human-made” disasters. Natural disasters are such events as hurricanes, tornadoes, major storms, earthquakes, tidal waves, lightning strikes, and fires caused by natural disasters. “Human-made” disasters or events could include labor strikes, airplane crashes, vessel collisions, nuclear power plant leaks, terrorist acts (which also may be criminal-related events), electrical power failures, and depletion of essential resources.

Consequential Events

A “consequential” event is one where, through a relationship between events or between an enterprise and another organization, the enterprise suffers some type of loss as a consequence of that event or affiliation, or where the event or the activities of one organization damage the reputation of the other. For example, if one organization engages in illegal activity or produces a harmful product, the so-called innocent enterprise may find its reputation tainted by virtue of the affiliation alone, without any separate wrongdoing on the part of the latter organization.

PRACTICE ADVISORY #3
Establish the probability of loss risk and frequency of events.
COMMENTARY - Probability of Loss Risk

Probability of loss is not based upon mathematical certainty; it is a consideration of the likelihood that a loss risk event may occur in the future, based upon historical data at the site, the history of like events at similar enterprises, the nature of the neighborhood, the immediate vicinity, the overall geographical location, political and social conditions, and changes in the economy, as well as other factors that may affect probability.

For example, an enterprise located in a flood zone or coastal area may have a higher probability of flooding and hurricanes than an enterprise located inland and away from water. Even if a flood or hurricane has not occurred previously, the risks are higher when the location lends itself to the potential for this type of loss risk event. In another example, a business that has a history of criminal activity both at and around its property will likely have a greater probability of future crime if no steps are taken to improve security measures and all other factors remain relatively constant (e.g., economic, social, and political issues).

The degree of probability will affect the decision-making process in determining the appropriate solution to be applied to the potential exposure.

COMMENTARY - Frequency of Events

When looked at from the “event” perspective, the practitioner may want to query how often an exposure exists per event type. For example, if the event is robbery of customers in the parking lot, then the relevant inquiry may be how often customers are in the lot and for how long when walking to and from their vehicles. If the event is the rape of a resident in an apartment building, then the inquiry may focus on how often the vulnerable population is at risk. If the event were a natural disaster such as a hurricane, the practitioner certainly would want to know when hurricane season takes place.

PRACTICE ADVISORY #4
Determine the impact of the event.
COMMENTARY

The security practitioner should consider all the potential costs, direct and indirect, financial, psychological, and other hidden or less obvious ways in which a loss risk event impacts an enterprise. Even if the probability of loss is low, when the impact costs are high, security solutions still are necessary to manage the risk.

Direct costs may include:

• Financial losses associated with the event, such as the value of goods lost or stolen
• Increased insurance premiums for several years after a major loss
• Deductible expenses on insurance coverage
• Lost business in the immediate aftermath of a risk event (e.g., stolen goods cannot be sold to consumers)
• Labor expenses incurred as a result of the event (e.g., an increase in security coverage after the event)
• Management time spent dealing with the disaster/event (e.g., dealing with the media)
• Punitive damages awards not covered by ordinary insurance

Indirect costs may include:

• Negative media coverage
• Long-term negative consumer perception (e.g., that a certain business location is unsafe)
• Additional public relations costs to overcome poor image problems
• Lack of insurance coverage due to a higher risk category
• Higher wages needed to attract future employees because of negative perceptions about the enterprise
• Shareholder derivative suits for mismanagement
• Poor employee morale, leading to work stoppages, higher turnover, etc.

PRACTICE ADVISORY #5
Develop options to mitigate risks.

COMMENTARY

The security practitioner will have a range of options available, at least in theory, to address the types of loss risk events faced by an enterprise. “In theory” alludes to the fact that some options may not be available, either because they are not feasible (discussed in Practice Advisory #6) or because they are too costly, financially or otherwise. Options include security measures available to reduce the risk of the event.
Equipment or hardware, policies and procedures, management practices, and staffing are the general categories of security-related options. However, there are other options, including transferring the financial risk of loss through insurance coverage or contract terms (e.g., indemnification clauses in security services contracts), or simply accepting the risk as a cost of doing business. Any strategy or option chosen still must be evaluated in terms of availability, affordability, and feasibility of application to the enterprise’s operation.

PRACTICE ADVISORY #6
Study the feasibility of implementation of options.

COMMENTARY

The practical considerations of each option or strategy should be taken into account at this stage of the security risk assessment. While financial cost is often a factor, one of the more common considerations is whether the strategy will interfere substantially with the operation of the enterprise. For example, retail stores suffer varying degrees of loss from the shoplifting of goods. One possible “strategy” could be to close the store and keep out the shoplifters. In this simple example, such a solution is not feasible because the store also would be keeping out legitimate customers and would go out of business. In a less obvious example, an enterprise that is open to the public tightens its access control policies and procedures so severely that a negative environment is created, effectively discouraging potential customers from coming to that facility, and hence it loses business.

The challenge for the security practitioner is to find the balance between a sound security strategy and consideration of the operational needs of the enterprise, as well as the psychological impact on the people affected by the security program.

PRACTICE ADVISORY #7
Perform a cost/benefit analysis.

COMMENTARY

The final step in conducting a security risk analysis is consideration of the cost versus the benefit of a given security strategy.
The security practitioner should determine the actual costs of implementing a program and weigh those costs against the impact of the loss, financially or otherwise. For example, it would make no sense to spend $100,000 on security equipment to prevent the theft of a $1,000 item, especially when it may make more sense to purchase insurance or move the item to a more secure location.