Truth – Challenge: Risk assessment and most commonly identified problems in companies

Risk assessment in the protection of persons, property, and business is the first and essential building step in a security system within organizations.  Although each risk assessment project is unique and has its own context relative to the company, there are still risks common to most organizations regardless of business operations. Some problems repeatedly arise from assessment to assessment.

REMINDER!

The assessment is carried out according to the requirements and in the manner stipulated by the applicable Serbian standard SRPS A.L2.003 (Company Safety and Resilience – Risk Assessment) and processes the following risk categories:

• General business operation risks;
• Occupational safety and health risks;
• Legal risks;
• Risks of unlawful action/crimes;
• Fire risks;
• Natural disasters and other emergencies risks;
• Explosion risks;
• Non-compliance risks;
• Environmental risks;
• HR management risks;
• IKT risks.

The Risk Assessment Act in Protection of Persons, Property, and Business is a strategic document that provides a comprehensive corporate infrastructure analysis where a security strategy is built. The Act implements a Security Plan that requires the recruitment of all necessary organizational and external resources.

The law mandates companies to implement a risk assessment to develop and implement the Security Plan and Technical protection plan; design, performance, supervision, servicing, and maintenance of technical protection equipment.

In this regard, there is a list of the most common problems that organizations literally struggle with without even realizing it. Here are the most common risks in your business:

LIST OF MOST COMMONLY IDENTIFIED RISKS

1. There is no security support in the company organized by Management initiated by a Risk Assessment process that identifies all risks. Consequently, there is no determined security program or organization-level security team lineup to respond to the actual problem. Still, if implemented, some measures are automatically applied without considering specifics that are different in each organization. Top Management does not know nor respect security procedures, giving a bad example to other employees.
2. CCTV is installed individually, without professional tech support. There is no Risk Assessment Act nor agreement with licensed contractors.
3. Employees are not adequately trained on security risks and are unaware of the company’s safety policies and procedures because companies typically do not have them. Employees are not sufficiently trained to deal with various challenging events in the workplace.
4. Fire protection and first aid training exist only on paper, without simulation training, and employees do not know how to use the appliance and extinguish the fire when a fire occurs. Ignorance of incident procedures leads to general panic, damage, and destruction of corporate property, endangering the lives of employees and third parties.

5. Company’s „security procedures,“ if they are defined and if implemented, very often delegate tasks to employees that are in the description and scope of physical security duty, accustoming them to the wrong protection strategy, disrupting their primary responsibilities, and very often leading to legal violations in related areas.
6. Offices with confidential corporate resources often remain unlocked, and assets remain unprotected.
7. In this regard, the main danger is a confidential information leak, resulting in a decline in market ratings and loss of competitive advantage.
8. There are poor access control procedures: visitors/ clients are not obliged to show their identification documents for authentication, but only to the security guard or police officer on request if there is a defined reason – routine control, violation, or criminal offense – employees are not entitled to access to third party ID unless required by the nature of the company’s operations.
9. Regular use of side/fire evacuation paths instead of the main entrance.
10. Improper implementation of perimeter control and persons within perimeter limits.
11. Many employees do not carry their identification tags or wear them in the wrong place where they are not visible.
12. There are gaps in implementing the history of security incidents.
13. There is mismanagement of keys given to employees for business purposes. There is no record of who and when received the keys, no procedures for dealing with lost or missing keys, and no procedure for keys and equipment return when the employee leaves the company.
14. There is no record of theft, damage, or destruction of property or other relevant company resources, nor data on other security incidents. Many cases have not been reported, and there is no systematic control of company resources. Quarterly or annual reports are not maintained.
15. Generally, there are no at all, or there are inferior procedures for managing classified information: sensitive documents are not qualified as sensitive – and business secrets are not arranged by the Law on Business Secrets; data is usually in unsafe areas, and personal file cabinets have inadequate locks. Old, classified documents are placed in regular trash cans instead of shredders.
16. There is no or is inadequate protection against industrial espionage.
17. There is a confidential and classified information leak.
18. Entrance doors are not adequately secured, do not close properly, or remain unlocked. There is no form of protection – alarm, CCTV, access control, etc.
19. If there is access control (codes, cards) there are no adequate procedures and education for employees, and the risk is relatively high if there is no protection.
20. Perimeter control is usually insufficient, with an inadequate fence that is generally not high enough, breached, and damaged. Lighting exists only in some parts of the perimeter. Engagement of a guard who does not have proper training and a license to work in physical and technical security. Insufficient lighting in the company parking lot and along external roads to the building.
21. There is insufficient control of the loading area and docks. For example, doors remain open unsupervised, valuable goods remain unprotected at the dock or warehouse, and truck drivers are allowed to roam anywhere in the building without supervision or control.
22. Employees who manage and monitor the company’s electronic security systems don’t know how to use them. Only a tiny fraction of the capabilities of these systems have been utilized. You need professionals!
23. Electronic security systems are not maintained by the law but are set up once and so on until an incident occurs.
24. There is no established IKT infrastructure; in the worst case, organizations are not even aware of what that is and how important it is for business operations.

You cannot conduct a Risk Assessment on your own! Per Law on private security, Risk Assessment is carried out by a licensed and qualified professional.

Also, the Law foresaw a fine for legal entities ranging from RSD 500,000 to RSD 2,000,000 for performing private security activities without a license.