Facility Criticality and Mitigations Option Tool

Return to Program Best Practices
Created by the Security Executive Council

Publicly held companies are required by the Securities and Exchange Commission to file an annual 10-K report complete with an examination of risk factors. While it would seem that the security organization ought to play a role in developing the enterprise risk assessment (ERA) to meet this requirement, companies' boards often hire outside consultants or task Audit or Finance with this responsibility. Security leaders do not always have a voice in the process.

Because of this, the CSO's classification of security risk areas, such as facilities (see table below), by criticality and risk mitigation options may not correspond with classifications identified in the ERA. A more holistic view of risk would better serve the organization.

The Criticality/Mitigation Options tool was developed to help security leaders bridge this gap by providing them with an organized, visual format for communicating the security organization's perception of risk levels and mitigation options.

This outcome of this process can be presented to the board or the ERA team as the starting point of a conversation about how to align facility classification criteria so that it considers not only financial or legal risk but also business continuity and crisis management concerns.

Using facilities as an example, the sample below provides potential options for security risk mitigation related to criticality level. The options should be adjusted to your organization based on industry, facility type, location, corporate culture, etc. While the example below discusses facility security, the same process of classification of criticality and identifying mitigation options should be applied to other risk areas such as employees, travelers, and expats.

Facility Security Options Comments
Level 5 Criticality
Targeted or Collateral Risk Sites
Review & ensure all actions at lower levels are occurring
Announce severe threat condition and explain expected actions
Deploy security personnel, emergency response teams, or assigned personnel according to plan
Prepare or begin total site shut down
Restrict or close all building access. Restrict access/parking to critical areas
Close or restrict entry to site to designated persons and emergency responders
Reduce site workforce to required critical people only.
Keep on-site sheltered personnel up to date on local/national events
Begin periodic briefings to law enforcement and Sr. Management
Inspect /search all incoming boxes, packages.
Restrict or suspend deliveries, mail, and shipments except emergency supplies if necessary
Level 4 Criticality
Mission Critical Sites
Review & ensure all actions at lower levels are occurring
Notify all staff of threat level and brief them on assignment & expected actions
Ensure access control audit trails in place & functional
Prepare to search incoming individuals & vehicles
Restrict on site parking, deliveries, & inbound shipments
Place critical staff and emergency responders on notice to be available & appoint a "Security Team"
Compile & review daily reports on all unusual activities & occurrences
Review emergency operations center & establish communication with emergency management officials
Monitor world & local events closely including a daily review of the Corporate Security Website & links to key sites
Enact random time security guard shift changes
Ensure the facility manager and other members of leadership can be contacted 24 hours a day
Increase physical security and protection measures
If possible, have law enforcement vehicles park around the sight or facility
Provide all contractors, vendors and temps with identification & require they wear on company property
Employees must wear identification while on company property
Level 3 Criticality
Key Facility Sites
Notify all staff of threat level and brief them on assignment & expected actions
Review & ensure all actions at lower levels are occurring
Test gates, security doors/locks, cameras, monitors, recording, & communication equipment
Establish or verify law enforcement communications
Review specific site or business unit security requirements
Monitor government information & notification sources
Review and communicate reminder on bomb threats, unauthorized people, reporting & lockdown procedures
Full time security person for site or business
Level 2 Criticality
Enhanced Security Sites
Review & ensure all actions at lower levels are occurring
Maintain security levels and periodic validate the effectiveness of key measures via testing or drills
Identify and maintain restricted access areas
Utilize enhanced access controls such as security officers, electronic access, etc.
Maintain fenced areas to reduce liability or hazard risks
Review & update as necessary operational plans & procedures
Review security, threat, emergency, & recovery plans
Review supplies and necessity inventories
Develop or strengthen liaison program with security & law enforcement personnel from surrounding sites & communities
Baseline Level Criticality
Baseline Security for all Sites
All sites operate at this level of security or are making progress towards it
Appoint a facility security coordinator
Site management & security coordinator are briefed & accept responsible for site security
Complete risk assessment of site security risks
Develop a site security plan, obtain site management concurrence & submit annual letter to Head of Corp. Security
Educate employees on security risks and responsibilities
Post security signs & warnings
Issue identification & control access to the site
Meet lighting minimums
Establish program for Protecting Business Information
Report and investigate security incidents
Complete, maintain & test emergency response plan
Budget for added security measures

Return to Program Best Practices