Strong security is essential for businesses of all sizes. And while digital security is increasingly important—and for a good reason—businesses shouldn’t neglect their physical security plans. 

A physical security risk assessment is one of the best tools any business can use to improve its security practices. So whether you’re developing a new business security plan or updating an existing one, the first step is to conduct one of these assessments. 

What is a Physical Security Risk Assessment? 

A physical security risk assessment is a top-to-bottom analysis of your organization, facilities, and physical security practices. Some security professionals have the expertise to carry out these assessments in-house. However, many organizations hire contractors or an entire security firm to conduct an assessment. 

A good assessment will examine your day-to-day operations and high-level strategic security plan. A physical security risk assessment aims to help you better understand how each security process benefits your organization and how each fits into your wider security plan.

Who Needs Physical Security Risk Assessments?   

If your organization has any type of facility, personnel, or physical assets, you will benefit from conducting one. That may not seem relevant in an increasingly digital workplace, but the future of business isn’t purely digital. 

Physical and digital business practices are converging. The uptick in hybrid working is just one recent example of this trend. Hybrid working seamlessly blends remote and on-premise working thanks to a combination of physical and digital tools and practices. 

The benefits of these arrangements are clear, and lingering resistance to hybridizing—or converging—other parts of the business will soon fade away. Companies looking to stay competitive will need to converge their own security practices. That means ensuring physical security gets appropriate attention. 

Risk assessments are mandatory in some regulated industries  

Some compliance standards enforce physical security risk assessments. If your organization has to work under any of the following standards, and you don’t already have a risk assessment process, then you need to develop one. 

  1. International Organization for Standardization (ISO) 27001: a comprehensive set of guidelines for information security management. ISO 27001 includes provisions for both digital and physical security assessments.
  2. The Health Insurance Portability and Accountability Act (HIPAA): a US body of law mandating the secure handling of patient records. Under HIPAA, you can't plead ignorance and claim you didn't know about security vulnerabilities. Instead, organizations are expected to know when patient data is exposed and at risk, and to document how they secure patient data with both physical and digital safeguards.
  3. Payment Card Industry Data Security Standard (PCI-DSS): an information and physical security standard for businesses processing credit card payments. This is perhaps the most widely enforced standard of the three listed here.

Simple 5-Step Physical Security Risk Assessment 

While a comprehensive physical security risk assessment is best carried out by a professional, there is plenty of value in conducting one yourself in-house. Follow this five-step process to evaluate your organization’s physical security readiness. 

1. Audit your physical site or facility

Your first step is to audit the physical environment in and around your facility. Note specific strengths and vulnerabilities, for example, good sight lines to all entry and exit points or poor lighting in your parking lot. Next, consider how functional and up-to-date the different features within your facility are. Out-of-date infrastructure can itself be a security risk; faulty wiring, for example, is a fire hazard.

2. Audit your operating procedures  

Next, review the security and operating procedures your personnel follow in their day-to-day routines. For example, are critical assets left unattended during key operations? What asset protection do you have? Are security guards covering all critical areas during patrols? 

Consider procedures during all times of the day. You may maintain high security during operating hours, but what about overnight? Do you lock your facility after operating hours? Do essential personnel have a secure way to access your facility in an emergency? Are these procedures documented so that everyone knows what access is and isn't permitted?

Ensure your procedures cover temporary or contract employees too—for example, overnight cleaning staff. If you need cleaning staff to enter high-risk areas, make sure you have clear procedures to ensure their safety and protect your organization’s property. 

Lastly, review your emergency plans. It is essential to secure your facility for day-to-day operations, but don’t neglect planning for low-probability, high-risk “black swan” events like a four-alarm fire, terrorist attack, or natural disaster. 

3. Audit your physical security systems   

The final review to conduct is of your physical security systems, including surveillance cameras, access control systems, key management systems, and asset lockers. They should be able to automatically monitor every point where someone accesses your facility or your property. Do these systems have any blind spots? Are there any windows of time where assets are left unmonitored? Do you rely on manual or electronic key control? 

4. Identify your risk factors 

Every business faces different risks and levels of severity. Many factors contribute to your unique risk profile, and the first step in assessing your organization’s security is to understand all of those factors. 

Crime is one obvious risk to which every business is exposed to some degree. But there are many other factors you need to consider.

  1. Location: urban vs. rural, northern vs. southern, coastal vs. inland. Location significantly affects the type of risks you might face, such as crime or natural disasters.
  2. Facility size 
  3. Workforce size 
  4. Staffing level—Are you fully staffed or chronically understaffed? If many locations within your buildings are lightly staffed or vacant, your risk levels can significantly increase.
  5. Number and location of entry points 
  6. Surveillance levels 
  7. Other security system presence 

5. Assess your specific threats 

Identifying risk factors simply sets the background. Next, you need to identify the specific physical security threats you face. Also, identify how likely each is to occur. 

For example, you might suffer petty theft three times a year, but each incident will have a relatively low impact on your business. At the other end are low-probability, high-impact events, like a chemical fire that devastates your entire facility.

Assess the threat to each physical asset within your organization, from the building down to office equipment. Next, identify the costs you would incur if that asset were lost completely. You'll want to consider the following:

  1. Material cost: the replacement cost of the asset itself.
  2. Operational cost: the lost revenue and the cost in staff hours spent working without the asset.
  3. Indirect costs: the potential damage to people, property, or reputations if the lost asset is misused.


Example: Securing Handheld Radios  

Conducting a physical security risk assessment for an entire organization is well worth the effort, but it does take time. So let’s walk through one small example where we assess whether a particular asset locker solution is cost-effective for a customer looking to secure radios. 

The risk 

Radios are portable and targets of thieves, both external and internal, as they have resale value. If you don’t have an asset locker system for securing them when idle, they can be very easy to steal.

Material cost 

This is the easiest factor to consider since it’s already quantified. But, unfortunately, it’s also usually the least important. Many radio models are available today, from $50 off-the-shelf consumer models to hardened APCO-25 police radios costing thousands. So the impact of this asset loss can range anywhere from inconvenient to mission-critical. 

For keys, rekeying costs can range from pennies up to hundreds of dollars for high-security master keys. 

At the upper end of that range, an organization with only a handful of P25 radios could justify the purchase of an electronic asset locker system on the replacement cost of the radios alone. But for many organizations using more standard commercial radios, this isn’t the case. 

Operational cost  

The more integral an asset is to your operations, the more keenly you will feel its loss. And often, the labor cost in staff hours spent managing its loss (searching for it, reordering, reconfiguring, and so on) will be greater than the direct replacement cost.

Let’s consider an example. A hotel or other organization in the hospitality industry may use radios only to help coordinate periodic conferences. Not mission-critical. However, a large, multi-building corrections facility may rely on radios constantly. Very mission-critical and often regulated. 

Quantifying the operational impact of lost radios in the second scenario very likely makes electronic asset lockers cost-effective for that corrections facility. Lost facilities keys slow down every workflow in which they’re used. 


Indirect costs  

Then there’s the risk of further damage to the organization if the asset is lost or stolen. Let’s take radios in corrections facilities. There’s also a need to control inmate access to institutional assets like radios. If you’re not protecting assets, their theft could create a public safety risk beyond the immediate risk to the facility. 

At this point, if there is a quantifiable risk to the public, to an organization's intellectual property, or to some other intangible, beyond the direct replacement cost and operational impact, deploying a high-end security solution for asset management becomes cost-effective in most cases.

This three-point analysis is a good back-of-the-envelope way to evaluate the cost-effectiveness of any security system. Rather than comparing product features, the key is to focus on the value delivered to your organization and the specific demands a system can meet. It's not about technology. It's about your business.
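As an added illustration of the three-point analysis above (this is example code, not part of the original article), the following Python sketch turns the cost categories from step 5 into a small risk register, computes an annual loss expectancy from likelihood and impact, and applies a break-even test to the hospitality and corrections radio scenarios. Every dollar figure, incident rate, locker cost and residual-risk fraction below is a constructed assumption, not data from the article.

```python
from dataclasses import dataclass


@dataclass
class AssetRisk:
    """One row of a physical-asset risk register (three-point cost model)."""
    name: str
    incidents_per_year: float  # estimated likelihood of loss or theft per year
    material_cost: float       # replacement cost of the asset itself
    operational_cost: float    # lost revenue and staff hours per incident
    indirect_cost: float       # damage to people, property or reputation

    def loss_per_incident(self) -> float:
        return self.material_cost + self.operational_cost + self.indirect_cost

    def annual_loss_expectancy(self) -> float:
        # Likelihood x impact, expressed per year
        return self.incidents_per_year * self.loss_per_incident()


def control_is_cost_effective(risk, annual_control_cost, residual_fraction):
    """True if the control's yearly cost is below the yearly loss it prevents.
    residual_fraction: share of the loss expectancy that remains afterwards."""
    if not 0.0 <= residual_fraction <= 1.0:
        raise ValueError("residual_fraction must be between 0 and 1")
    prevented = risk.annual_loss_expectancy() * (1.0 - residual_fraction)
    return prevented > annual_control_cost


def rank_register(*risks):
    """(name, ALE) pairs, highest annual loss expectancy first."""
    return sorted(((r.name, r.annual_loss_expectancy()) for r in risks),
                  key=lambda pair: pair[1], reverse=True)


# Constructed scenarios mirroring the article's hospitality vs. corrections
# comparison; every figure below is an assumption, not data from the article.
HOTEL_RADIOS = AssetRisk("hotel conference radios", incidents_per_year=2,
                         material_cost=150, operational_cost=100, indirect_cost=0)
CORRECTIONS_RADIOS = AssetRisk("corrections facility P25 radios",
                               incidents_per_year=4, material_cost=3000,
                               operational_cost=2500, indirect_cost=20000)
LOCKER_ANNUAL_COST = 1200.0  # assumed amortised yearly cost of an electronic locker
LOCKER_RESIDUAL = 0.2        # assumed: the locker prevents about 80% of losses


def locker_verdicts():
    """Apply the break-even test to both constructed scenarios."""
    return {r.name: control_is_cost_effective(r, LOCKER_ANNUAL_COST, LOCKER_RESIDUAL)
            for r in (HOTEL_RADIOS, CORRECTIONS_RADIOS)}
```

With these assumptions the hotel's expected loss is $500 a year and the locker does not pay for itself, while the corrections facility's indirect cost drives its expectancy past $100,000 a year and the same locker is clearly justified.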

For an even deeper dive into security ROI, check out our 6-Step Purchasing Guide, which gives more details on quantifying risks and calculating the Total Cost of Ownership for higher-end security solutions.