In What the Defendant Can Do Wrong, security management and risk management expert witness Ira Somerson, BCFE, CPP, CSC, writes that “failing to preface your security plan with a risk assessment would violate standard security industry practices. If your risk assessment lacks sufficient qualitative (unscientific) or quantitative (scientific) analysis, it probably will be below a standard security industry practice.”
Standard Security Practice
The variety and causes of security risks are considerable. For that reason, some formal process must precede any security program implementation. A security program’s design needs to be based upon deterring, detecting, delaying, denying, responding to, and/or recovering from reasonably foreseeable events. The fact that anomalous events do occur should not excuse or rationalize a property owner from not first performing adequate planning. It is inevitable that a property owner will fail to recognize every risk or that an event will not occur in spite of adequate planning. But the fact that an adequate process was not used to identify the levels of risk places a property owner’s security plan in a far more egregious posture. Failing to preface your security plan with a risk assessment would violate standard security industry practices (standard of care). If your risk assessment lacks sufficient qualitative (unscientific) or quantitative (scientific) analysis, it probably will be below a standard security industry practice.