We need a risk glossary because many of the words we use to describe risk, and specifically how it relates to corporate security and building management, can be confusing. Although we frequently hear terms like criminal threat, risk assessment, or acceptable risk, many people don’t have a clear understanding of what they really mean.
Because risk is inherent in all aspects of life, we need to be able to discuss it openly so we can address it. That means we need to understand the terminology. Our goal for this risk glossary is to accomplish this.
Among the most frequently used words and phrases that need further clarification are the following:
We might as well start with our key word in the risk glossary: risk. The possibility of loss resulting from a threat, a security breach, or an event, whether from human-made or natural causes.
Example: Natural causes of risk may include an earthquake, fire, or flood occurring near a facility. Theft or vandalism is a human-made risk.
An estimate of the potential losses associated with certain types of risk.
Example: A housing development was built near an earthquake fault in California. Before construction, the developer and local authorities conducted a risk assessment to determine if there would be casualties—and if so, how many—should an earthquake of a certain magnitude happen.
A direct, indirect, or veiled (implied) statement of intention to undertake an action to harm someone or something. Threats may be verbal or in writing. The goal of a threat is to create a sense of fear or to change someone’s behavior in some way. Legal definitions of a threat vary by state.
Example: To save his job, a disgruntled employee threatened to release sensitive information about the company if he were fired.
A threat against someone’s life, suggesting bodily harm to one or more people. In most states, a criminal threat must be directly communicated and cannot be vague or veiled.
Example: Dan sent a text message to his old girlfriend informing her that he was coming over to her house to kill her after she cheated on him.
A detailed examination of one or more facilities intended to identify vulnerabilities that could allow people or property to be harmed. A thorough and professionally conducted risk assessment helps identify these risks and then suggests ways to minimize or eliminate them in a systematic and prioritized way.
A risk assessment is normally a three-step process:
- Hazard identification, where we list all potential hazards.
- Hazard analysis, where we analyze the risks posed by each and prioritize them.
- Impact analysis, where we determine the potential effect of each hazard on the organization.
Example: A major airport was concerned that someone might find a way to get on their runways, blocking air traffic. A professional risk assessment was conducted, which concluded that their runways were not secure (an incident could shut down the airport) and offered suggestions to prevent this and safeguard the runways from intruders.
Actions that can be taken to reduce risk or mitigate the consequences of risk, such as a security breach, a shooting or attack, or another unexpected event after it happens. One of the key goals of a professional risk assessment is risk management.
A level of risk deemed acceptable to an individual, an organization, a business, or even a country.
Example: A jet engine has a failure rate of 0.4 per million departures. Regulators and customers view this as an acceptable risk. It does not deter anyone from flying.
Risk = Consequence x Probability
There are a number of variations on the terms used in the risk formula, but they all agree on the same concept: that risk is a function of the impact or consequences of the event and the frequency of occurrence.
Example: The risk of dying from COVID-19 is 14 times higher for unvaccinated people than for vaccinated people.
Low Risk. The risk of dying from COVID decreases for those who are vaccinated.
High Risk. The risk of dying from COVID increases for those who are not vaccinated.
A function of the severity of the event and the vulnerability of the organization; reduce vulnerability and you mitigate risk.
The potential of being harmed through a security weakness or a deficiency in how a facility is designed or operated.
Example: A risk assessment for a warehouse suggested the facility was vulnerable to an intruder or an attack if it did not secure its parking lot. The unsecured parking lot is a vulnerability.
Hazard and Hazard Analysis
A hazard is simply something that can occur, normally divided into natural, technological, and human-caused hazards. Hazard analysis is the process by which we examine potential hazards based on frequency and severity to prioritize those most likely to have the greatest impact on an organization.
Example: While we might have a blizzard in San Francisco, the frequency and impact are so low as to be negligible; on the other hand, earthquake hazards in San Francisco have an extremely high potential impact on the city, although the frequency is still low. This is why we plan for earthquakes and not for blizzards.
More to the Risk Glossary
There certainly are more risk-related terms we could add to the risk glossary. Building and business owners, college administrators, and facility managers should be aware of these terms and others that may be included in a risk glossary. Especially now with the current crime wave, we are in a high-risk environment.
Lu Canton has over thirty years of experience in hazard and risk analysis, loss mitigation, and emergency planning. Lu joined the Federal Emergency Management Agency (FEMA) in 1990, where he assisted in the development of disaster planning responses. He was later appointed Director of the Department of Emergency Services for the City of San Francisco. Today, he is a member of the TAL Global Team.