Security and Risk Management for Churches
By: Don Knox
Security and risk management are areas that every church must address in order to properly protect their members, staff, and facilities. For the purposes of this article, we are going to define risk management from an all hazards approach that includes all aspects of security, safety, fire protection, and emergency management.
In order to do this, you must establish a high-level, strategic risk management strategy and process that will in turn drive the implementation of tactical policies and procedures related to the previously mentioned areas of security, safety, fire protection, and emergency management.
The first step in this strategic risk management process is to identify the threats, vulnerabilities, and risks. These terms are often used interchangeably. Before we go through the process, we must first define these terms. A risk is the chance that loss, damage, injury, or something hazardous will occur and what the impact of it will be. A threat is something likely to cause harm. It can be intentional and deliberate or a veiled sign of what might happen. A vulnerability is something that is exposed to possible loss or damage. It can be exploited and compromised.
Next, we must go through the process of risk assessment and risk analysis. The terms assessment and analysis are also often used interchangeably. At a high level, you can consider an analysis as an explanation or description of something after careful evaluation and judgment. It is based on an understanding of the sum of its parts and how they all come together. An assessment is an examination of something in detail in order to understand it better or draw conclusions from it. It is the separation of something into its elements in order to find out what it contains and then examine its individual parts to see how they relate to each other. In other words, an assessment is something that you do or perform. An analysis is something that you produce such as a final report.
There are basically three types of assessments that must be performed to in order complete a comprehensive risk analysis: the threat assessment, the vulnerability assessment, and the risk assessment. For maximum effectiveness, these assessments should be performed in that order.
A threat assessment evaluates the potential incidents and types of tactics that someone is most likely to employ. A threat assessment should consider the complete spectrum of possible threats, including natural, such as tornados, hurricanes, floods, earthquakes and wildfires, as well as man-made, such as active shooter, burglary, bomb, and arson.
A vulnerability assessment quantifies the potential impact from a specific threat based on existing or planned conditions. A vulnerability assessment should evaluate potential damage and injury to people from each type of identified threat. This provides a baseline for determining the potential benefits from various security mitigation strategies.
A risk assessment incorporates both a threat assessment and a vulnerability assessment to evaluate the potential vulnerability associated with each threat. The objective of the risk assessment is to quantify the existing risks and to make recommendations to reduce high and or moderate risk ratings.
A risk assessment can be further defined as an evaluation of risk in which assumptions and uncertainties are considered and presented. You must measure and evaluate the potential or possibility for a loss occurring (threat) as well as the impact of the loss if it does occur (vulnerability). The assessment occurs once you start reviewing physical and environmental design as well as policies and procedures.
When performing an assessment, there are two different approaches you can use. A quantitative approach requires the measurement of a specific unit or number. A qualitative approach uses a high degree of subjectivity. For a security-related risk assessment, you could use the simple qualitative approach that involves assigning a small numeric values range such as 1 to 5 to identified threats and vulnerabilities. If you choose to use the qualitative approach, then you might assign something that is non-numeric values driven such and high, medium, or low. Thus, you would conduct an assessment and then perform an analysis on the data collected during the assessment to produce an analysis report. Once the assessment is complete, you move on to the analysis phase.
Now that the risks have been identified and assessed, it is time to decide what method of risk management to apply to each risk. There are several primary ways to manage risk: risk avoidance, risk transfer, risk reduction, and risk retention. There are pros and cons to each method. You will have to choose the right approach for each potential threat or vulnerability that you assess for your church.
Risk avoidance typically involves eliminating the risk. It includes not performing an activity that could carry or increase risk. An example could by a pastor choosing not to speak at or attend an event that has a high risk of religious or political protest. Another example is a church choosing not to move to or build a new location in an area that has a high crime rate or know to be near gang or drug activity. On the surface, risk avoidance may seem like the best method of risk management to apply. However, avoiding the risk also eliminates the possible positive that may be available. Positives such as the ability to be a better witnesses or disciples and have more change on the unsaved if you are more closely geographically located to those in the higher risk areas.
Risk reduction typically involves mitigating the risk. This included methods that allow you to reduce the severity of a loss or reduce the likelihood of the loss occurring at all. A lot of physical and electronic security applications are considered as part of this risk management strategy. For example, physical locks and electronic access control are installed at your facility to mitigate the possibility of unauthorized access.
Another item that falls into the area of risk reduction is Crime Prevention Through Environmental Design (CPTED). There are many environmental things that can be done to help reduce risk in this area, such are parking lot engineering, adequate lighting, properly trimmed and marinated landscaping, window placement and lobby entrance and common area design.
Risk transfer typically involves insuring the risk through the purchase of insurance. This includes items that will help reduce safety and security liability as well as help with compensation after a loss has occurred. A good example would be an insured church vehicle that gets broken into while in the insured church parking lot. In this example, the church is compensated for the loss based on their insurance policy and coverage.
Some areas of managing risk fall into multiple categories. For example, hiring security officers have some elements of risk transfer by placing some responsibility upon the security company. However, hiring security officers can also be part of a risk reduction strategy.
Risk retention typically involves accepting the risk. True self insurance falls into this category. It includes determining that it may not be cost-effective to put a mitigation strategy in place or provide coverage under an insurance policy. An example to consider here might be to not lock a certain area within the church. It may cost more to purchase, install, and maintain locks and keys for this area than the contents of what is in the area that you are trying to protect.
Overall, there are many different components to a comprehensive risk management program and plan. You must first know what your risks are and how they relate to your threats and your vulnerabilities. You must also understand that there is both an art and a science to performing a risk assessment and applying the results to via a risk analysis. Lastly, you must determine the best strategy and methodology to address each risk. In some cases, you may choose to either eliminate the risk or avoid it while in others you may chose to try and transfer it or accept it. These items may initially seem like a daunting task. Just remember that there are some free resources available to help get you started, but you should also consider retaining a professional security consultant to help you complete your entire program.
Don Knox, CPP, CITRMS, is a security consultant for Church Security Solutions.