Two Must-Do Readiness Assessments

Two Must-Do Readiness Assessments

Print Friendly

Readiness: the state of being fully prepared for something.

Recently I suggested that a prospective client conduct a readiness assessment on a technology project that was planned to start within two months. He quickly performed a web search on readiness assessment, obtaining more than a half-million relevant search results. “Wow”, he said, “I hadn’t heard of that term. It looks like I’ve been missing out on something.”

Digging deeper, however, we found that his organization actually had performed readiness assessments a few times. They called them mock audits: exercises to determine how well prepared they were to pass an external 3rd party audit.

However, the full set of readiness requirements of an organization form a much bigger picture. And most of that picture was not being addressed.

In many security functions the readiness requirements have not been fully identified and responsibility for creating and maintaining readiness conditions has not been formally assigned.

Reviews of organizational conditions by RBCS personnel over more than two decades of security and technical assessments revealed these common contributors to low readiness states:

  • The concept of readiness was not a part of the business culture (and so current states of readiness and readiness evaluations were not a part of planning and preparations activities)
  • Preparations were insufficient to be fully ready in the first place (often due to poor readiness criteria and/or poor readiness evaluation and testing)
  • Failure to refresh or maintain initially-established readiness conditions (for example, people forget things; batteries discharge; phone numbers change, and tools and supplies get used, misplaced or relocated)
  • Readiness preparations had been nullified by organizational changes (states of readiness were disestablished—in most cases unknowingly—by planned actions such as personnel changes or restructuring)

States of Readiness for Your Security Program

Does your security program documentation identify the states of readiness that you must maintain, and what their requirements are?

Sometimes the operational response requirements are known or assumed, but not documented or validated.

For each type of response there should be a targeted level of response (optimal response) as well as the minimum acceptable response. Readiness preparations should be based upon the optimal response, with the objective in mind that unforeseen circumstances may hinder response somewhat but not push it below the level that is acceptable.

CASE STUDY

The Four-Minute Fire Response Requirement

Not long ago a Fortune 100 company did a review of its fire response globally.

They discovered that when the building’s fire warden (an employee role) was in the lobby ready to greet the first-responders within four minutes of the fire alarm, there were no serious consequences. But in each incident where the fire warden did not respond to the lobby within four minutes, there were serious consequences to people and property. They also studied what happened in the time between the first minute and the four-minute mark in the buildings that responded well, and found comparative response shortcomings in the buildings with the longer response times.

By improving their readiness to respond in ways that mattered, they drastically reduced the consequences of fire incidents. A two-minute response was optimal, with a four-minute response being acceptable.

A Readiness Plan lists the states of readiness that must be established, defines their requirements, and identifies the response capabilities that must be maintained along with what is required to maintain them. The plan should have a readiness validation schedule, which typically includes inspections of equipment (from flashlights to vehicle inspections) and materials (evacuation maps, signage, awareness posters, call lists, and so on), verification of training and certification status, and exercise drills to gauge performance and help maintain acceptable performance levels.

A good readiness validation checklist will include people, process, technology and performance elements.

A well-defined Readiness Plan can keep you from spending needless time and money on over-preparation, as well as help prevent under-preparedness.

Two Must-Do Readiness Assessments

Different situations require different levels of readiness. The consequences of not being ready vary significantly depending upon the context and purpose of the preparations. For example, the quality of fire and life-safety incident response is critical due to the potential for catastrophic personal injury and severe property damage. Other situations do not require the same level of response. For instance, a pedestrian trespasser taking a short-cut across a parking lot may simply require security officer observation, while a group of excited gang members entering the property requires a very different response.

Recently we performed a review of RBCS assessment project findings to identify two different high-consequence readiness situations where organizations were more commonly not ready than ready. These are just a couple of the many readiness capabilities that any security function needs to develop. They are presented here as a call to action in general to improve security readiness.

Evacuation and Shelter-in-Place Readiness Assessment

In response to a threat or hazard condition, personnel within a facility may need to evacuate or move to internal shelter locations. “Fire drill” is the exercise most commonly associated with building evacuation. Not all facilities have a specific fire drill requirement even though many jurisdictions have expanded their drill requirements over the past decade. Often if the fire department or corporate policy does not require facility fire drills, none are performed.

Although the U.S. Department of Labor’s Occupational Safety & Health Administration (OSHA) does not have an evacuation drill requirement, its standards of safety state that businesses must provide all employees with emergency action plans. Such plans provide guidelines on how to respond and react to an emergency. Included in the plan is a list of designated individuals who are responsible for making sure all people have exited the building. Additionally, the plan includes a list of what first aid will be provided and who will be responsible for providing it.

Typically over time, the Evacuation and Shelter-in-Place readiness state of a facility declines unless specific measures are taken to maintain an appropriate state of readiness.

Assessing Evacuation and Shelter-in-Place Readiness

If your organization’s evacuation and shelter-in-place materials are lacking or outdated, you (or the individual who has organizational responsibility) should be able to easily correct that situation. For each type of facility you have, locate applicable guidance or sample materials, identify what is relevant for the facility and its occupants, and perform a gap analysis to determine what needs to be done to establish full readiness. Involve the appropriate stakeholders. Write a simple evacuation and shelter-in-place readiness plan, including how to test readiness preparations, and execute the plan. Review the state of readiness annually (emergency plan roles and responsibilities may need to change) and make improvements as needed.

It is surprising how many security practitioners can’t quickly put their hands on facility emergency plans even though they may exist. Often this is the result of a different department (such as Facilities or Real Estate) having responsibility for creating and implementing the plans. When that is the case, Security should closely partner with the other department regarding emergency planning because there are security threats that could require the activation of emergency procedures, and some security threats (such as active shooter scenarios) require very specific responses that can be significantly different than those that apply for fire or hazardous chemical incidents.

Evacuation and Shelter-in-Place Guidance Materials

A web search on this subject will provide nearly a million responses, including Shelter-in-Place Procedures documents for many different types of facilities. The Centers for Disease Control and Prevention have shelter-in-place has a basic guidance page. Ready.gov has excellent materials on its website in a section called Preparedness Planning for Your Business, which of course goes well beyond evac and shelter-in-place planning. The National Institutes of Health (NIH) website has comprehensive workplace Evacuation and Shelter in Place materials including a training PowerPoint® presentation, an evacuation drill Excel® Worksheet for conducting and rating evacuation exercises, plus a training video. Additionally, NIH has placed its Policy Manual’s Occupant Evacuation Plan online, which includes example worksheets, instructions, and other materials for planning and managing Evac and SIP responses. OSHA has comprehensive guidance materials on Evacuation Plans and Procedures including an eTool to help small, low-hazard service or retail businesses implement an emergency action plan, and comply with OSHA’s emergency standards.

Technology Deployment Readiness Assessment

Outside of a very few Y2K security technology upgrade projects in the late 1990’s, RBCS has yet to encounter a significant security technology deployment that was on-time, within budget, and accomplished all of its important requirements. Contrary to what one might expect, usually the bigger the budget, the worse the project track record.

With any new technology project or significant upgrade project, it is important to take the time to conduct a project readiness assessment.

“Organizations that do not conduct a thorough assessment are not creating the conditions needed for a successful project. Often the perceived current condition is not reality and therefore the entire journey for the project is based on false conclusions.”

—Celwyn Evans, Founding Partner, Greencastle Associates Consulting

In Greencastle’s white paper titled “Project Readiness Assessment”, written for healthcare organizations considering critical business or clinical IT initiatives, Evans presents key insights about project success factors that typically do not get attention during project planning and execution. Electronic physical security systems technology projects are IT projects, which is why so much of Greencastle’s white paper is applicable to them.

Many important security system projects tend take on a life of their own, dragging the project leader and the project stakeholders along for the ride. A good project readiness assessment enables the project leader to get firmly in the driver’s seat and stay there, because nothing is left to chance.

In the experience of RBCS, most significant projects pay little to no attention to at least two of the five key areas of complex projects illustrated in Greencastle’s white paper and shown in Figure 1 below.

Figure 1. Five Dimensions of Complex Projects (click image to enlarge in new window)

Illustration: Five Dimensions of Complex Projects

Assessing Security Technology Project Readiness

A very good way to get examine the state of security tech project readiness is to use the RBCS online Security Tech Project Survival Test to rate your project’s status on the key project success factors. You can use the test to help determine your state of readiness for project execution, and re-test at each project major milestone to catch any success factors that are backsliding and address them before they create serious problems.

Budget Approval Readiness Assessment?

Whether addressing an annual budget, or a budget for a specific initiative or project, what is most important is not the set of facts and figures in the budget documentation—it’s getting the budget approved.

This article does not include information on Budget Approval Readiness Assessment. However, if you would like to see budget approval material added to this page in the future, submit your vote below and we’ll be sure to let you know when we add it.