The 18th century Irish statesman and author Edmund Burke is credited with saying, “”The only thing necessary for the triumph of evil is for good men to do nothing.”
Actually, the attributed quote was a paraphrase of what Burke wrote about the public man’s duty to do the right thing.
“That duty demands and requires that what is right should not only be made known, but made prevalent; that what is evil should not only be detected, but defeated. When the public man omits to put himself in a situation of doing his duty, with effect it is an omission that frustrates his trust almost as much as if he had formally betrayed it.”
In Biblical terms, doing nothing is the sin of omission. In legal terms, it’s a violation of the General Duty Clause, i.e. the duty of care.
Detecting and defeating evil is the purpose and goal of risk management, a complex but doable task that requires assessment of risk and vulnerability to detect the risk, and action solutions to defeat the threat.
Some situations are easier to assess than others.
For example, if your business involves injecting toxic chemicals in the eyes of newborn kittens to test a formula for women’s mascara, it’s likely that you already know the names of the animal rights groups that will be in touch.
At the other end of the spectrum, an all-hazards assessment may be incomplete, flawed, or considered so over-the-top and unrealistic that it is ignored.
In 2008, Tokyo Electric Power Company was given a study that mentioned the possibility of tsunami-waves up to 33 feet. Believing that prediction unrealistic, TEPCO executives opted for a less expensive 20-foot high seawall to protect its Fukushima Daiichi nuclear power plant. The 2011 tsunami wave that destroyed the plant was over 30 feet high.
Assessing the risk of a natural disaster is a fairly straightforward process because the range of possibilities is narrow and somewhat predictable compared to the unpredictable, unknown, and unimaginable evil acts of people.
All 658 Cantor Fitzgerald LP employees – more than two-thirds of its total workforce – who reported for work on floors 101 through 105 of One World Trade Center died on September 11, 2001. Is that type of loss something you would reasonably prepare for? However, would knowledge of the 1993 World Trade Center bombing be noteworthy when preparing a vulnerability assessment?
The good news is that even though you may be exposed to attack, it doesn’t mean that you are defenseless. A vulnerability assessment shapes your comprehensive safety and security policies and procedures, and results in effective protective procedures.
In their white paper, Vulnerability Assessments: A Cornerstone of Effective Security Planning, veteran security practitioners, Dave Johnson and Gale Erickson, CPP, make the case and discuss the steps for conducting a vulnerability assessment that includes:
- Evaluation of risk and threat factors.
- Evaluation of policies, procedures, and people.
- Physical site inspection.
- Identification of critical asset vulnerability.
- Mitigation solutions.
This paper is a good primer for CEO’s who need to know what a vulnerability assessment is, what it covers, what it will produce, and why it should be done. It’s also useful to Chief Risk Officers and Chief Security Officers tasked with managing an assessment or making the case to the C-suite.
Whether it’s done in-house or outsourced, a vulnerability assessment is best performed by skilled and experienced people who can conduct it with an objective and unbiased perspective; unencumbered by organization bureaucracy, culture, and politics.
Given the risk and potential cost of an inadequate defense, conducting a vulnerability assessment is not a “check box” activity. Moreover, it is not a one size fits all solution. Best done it is meticulous, methodical, thorough, and specific. It is an investment in prevention.
Or, as Burke admonishes, it is our duty.
Michael Nossaman is the founder of the PSC
Tsunami image courtesy of Danilo Rizzuti @ FreeDigitalPhotos.net
Sign image courtesy of FreeImages.com/Enrico Corno