In dealing with security for a large building or campus, it is advisable to enlist a trained security professional (e.g., a Certified Protection Professional) to work with a team of individuals from the facility to develop a security risk assessment and action plan. The team should include the on-site security manager and representatives of the stakeholder organizations at the facility, including operations, human resources, engineering, information technology, finance, public relations, and executive management. With the security professional acting as the facilitator, the team should use the following 12-step security risk assessment process, which is an adaptation of a method used extensively in the military and civilian government agencies to address security risks:

1. Identify and quantify assets. Assets can take the form of facilities, personnel, property, or information. Name the specific assets to be protected and estimate their value in dollars. While it is obviously difficult to quantify a human life, actuaries generally set insurance values at about $2.5 million per person. The loss of an asset due to a malevolent act represents a consequence. For each type of asset identified, assign a consequence rating of “not serious,” “serious,” “very serious,” or “catastrophic,” depending on the total dollar value of the loss of the listed assets. Remember that the loss of an asset might be mitigated by the existence of a redundant capability.

2. Identify the threat events and existing protective measures. These events would address the assets identified in the first step. Because most facilities already have a baseline of security, identify the security measures already in place that contribute to protection against those threat events.

3. Evaluate the likelihood of occurrence. Rank the likelihood of the threat events identified as “highly probable,” “probable,” or “improbable” (e.g., the likelihood of a computer theft at the average commercial office building is highly probable, but an attack by a vehicle bomb might be rated improbable).

4. Identify the risk level of each threat event. The “Consequence vs. Likelihood” chart (below) will help determine the risk rating for each asset/threat combination. The risk rating would run from a low of 4-D to a high of 1-A. Note the three bands of risk interpretation in the second graphic. You may wish to modify the interpretations of the three risk bands to better reflect your institution’s risk policies.

5. List the threat events in descending order by risk. This will prioritize the threat events you are to address.

6. Identify measures that could mitigate the threat events. Identify security enhancements that would reduce the likelihood of the threat event occurring, such as increased access control, new surveillance equipment, or new security procedures. Also identify measures that could lessen the consequences of an event, such as an alternate office space or backup equipment.

7. Reassess the risks, assuming that each identified upgrade is implemented. Now you can see how effective the security improvements and consequence-reduction measures are.

8. List the proposed upgrades in descending order. This will prioritize the upgrades in which you are most interested.

9. Gather information on the costs of upgrades. Your security professional and your facility engineering staff can assist in this task. Be sure to take into account life-cycle costs.

10. Perform a cost-benefit analysis. Use a simple cost-to-benefit ratio where costs are stated in dollars, and benefits are ranked on a numeric scale of 1-5, or 1-10.

11. Rank the upgrades by cost-benefit level. This will prioritize the upgrades you will pursue, given the availability of funds.

12. Compare the prioritized upgrades against the available budget, and proceed with the highest-rated upgrades until the budget is exhausted.

The process is now complete, and you have developed a sound, defensible plan for addressing your security concerns, while achieving the maximum return on your investment.

Tom Allen is vice president at Milwaukee, WI-based Johnson Controls Security Systems LLC (www.johnsoncontrols.com), and located in the Gaithersburg, MD, office.

To view the Consequence vs. Likelihood table, courtesy of Johnson Controls Security Systems LLC, click here.
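
The cost steps of the process (gathering life-cycle costs, computing the cost-to-benefit ratio, ranking, and funding against the budget) can be worked through as follows; this is an added example, not part of the original article. The Upgrade fields, the service-life figure, the tie-break, the skip_unaffordable policy, and all sample upgrades and dollar amounts are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Upgrade:
    name: str
    capital: int   # purchase and installation, dollars
    annual: int    # yearly operation and maintenance, dollars
    years: int     # assumed service life used for the life-cycle cost
    benefit: int   # team's benefit score on the 1-10 scale

    @property
    def life_cycle_cost(self) -> int:
        return self.capital + self.annual * self.years

    @property
    def cost_per_benefit(self) -> float:
        return self.life_cycle_cost / self.benefit

def rank_upgrades(upgrades):
    """Lowest dollars per benefit point first; ties go to the higher benefit."""
    for u in upgrades:
        if not 1 <= u.benefit <= 10:
            raise ValueError(f"{u.name}: benefit score must be 1-10")
    return sorted(upgrades, key=lambda u: (u.cost_per_benefit, -u.benefit))

def fund(upgrades, budget, skip_unaffordable=True):
    """Walk the ranked list and fund what the remaining budget covers.

    skip_unaffordable=True passes over an upgrade that does not fit and
    keeps looking; False stops at the first upgrade that does not fit.
    """
    funded, remaining = [], budget
    for u in rank_upgrades(upgrades):
        if u.life_cycle_cost <= remaining:
            funded.append(u.name)
            remaining -= u.life_cycle_cost
        elif not skip_unaffordable:
            break
    return funded, remaining

# Constructed sample data, not from the article.
PROPOSED = [
    Upgrade("Card readers on server room", 40_000, 2_000, 5, 8),
    Upgrade("Perimeter cameras", 120_000, 10_000, 5, 9),
    Upgrade("Visitor sign-in procedure", 5_000, 1_000, 5, 4),
    Upgrade("Lobby guard training", 20_000, 4_000, 5, 2),
    Upgrade("Backup office space", 60_000, 30_000, 5, 7),
]

if __name__ == "__main__":
    print(fund(PROPOSED, budget=100_000))
```

The two funding policies can give different plans for the same budget, so the team should state which one it used when presenting the result.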