Developing an Asset Approach to Risk Management

Rethinking a Key Function Within Facilities – By Arnie Wohlgemut

Over the past 30 years, the facilities management industry has experienced building science innovations, more complex codes and the integration of technology into everyday operations. One key function that hasn’t seen much improvement is the risk management program, which is now of utmost importance.

Risk assessment is a foundational service for a facilities management team to deliver. With boots on the ground, these teams have functional insight into the entire organization.

Unfortunately, it is all too common for a company to conduct a business impact analysis (BIA) and omit a site and facility risk assessment. When a business creates a continuity plan by elevating one function such as IT or finance above other departments, believing the business cannot function without it, this may bring additional risk to the whole organization. This single-silo approach does not address the reality that site and function are uniquely linked.

“Despite all the talk about the importance of the risk assessments being the foundation for the development of a facility’s security program, it has been my experience that, relatively speaking, very few are actually done,” writes security professional Dr. Glen Kitteringham.

Why are there few risk assessments?

One reason might be that every facility manager faces a whirlwind of daily and sometimes hourly events that require their attention, from emergencies and reports to customer concerns. In order to handle these situations, exceptional management skills are required.

Secondly, the task appears to be quite daunting. To complete a full assessment and address the concerns found could potentially take up to five years, depending on the complexity of the business, changes in business operations and, most importantly, willpower. Facility managers thrive on quick problem solving and thinking on a dime. There are very few key performance indicators that could be used to measure the effectiveness of the work and program at hand.

First Things First!

In order to be able to complete a risk assessment, a facility manager should have senior management’s full support—both financial support and also a commitment to see the assessment as part of the BIA and reinforce the business continuity strategy.

The facility manager must also be willing to carve out time and resources towards meaningful progress. Having a set of goals that can help to track advancement is imperative. What is important to understand, though, is that not all the steps are needed at the beginning.

Where to Start?

A facility manager needs to build internal relationships with:

  • Human resources to support facilities expansion concurrent with company growth;
  • The IT department for technology integration;
  • Finance to assist with the implementation of capital planning and funding;
  • Purchasing for vendor management and procurement services; and
  • Production department to support the creation of the final product.

A facility manager needs to build external relationships with:

  • Engineering consultants to provide advice and services related to facility operations and improvements;
  • Maintenance contractors to provide services in support of the business continuity program;
  • Suppliers of materials and products for daily operations; and
  • Regulators and inspection services to remain in code and regulation compliance.

Identification and Elimination.

When approaching the risk assessment, use the three most valuable asset categories of every business. In each of the three categories, ask: what are the primary threats you believe need to be addressed and what is the effect on the business if the threat is realized? This will help identify the first steps or areas to evaluate and the level of importance.

People

People deliver services and bring ideas and creative energy to all elements of a business. They need to feel safe in and around the facility. For example, they expect a manager to have control over who and what enters the building. This control, to a varying degree, might be needed to protect the production environment and to secure inventory and intellectual property.

Data

This is information about what the business does, how it is operated and what future plans may arise, either in digital or physical form.

Information is becoming increasingly difficult to protect and preserve. A facility manager may not have the responsibility to protect against an outside cyber attack; however, they can protect the space in which this data is housed. Physical access control, protection from natural disasters, and climate-controlled server and data processing rooms are all part of the risks that require reviewing in order to implement the right resolution.

Facilities

This is where the business is conducted, where people and data are woven together to form the tapestry of the business, and risk within the facility can extend to the suppliers.

The challenge for facility managers is to look past typical building elements, such as roofing and windows, or services such as power, HVAC, and water. The risk could be caused by a natural hazard, but also by a poorly thought-out design.