Why Are Security Vulnerability Assessments (SVA) Important for Architects and Their Clients?

Architects and their clients first and foremost want their buildings to be safe and secure, providing an adequate level of protection to the occupants, visitors, building maintenance and management staff, contractors and all legitimate persons associated with that building.

The building not only has to meet safety and construction codes but, in today’s global environment, may also have to meet increasing security regulations in the form of new, existing and pending security legislation.

With Security being only one of the many costs associated with the construction of a new building, or building renovation, and whether it be an industrial, commercial, educational, healthcare, distribution, entertainment, or other form of structure, it is also important that all security systems and measures fit within a budget and not exceed reasonable levels.

Of equal importance, whatever security is deployed, it should also incorporate appropriate up-to-date security technology, be practical and ensure that the architect and client (owner) are at minimum risk in the event of a security incident and not facing Negligent Liability.

The application of a Security Vulnerability Assessment (SVA) and involvement of security professionals at the early stages of a project will achieve all of the above.

It is also why virtually all physical and electronic security legislation, to date and pending, commences with an SVA as the first stage of such legislation.

What is an SVA?

Prior to “9/11” an SVA was more commonly known as a Risk Assessment, but today’s SVA is much more than simply assessing a risk factor for a facility.

A professional SVA will generally commence with a Threat Assessment to identify the Credible Threat Level for a specific facility governed by such factors as industry classification, local environment, existing physical and electronic security measures, safety procedures, type of product or service, etc.

It is particularly important in any security environment to know the level of threat that a facility or organization is facing before considering the various security options available or, in simple terms, who or what the facility should be protecting against.

There is a significant difference, both financially and manpower-wise, between protecting facilities from a State Sponsored Terrorist Group as opposed to dealing with theft, or another form of criminal act, or a disgruntled employee intent on making a statement against their employers.

Having established the credible threat level, an SVA will then identify all Critical Assets (those assets that if compromised, are likely to have the most serious consequences for an organization or property/facility), such as people, processes, data, inventory, production facilities, formulas, hazardous materials, etc.

An unfortunate fact in the security industry is that it is not possible to protect everything, for financial and logistical reasons, and thus it is critically important to identify and protect those assets considered most essential to the ongoing safety and well-being of a respective entity.

Given the credible threat level and identification of all critical assets, it is then possible to establish the Design Criteria that will provide the framework for all physical and electronic security measures necessary to meet an adequate level of protection for that facility.

There is no such thing as guaranteed 100 percent security (the ingenuity of the human mind precludes such a goal), and thus it is vitally important to have Security Design Criteria (those specific reasons as to why a certain security system was installed in place of another, and why security devices such as cameras and access control readers were placed at certain locations and not at other points within a facility).

A professional SVA will identify such Security Design Criteria and allow an entity to defend itself against alleged wrongdoing in the event of an incident.
An entity includes both the owners and property managers, as well as the architects and architect firm involved in the construction of a new building, school, college addition, commercial campus development, distribution center, and other structures, or major renovation of same.

Security Design Criteria is identified with an SVA

Applying correct design criteria will also, in a majority of cases, avoid unnecessary cost brought about by implementing security systems that are either “overkill,” incorrect for the proposed purpose, or addressing aspects of security that are trivial in nature with costly measures and equipment. Many clients do not have design criteria of any sort for their facility, and in the event of an incident and court action, one of the first questions asked by the plaintiff’s attorneys is “what were the design criteria for the installed security systems?” The inability to answer this question immediately places the defendant in a less than favorable light.

A professional SVA will also assess Consequences for a facility based on prioritized critical assets should they be compromised, as well as illustrating possible Mitigation where, for a variety of reasons, security measures are impractical or cost prohibitive to implement.

The Observations and Recommendations emanating from an SVA are perhaps the most important section, as they provide an invaluable assessment of those issues most likely to have serious consequences for the organization.

A professional assessment of such issues is generally based on many years of security industry experience, where the consultant team has experienced first-hand what should be in place in terms of security measures, and what is effective and what is not. The same assessment is also likely to be based on direct experience with current legislation, and knowledge of pending legislation.

Recommendations will also illustrate cost-effective and reasonable methods of addressing such issues, while limiting the security solutions to those necessary to meet specific requirements and/or legislation. Again, a professional SVA prevents “overkill” and excessive cost in dealing with security issues for a specific facility or commercial structure, etc.

It should also be noted that carrying out an SVA essentially provides for the protection on the part of architect and owner/developer from potential negligent liability when the project is completed, in the event of a security incident and possible lawsuit.

Other Factors Considered in an SVA:

A) Legislation:

Since “9/11” there has been extensive Security Legislation covering many industries, as well as the eight Key Infrastructures identified by the U.S. Government in 1998.

Substantial new security legislation is either going through the “House” at this time or is pending. As previously stated, it should be noted that the majority of security legislation requires an SVA as the first stage of such requirements.

It would appear that much of the new security legislation will be modeled on the Department of Homeland Security’s CFATS requirements which include both stringent regulations and penalties for violators of the legislation. It is therefore important to meet new legislation, and not incur financial penalties that can be $25,000.00 per day for each day of violation.

Many companies and facilities are unaware that they fall under the CFATS regulations by having quantities of certain chemicals stored at the facility. A professional SVA takes into account all current legislation that might apply to an organization, as well as looking at the potential effect of pending legislation so that an organization has time and flexibility to incorporate reasonable solutions into their medium and long-term planning.

B) Federal, State & Private Grant Funding:
There is considerable Federal, State and Private Grant Funding available at this time, that can be used to offset the cost of any required security improvements, etc.

These grants can cover many different areas ranging from training grants, and information technology to advanced electronic security systems that include communications, security management, CCTV Camera Surveillance systems, vehicle control, and others.

Recent examples are Federal grants given to companies located from the Brooklyn and Philadelphia Navy Yards in NY and PA, to facilities on a major waterfront area in Illinois, where the grants ranged in value from $150,000 to $1.5 Million and above.

A professional SVA is often the single most important document supporting such Grant Applications.

C) Counter Liability:
In the event of an incident within an organization or at a facility, the event would almost certainly be followed by a lawsuit that is also likely to allege some degree of Negligence or even Gross Negligence. The inability of the organization or facility to demonstrate that they had already carried out an SVA by a qualified party is likely to be seen as an immediate example of the failing of that entity.

Note: It should be remembered that the implementation of SVA recommendations is not governed by a precise time period, and from experience, many recommendations can be instigated using existing manpower with minimal cost. Thus, it will be exceptionally difficult for any defense team to prove any form of negligence where an SVA was performed, and where at least a part of the implementation program is shown to have been underway.

In the case of new construction and likely clientele that will occupy the facility, an SVA will also address future expansion and ensure that recommended security systems and measures will be such that they are fully compatible and easily expandable at optimum cost and in compliance with security industry standards and accepted practice.

An SVA specifically addresses situations that may create liability for the client, both immediately and into the future, whether for new construction or a new renovation.

D) Insurance Compliance:
Insurance companies are now asking their customers to undergo an SVA as part of the insurance company’s due diligence before setting a premium for that customer.

An SVA will provide evidence to any insurer that their client has taken steps to prevent possible liability, including negligence and gross negligence, as well as meeting legislation requirements, and identifying potential security problems.

Provided that there is some intent to implement recommended measures over a period, the client may see a discounted insurance premium, or avoid the substantial increase in the insurance premium that they might face in the event that they have not carried out an SVA.

E) Development of a Phased Solution:
An SVA provides an opportunity for a client to address potential security problems in a flexible manner, and over a phased implementation period. In many cases, it is possible to develop a phased timetable of implementation based on asset protection priority, and over several years.

It also allows a client to incorporate security requirements, whatever they might be, and whether it is to meet legislation or prevent possible liability, over a period of years, thus easing the financial strain of having to meet security requirements in a hurry following an incident, etc.

F) Emergency Planning & Preparedness:
One of the byproducts of a professional SVA is typically the updating of any Emergency Response Plan, not to mention the correct identification of critical assets within an organization or facility.

Knowing the full extent of potential consequences of given actions, an organization is thus able to better respond to an emergency with appropriate resources at minimal cost, and to be able to demonstrate their overall preparedness for such emergencies.

Primary Benefits for Architects and their clients to carry out an SVA, ideally at the start of a project:

1). CREDIBLE THREAT LEVEL:
Having an accurate Threat Level allows for the design and development of security measures that are not considered “overkill” but are considered adequate for the project, thus keeping costs in check and still meeting current security industry standards and practice.
2). CRITICAL ASSETS:
Knowing what and who requires the highest levels of protection is crucial to adequate security, and while critical assets most certainly concern people, they may include many other non-human assets which will be identified in a professional SVA and which then deserve an appropriate level of protection.
3). SECURITY DESIGN CRITERIA:
Solid security design criteria not only ensure good security that will stand up to any negligence alleged by the plaintiff in a lawsuit following a security incident, and to claims that security devices were inadequate or incorrectly positioned, but also have a second purpose: making sure the security equipment and systems are those necessary to meet the SVA recommendations, both in quantity and at optimum cost.

4). BONAFIDE OBSERVATIONS & RECOMMENDATIONS:
The SVA observations and recommendations are put together by security professionals with many years of experience as well as expertise. In the case of Wivenhoe Management Group, all consultants have a minimum of 25 years or more of experience in security and the Firm takes full responsibility for the observations and recommendations, thus relieving the architect and owner/developer of any negligent liability in the event of an incident.
5). COMPLIANCE:
Last but not least, a professional SVA will make sure that the project complies with all current and pending security legislation, insurance security requirements and solid security practice, and provides an excellent base for emergency preparedness.