The rule of thumb when reviewing risk assessment recommendations is to compare what is being recommended with the likelihood of the event occurring. This is called risk frequency. A consultant performing a risk assessment is retained to identify all potential risks and then measure the likelihood of the risk occurring, how much damage will be incurred, what that damage will do to your company, and how much will the damage cost you both at onset and after repairs are made. This is called risk cost. This is what you pay the consultant to identify.
The trick is to balance the likelihood of an event happening with the cost of the recommended solution. If the frequency of occurrence is low or non-existent, then you may elect to eliminate the recommendation. If the likelihood that the identified risk will occur is high, then you need to either spend the budget dollars on the recommended solution or avoid the cost in lieu of accepting the risk by increasing your insurance coverage/premium for the identified risk. If the consultant you have hired is not providing you with this type of risk versus likelihood comparison and is expecting you to decide merely on his/her expertise, then I would say it is time to reconsider your business relationship with your consultant.
ABOUT THE AUTHOR: Thor A. Mollung, CHSII, Managing Director, Security Consultant, has over 20 years of experience in the industrial security industry with companies such as Fidelity Investments, Mellon Bank and State Street Corporation. Mollung is a member in good standing of the American Society for Industrial Security (ASIS-International), the National Fire Protection Association International (NFPAI), and the American College of Forensic Examiners Institute.
This was first published in February 2007