• 05/13/2026
  • Industry news

Key considerations in risk management

Power cuts, cyberattacks, fires or sabotage: risks cannot be completely avoided. However, clearly defined responsibilities and regularly practised procedures lay the groundwork for ensuring that an incident remains manageable and does not escalate into a crisis.

Written by Alexander Stark

Just as emergency exits provide guidance in critical moments, clear responsibilities and practiced procedures prevent incidents from escalating into crises.

Whether an emergency has far-reaching consequences is determined long before the event itself – through risk analysis, the allocation of roles with clearly defined responsibilities, and technical interconnectivity. Individual measures are simply not enough, particularly when it comes to critical infrastructure and complex sites. What is needed is a holistic approach: a crisis and emergency management system that integrates physical security, IT and organisational processes, and remains resilient even under pressure.

“It is important to identify all possible risks using a comprehensive risk assessment approach. These risks must then be prioritised and addressed in the security concept through appropriate measures, in order to limit both the probability of occurrence and the extent of damage in line with the ranking,” explains Wilfried Joswig of the Association for Security Technology (Verband für Sicherheitstechnik e. V.). Risk management – that is, the systematic process of identifying, analysing, assessing, managing and monitoring risks to safeguard a company’s existence and success – translates potential crisis scenarios into concrete procedures: anyone wishing to react quickly must be aware of the risks in advance, assess them effectively and ensure they can be managed within the organisation.

 

What makes a robust plan

Emergency planning must be as tailored to individual circumstances as the buildings, uses and operational processes themselves. “Requirements vary significantly depending on the type of building – for example, schools, office buildings, hospitals or industrial facilities – and are therefore defined on a case-by-case basis according to the specific use,” says Stefan Pusch, Strategic Sales Manager at Securiton Germany. This is why emergency planning needs to be tailored precisely to the specific site. “It is therefore not enough to simply adopt the emergency plan from another site,” warns Joswig, pointing to relevant regulations and guidelines that can provide important guidance during the planning process.

A functional evacuation plan takes into account, for example, the architectural structure, the specific use of the building and particular hazards. It also incorporates aspects such as different groups of people, route planning, assembly points and the appropriate alert strategy.

For planning to translate into the ability to act, a contingency plan must not remain merely on paper. It must be regularly reviewed, practised and evaluated. “Only when procedures are in place can the situation remain under control,” Pusch sums up. Tests, audits and drills reveal where improvements are needed. “Particular attention must be paid to the allocation of roles and the associated responsibilities of crisis managers,” says Joswig.

Special requirements also apply to CRITIS sites. Operational failures can not only have financial consequences but also immediate implications for security of supply and public order. “CRITIS operators face high demands in terms of compliance, documentation and traceability. A structured, audit-proof approach is therefore essential,” emphasises Benjamin Körner, Manager of Strategic Accounts and A&Es DACH at Axis Communications.

Risk analysis for CRITIS companies is a key component of the planned CRITIS umbrella law and forms the basis for all further protection and resilience measures. Affected companies are therefore required to systematically address their risks now and to establish appropriate processes, documentation and evidence. Guidance and practical assistance on risk analysis and the implementation of regulatory requirements are provided, for example, by the German-language “CRITIS Guide” with an operational timeline on the website of the Association for Security Technology (Verband für Sicherheitstechnik e. V.).

Real-time situational awareness

A comprehensive risk and threat analysis covers both physical and digital scenarios – ranging from natural disasters and technical failures of critical systems to cyberattacks and targeted sabotage. The key lies in the ability to quickly gather and link information and translate it into a robust picture of the situation. “A consistent, real-time overview of the situation is the basis for informed decisions – particularly under time pressure,” emphasises Körner. “Only when relevant information is collated centrally and contextualised can complex situations be quickly assessed and prioritised – and escalations ultimately prevented.”

This highlights the importance of open, IP-based technologies: they enable the integration of different systems on a single platform. Video surveillance, access control and other safety and security solutions can thus be networked and controlled centrally. “Integrating all systems into an overarching security management system ensures that all information is consolidated in one place to provide optimal support to security and emergency services,” says Pusch. Such a platform forms the nerve centre where alerts from access control, video surveillance, fire detection technology and electroacoustic systems converge and are combined with control centre processes. The result is a consistent information base that supports security managers and emergency services alike.

Such systems must function reliably even under adverse conditions – redundancies, robust network infrastructures and a well-thought-out cybersecurity strategy are therefore an integral part of modern security architectures. In practical terms, this means that these processes must remain effective even if parts of the infrastructure are already compromised. Evacuation and emergency procedures are therefore designed to operate reliably even in the event of partial failures – such as network or power supply outages. “The systems used must be designed to be cyber-resilient and tamper-proof in order to function stably even in critical situations,” says Körner.

 

Clear communication

In the event of an incident, everything comes down to a matter of minutes: situational awareness, communication and leadership must all work in tandem. Often, the quality of communication determines whether a situation remains under control or escalates.

In this context, Stefan Pusch highlights the importance of a clearly defined fire safety and evacuation plan. “Reliable and highly available fire detection and voice alarm systems form the essential basis for this,” he says. This is because, through targeted and clear instructions, voice alarms can significantly increase the effectiveness of an evacuation.

In addition, dynamic escape route control is becoming increasingly important. “If an escape route is unusable due to fire, smoke or a temporary construction site, alternative routes must be automatically displayed and specified,” adds the Securiton expert. Digital systems now make it possible to make such adjustments depending on the situation and to communicate them reliably to those affected.

 

Where many plans still have weaknesses

In practice, emergency plans often fail not because of individual weaknesses, but due to a lack of coordination between processes, responsibilities and systems. Wilfried Joswig emphasises, above all, cross-organisational cooperation: “Unfortunately, there have been various incidents that have clearly shown that cross-regional cooperation, in particular, leaves much room for improvement. As we adopt an ‘all-hazards’ approach to crisis management, it is essential to be familiar with supra-regional emergency and operational plans and to integrate them into our own planning. This includes, for example, neighbouring companies, BOS organisations, utility and waste management companies, weather services, etc.”

Körner also sees inconsistent system landscapes as a significant risk: “In practice, it is still frequently the case that security systems remain too fragmented and insufficiently networked. This delays the assessment of the situation and makes a rapid response more difficult. Often, there is no unified view of security-related events, meaning that information from various sources has to be collated manually.”

Added to this are organisational ambiguities that often go unnoticed in day-to-day operations but can have serious consequences in an emergency. According to Pusch, the situation also becomes critical when responsibilities are defined only in a formal sense. Roles may be defined – but in an emergency, those involved must also know exactly what is expected of them. He also points to technical and planning shortcomings: “In existing emergency and evacuation plans, safety-critical components are sometimes not optimally designed from a technical perspective, such as lack of availability, insufficient resilience to cyberattacks or inadequately planned public address systems.”

Crisis resilience is therefore not a matter of individual technical components, but a management and organisational task. The key lies in the interplay of risk analysis, clear responsibilities, well-rehearsed procedures and networked security technology. Only this combination provides the situational picture in an emergency that enables rapid decisions, prevents escalations and provides targeted support to emergency services.

Author

Alexander Stark
Freelance Journalist