Site Security Risk Assessment Guide: Risk, Loss, and Liability

The construction site environment is laden with potential hazards. To adequately protect against these, it is a legal requirement that a site be subject to a risk assessment.

The security risk assessment goes beyond the concerns and considerations associated with security, instead covering the span of health, safety, security, and the environment (HSSE) to ensure staff, visitors, and the public at large are all protected.

A site security risk assessment exists to identify hazards on a project, assign responsibility for their mitigation, and assess the correct steps necessary to do this.

The site security risk assessment document is typically completed by the site manager. They further take responsibility for sourcing the right solutions to implement the actions recommended within. During an in-depth evaluation of the location covered, any vulnerabilities will be documented. These are often physical in a site security risk assessment; however, they can be digital or even procedural in some cases.

Hazards can come in various forms, from unauthorised access or trespass to theft, vandalism, or even violent/aggressive behaviour between colleagues.

Environmental factors are to be considered here as well; the potential for fire and flood can be present on projects.

Risk is assessed based on the potential level of harm caused. The greater the harm, the greater the risk rating.

A common approach is for the risk assessment to use a numerical system to rate severity and use this as a basis for identifying the right response. Despite allocating ratings like this, no threat is deemed too small to be considered important within the overall framework.

This risk rating is identified from a calculation multiplying likelihood by severity. Both factors are judged on a scale; likelihood will range from 1 (meaning rare) to 5 (meaning a certainty) while severity will range from 1 (meaning insignificant) to 5 (meaning fatal). A typical range could be represented by the following:

• 1-8 would be deemed low-risk and worthy of monitoring as the site progresses

• 9-13 would be deemed medium-risk and worthy of monitoring and regular review, with risk reduced where possible

• 14-25 would be considered high-risk with further action required.

The next step is identifying the groups most at risk. Typically, this will involve employees, the public, contractors, and visitors. Often if a specific demographic within these can be isolated for additional concern, a site manager will do so. On a construction project this could include young people who pose a greater intrusion risk. 

A site security risk assessment is essential to build a process of protecting a site, all individuals who work on it, and the public at large. Building sites can be vulnerable environments.

Without a clear understanding and assessment of the threats faced on a site, risks can grow out of control with the security response ineffective and reactive.

Insurers expect evidence of a comprehensive risk assessment and regularly reviewed site security planning.

This is especially necessary on high-value deployments or environments that carry significant dangers. Often incorporated into policies, failure to comply could result in reduced payouts, void coverage, and increased premiums.

Legal regulation, and the obligation a principal contractor has to insurers and clients are the strongest reasons as to why a construction site security risk assessment should take place.

Principal contractors and construction companies have a legal duty of care to protect workers and members of the public. In workplaces with 5+ employees, the production of a risk assessment becomes a legal requirement. With legal obligations and insurer requirements understood, the site security risk assessment is deemed essential.

The site security risk assessment process can be condensed into 5 distinct stages.

1. Identify and log hazards and assets on the site

In the first stage, an identification of the hazards on a site will be considered. Ask the obvious questions. Is the site liable to be a target for intrusion? Is the unrestricted access infrastructure in place likely to contribute to this? If so, identify this as a hazard.

The identification and logging of valuable assets on site is further encouraged. Hazardous materials, inventory, and equipment should be noted if they are compromised due to theft or damage.

Assets can extend to individuals as well. On sensitive projects, internal employees - or those who have left the organisation - may have access to equipment or information that can be used maliciously against an employer.

Risks can be both complex and basic. The importance here is to be thorough and clear as to what potential harm could be caused. Awareness is the first step to addressing any potential before they cause harm.

2. Identify and log risk severity

In the second stage, consideration must be given to the severity of the risks. This is the stage at which a ‘risk rating’ will be allocated and the groups (and sub-groups) of people affected will also be recognised.

This can be a nuanced process. For instance, civil unrest resulting in vandalism, arson, or occupation may be rare, but the damage caused to a site’s operations can be severe. A trip caused by an uneven surface will occur far more often, yet it is unlikely to be fatal or highly damaging and would therefore be deemed to be of a lower risk.

3. Identify and log existing controls with further required actions

The third step is to outline existing controls and record any further actions that are required or recommended. These form the core component of the security risk assessment, and integral to ensure all risks are addressed by action where necessary.

Ensuring target dates for the completion of these further actions is integral to demonstrate that the risk management process is of a critical concern. This transparency can also be beneficial when communicating with insurers.

4. Identify and log the security solutions to be utilised on the site

At this point of the assessment, security solutions will be identified. Utilising the right solutions will ensure that controllable risks are addressed effectively.

For instance, where intrusion is identified as a danger, controls could include secure steel fencing and the establishment of access restrictions like barriers or secure doors. A further action could be to implement fixed CCTV to eliminate any blind spots, alongside a perimeter intrusion detection solution for enhanced detection.

5. Revisit the risk assessment over time

The site security risk assessment is an ongoing process. With every new potential danger that is identified, and with the completion of all further recommended actions, the risk rating must be addressed and reviewed. The recalculation of threat levels will ensure all parties are up to date regarding the security and safety controls implemented on site.

Once the threats on site have been established, the principal contractor or site manager could contact a site security provider to introduce physical solutions to any risks.

The security provider will conduct their own review of the vulnerabilities on site. A survey will consider the perimeter of the project, access points, boundaries, and the site layout.

Intruder detection and access control are the primary concerns for most security providers, as maintaining a strong boundary will deter access to the project and prevent theft and vandalism.

At Safer Group, our approach is led by a construction solutions specialist who pinpoints the critical areas to address during a thorough on-site survey. This process is highly collaborative, with recommendations made that are aligned with your budget and core requirements.

While a typical site security risk assessment will prioritise security first, our full risk mitigation approach allows our solutions to incorporate protection against environmental threats like fire and flooding. If the worst were to occur on site, these can contribute to significant monetary loss and damages.

While the site is of the utmost concern, the local area is also evaluated, with crime trends and reports reviewed to identify the specific risks that are prevalent within the postcode area around the site. This crime analysis can assist in determining the choice of solutions implemented, and the areas that would best suit any chosen technology.

The comprehensive security plan created by our solutions specialist will look to utilise and support the site security risk assessment to ensure all threats are matched by the right solutions.

All individuals operating on site have a responsibility to maintain the safety and security of the premises. This all hinges on the completion of the site security risk assessment, essential to protecting staff, visitors, and those who access the site illegally.

By completing the risk assessment and implementing the correct measures to control or manage risk, both the principal contractor and site manager ensure a project maintains full compliance with legal and insurer needs.

The security provider plays an integral role in ensuring further actions are carried out to cover both risks identified in the assessment, and any further risks identified during the site visit carried out by a specialist. Working together to implement these solutions will protect a project from the most damaging risk factors like intrusion, theft, fire and flood.