The Weakest Link In Your Security Process Is...

By Brittany Dodds

Effective security processes require constant updates to combat the rapid evolution of malicious technology and ever-expanding range of threats. This truth may be evident to every federal security executive out there, but the appropriate response may be less clear.

We’ve already touched on how to tackle process improvement projects (see our previous post, "A Simple Approach to Process Improvement That Works Every Time"), but the inherently high-risk nature of federal security requires an extra layer of defense. Enter the Failure Mode Effects Analysis (FMEA).

If you’ve ever worked in manufacturing, FMEA may be a familiar practice. This tool, originally designed by NASA and popularized by the automotive industry, plays a key role in helping manufacturers achieve extremely low error rates. After all, if errors aren’t caught in the design of spacecraft and brake systems, lives are at risk. To achieve similar results, you should think of your security functions as processes and also apply FMEA to prioritize valuable resources towards fixing those areas most likely to fail with the worst consequences.

The beauty of this tool is in its unique ability to help leaders think about all the potential failures inherent to their processes or product designs. Unlike the typical off-the-shelf approach to quality assurance (endless reviews and rework), FMEA enables leaders to methodically:

  • Brainstorm potential failures
  • Evaluate the severity and likelihood of failures
  • Determine the effectiveness of corrective actions in detecting failures
  • Identify appropriate measures to mitigate and prevent failure

How Does FMEA Work?

First, break your process up into discrete steps and list each step out in the order that it is performed (a SIPOC or Value Stream Map exercise will help you get to this point). For each step, brainstorm all of the potential ways that the step could fail; these are called "failure modes".

For example, consider the background investigation process. One step might be to enter an individual's social security number into a database to check for felony charges. Potential failure modes might include: making a typo, the database being offline, the database being outdated, or an employee forgetting to enter the data altogether. 

Next, think about the potential impacts of each failure mode occurring. Continuing with the previous example, if the employee makes a typo, they may overlook felony charges and grant a security clearance to a dangerous individual. That individual could steal or leak classified information, sabotage government property, or cause other grave harm to national security. Additionally, the organization conducting the background investigation would come under scrutiny if an incident occurred and it was discovered that they made this error. Go through this thought process for each failure mode.

Brainstorm the various potential causes of failure, as well as the current controls and procedures that prevent either the cause of the failure mode, or the failure mode itself. Then, assign a rating (typically on a scale of 1-5 or 1-10) to each failure mode to describe:

  1. The severity of the potential effects of each failure mode
  2. The likelihood that each failure mode will occur, and
  3. The likelihood that each failure mode will be detected when it occurs.

Multiplying all three ratings together generates a Risk Priority Number (RPN) for each failure mode. As the name suggests, an RPN tells you the relative risk of each failure and provides an objective basis on which to prioritize areas for immediate action.


Expert Tip: By revisiting the plan after implementing any actions to mitigate future risk, the FMEA becomes a living document that demonstrates change (or lack of change) over time. Leaders can use this information to clearly see which corrective measures have been most successful and which haven’t, ultimately improving the quality assurance system over the long term.
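The RPN ranking and the re-scoring described in the Expert Tip can be worked through on the background-investigation step. This is an added example, not part of the original post: the ratings and the double-entry corrective action are constructed for illustration, and the detection rating is assumed to follow the usual FMEA convention in which a higher number means the failure is less likely to be caught.

```python
from dataclasses import dataclass

SCALE = range(1, 11)  # the 1-10 scale; the article also allows 1-5

@dataclass(frozen=True)
class FailureMode:
    step: str
    mode: str
    severity: int    # 10 = gravest effect
    occurrence: int  # 10 = almost certain to happen
    detection: int   # 10 = current controls almost never catch it (assumed convention)

    def __post_init__(self):
        for name in ("severity", "occurrence", "detection"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be 1-10 for {self.mode!r}")

    @property
    def rpn(self) -> int:
        return self.severity * self.occurrence * self.detection

def rank(worksheet):
    """Highest RPN first; ties broken by severity, then by weakest detection."""
    return sorted(worksheet, key=lambda f: (f.rpn, f.severity, f.detection), reverse=True)

def rpn_change(before, after):
    """Map each failure mode to (old RPN, new RPN, delta) after a re-score."""
    old = {f.mode: f.rpn for f in before}
    return {f.mode: (old[f.mode], f.rpn, f.rpn - old[f.mode]) for f in after if f.mode in old}

STEP = "Enter SSN into database to check for felony charges"
# Constructed ratings for the article's four failure modes (illustrative only).
BASELINE = [
    FailureMode(STEP, "typo in SSN", 9, 4, 8),
    FailureMode(STEP, "database offline", 3, 3, 1),
    FailureMode(STEP, "database outdated", 9, 3, 9),
    FailureMode(STEP, "data never entered", 9, 2, 6),
]
# Re-score after a hypothetical corrective action: double-entry of the SSN,
# which improves detection of typos but leaves the other modes unchanged.
REVISED = [FailureMode(STEP, "typo in SSN", 9, 4, 2), *BASELINE[1:]]

if __name__ == "__main__":
    for f in rank(BASELINE):
        print(f"{f.rpn:4d}  S={f.severity} O={f.occurrence} D={f.detection}  {f.mode}")
    for mode, (old, new, delta) in rpn_change(BASELINE, REVISED).items():
        print(f"{mode}: {old} -> {new} ({delta:+d})")
```

With these ratings the database outage scores lowest despite being the most visible failure, because it is noticed immediately; the silent failures (a typo, stale data) dominate the ranking.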

I’ve never used FMEA, so why do I need it now?

As the risk associated with security threats continues to escalate, federal security execs can no longer get away with simply piling new steps onto existing processes. This approach has never been effective, but that probably hasn’t stopped most managers from adopting this Band-Aid approach at one time or another. When the stakes are low, this might hold the organization over temporarily, but...

With time, your teetering tower of Band-Aid solutions will topple over if you don’t re-think your approach.

As organizations are increasingly forced to re-design their security processes to accommodate expanding requirements (without expanding budgets), FMEA becomes more than just a great tool to think about quality assurance. It becomes an imperative step to ensure that critical safeguards aren’t mistakenly identified as waste and thrown out in the re-design process. By identifying the problems associated with proposed solutions before diving into implementation, organizations can eliminate many of the risks traditionally associated with security transitions.

If you’ve never used FMEA to analyze your process as a whole, now is the time to learn how to use this valuable methodology. Instead of exposing your organization to unnecessary (and potentially catastrophic) liabilities, use FMEA to add an extra layer of insurance: security for your security program.
