Casino Risk and Vulnerability Assessment: The Foundation of Critical Incident Response

by David Vialpando

The world today, both natural and manmade, can be volatile and unforgiving in the damage and grief it can wreak when disaster strikes. As the tragic loss of life on May 1, 2021 at the Radisson Hotel and Conference Center in Ashwaubenon, WI illustrates (part of the Oneida Casino complex), the casino gaming industry is not immune to the unprovoked and all too frequent violence plaguing communities across our country. We must be prepared to effectively respond to not only active shooter incidents and acts of human violence, but also to protect casino patrons, visitors, and employees in case of fire, explosion, chemical exposure, extreme weather, and infectious disease exposure. The foundation for cogent response is a thorough and informed casino risk and vulnerability assessment process.

Casinos and Tribal Gaming Regulatory Agencies (TGRAs) employ the risk assessment process in a variety of gaming processes, from money laundering and financial crime, to cyber threats and IT vulnerability. Risk and vulnerability assessment for critical incidents should be designed to answer the same overarching questions as other types of risk assessment:

• What are the ruinous events that could affect our casino?

• What is the likelihood of these events occurring at our casino?

• What can we do now to mitigate damage and harm?

• How effective will we be in responding to catastrophe?

• How quickly can we recover and return to normal operation?

Who Should Conduct the Risk and Vulnerability Assessment?

The risk and vulnerability assessment team should be led by qualified individuals from the department charged with the safety and security of the facility. This can be the casino security department or tribal law enforcement agency. Qualified individuals are those who have received specialized training in risk/hazard assessment or personnel holding board certified credentials, such as the ASIS Certified Protection Professional certification.

The risk and vulnerability assessment team should be composed of management or mid-management representatives from various casino departments, including administration, facilities, surveillance, and operations. Including those who work outside the casino departments under evaluation as part of the evaluation team can bring a fresh perspective. Representatives from the TGRA or TGRAs from other jurisdictions can fill this role.

The team should also include professionals from outside agencies likely to respond, in case of a critical incident, such as tribal, local, state, and federal law enforcement, emergency response and medical services personnel, local utility representatives, disaster service personnel (such as the local Red Cross), and tribal government representatives.

Where to Start

A comprehensive risk and vulnerability assessment begins with an evaluation of the governing documents outlining processes, policies, and procedures that will be applied in any critical incident. These include the casino’s policies and procedures, emergency response plan, disaster recovery plan, TGRA regulations, critical incident response protocols, and gaming ordinance.

The team should evaluate the casino’s critical incident coordination protocols with local emergency response agencies (law enforcement, fire, and emergency medical). This evaluation presents an opportunity to review and update point of contact information. The time to discover change in a critical contact number or the location of the nearest trauma center is not when a critical incident occurs.

Facility Risk and Vulnerability Assessment

The team should be divided into designated facility review units charged with conducting a physical facility risk and site safety assessment utilizing a pre-designed risk assessment matrix specific to the casino. The elements listed below should include the casino, lodging facility, restaurants, recreation amenities, and event facilities/conference centers. Assessment areas include examining the following:

Casino Management: threat awareness/threat mitigation plan; emergency communication plan; records management protocols; directives to casino departments and middle managers; post-critical incident protocols; risk management unit/procedures; TGRA emergency response responsibilities; incident command system procedures; and disaster recovery and continuity protocols.

Security Protocols: access controls and key/card management; intrusion detection; security resources; policies and procedures; emergency response protocols; codes and contingencies: panic alarms, designated safe rooms, designated escape routes, theft and damage controls, fire protection system, fire detection system, sprinkler/ suppression system, emergency responders; suspicious package and device disposition procedures; cash vault and  gaming assets controls; medical service resources; vehicle controls and traffic management; and shelter-in-place emergency equipment and supplies.

Surveillance Department: risk/vulnerability detection protocols; emergency response procedures; law enforcement/public safety coordination protocols; reporting structure and emergency notification procedures; and specialized emergency response and communication training.

Facility Engineering: HVAC system; fire control system; electrical infrastructure; gas and oil resources; chemical storage; water storage/supply; exterior lighting; perimeter fencing/barriers: facility and building access points, loading dock/receiving operations; grounds maintenance: landscaping and shrubbery (obstructions/ hazards), debris, environmental hazards; transportation resources; and equipment safety (lock out/tag out).

Training Evaluation: management training; supervisory training; all-staff training: workplace violence prevention, stress recognition and intervention, employee assistance resources; FEMA training: active shooter, emergency planning, Incident Command System (ICS), disaster recovery, inter-agency training, specialized training, and records management.

Neighborhood Public Safety Issues: local crime statistics and offender types; international or cross border concerns; law enforcement coordination protocols; casino crime and public safety data; casino patron safety concerns; public safety concerns identified by visual inspection of property and surroundings; weather and environmental event trend data.

Casino Staff Interviews

The risk and vulnerability assessment team should conduct line staff interviews to elicit input regarding perceived threats and suggestions for improvement in threat response readiness. Areas of inquiry during these interviews might include level of threat awareness/readiness, safety concerns, personal emergency response plan, and military, law enforcement, and medical experience.

Risk and Vulnerability Assessment Data Analysis

Once the assessment has been completed, compiled information should be analyzed to determine the actions or changes required to address identified risks and vulnerabilities. The analysis should be focused on identifying the cause of adverse events, factors creating risk and the effectiveness of risk treatment. The analysis should identify individuals or groups associated with threat, control of risk, and/or impacted by risk. Identifying the source of risk and determining how adverse events can happen should be an element of the analysis.

The analysis should not only cover what might occur, but also determine when and where adverse events are likely to occur. Determining the likelihood and potential consequences of adverse events provides policy makers with valuable information upon which to make informed decisions.

The following risk analysis rating system matrix can be used to quantify identified risks, hazards, and critical incidents.

Probability of Risk

Consider conducting an analysis of the impact of identified potential critical incidents and disasters. Analyzing impact in the following areas can provide casino management with the information necessary to determine the proper course of action.

Human – physical and psychological harm to employees, patrons, visitors, and vendors.

Physical Asset – property loss and replacement costs.

Information – loss of confidential, proprietary, or personal information.

Financial – lost business from suspension of operations, loss of market share, lawsuits and legal costs, regulatory fines and penalties, overtime and unplanned costs related to event recovery.

Reputational – diminished safety confidence by patrons, employees, and the public.

Community/Societal – direct impact on the tribal community and indirect impact on the regional economy.

Environmental – damage to the health of the environment.

Presentations of Findings and Recommendations

The risk and vulnerability assessment process is complete only when the information gathered by the risk and vulnerability assessment team has been compiled into a complete and cogent document summarizing the team’s findings and recommendations for presentation to management. A suggested outline for the presentation of this information should include an executive summary, identified risks and areas of vulnerability, recommended prevention and mitigation procedures, recommended response procedures, recommended continuity procedures, and recommended recovery procedures.

A risk and vulnerability assessment is usually conducted annually, in conjunction with the casino’s critical incident response training presented to casino staff. If the training also involves practical exercises designed to refresh critical incident response, the risk and vulnerability assessment team can evaluate the effectiveness of various emergency response protocols and systems, such as communication and coordination processes. The risk and vulnerability assessment team should consider analyzing critical incidents that occur across the country, particularly those impacting gambling facilities, to cull lessons learned from the tragedies experienced by others.

Training casino security, compliance, risk management, and TGRA regulatory staff in risk assessment and vulnerability identification extends an annual process into a daily task of identifying conditions within and surrounding the casino that pose a hazard or danger. These hazards may be as seemingly mundane as equipment or gaming devices blocking back-of-the-house hallways preventing expedient evacuation, exterior kitchen doors propped open for fresh air, or burned-out parking lot bulbs creating dangerous areas at night. The observed risk may be disgruntled employees or patrons displaying troubling behavior. 

An effective risk and vulnerability assessment process is both a responsible business practice and a commitment to safety  patrons and employees expect. As Benjamin Franklin once said, “An ounce of prevention is worth a pound of cure.”  

David Vialpando is Executive Director of the Pokagon Band Gaming Commission and Vice-Chairman of Tribal Gaming Protection Network. He can be reached by calling (269) 926-5485 or email [email protected].