With the team assembled and the methodology established, the work began. The team began conducting a gap analysis to identify those areas in the existing program that needed to be enhanced to meet the standard. “It is difficult to get where you’re going if you don’t know where you are,” explains Arenovski. “We needed to identify what we thought we had, what we knew we had, and then what we needed to have.”
A key point the team needed to understand before beginning the gap analysis, however, was how items were organized in the standard. The standard uses the terms “can, may, should, shall.” These key terminologies were used throughout the process to determine which items were required and which were recommended or optional. For example, if the standard said “training shall be conducted,” the team members knew this was critical. If the standard said “training can be conducted,” that item was optional.
Security set up shared documents for the team in SharePoint. The main document was an Excel worksheet. Each line of the standard was given a field on the worksheet. This allowed team members to easily identify which line was currently under discussion and to see which section of the standard it was tied to. “The gap analysis needs to become a living document in order to keep improving the program,” says Faber.
Within the gap analysis, we color coded the lines to identify who completed the section. For example, security might be represented by light blue and HR by light green and so on. “This was helpful because we could identify and sort by domain or section to review progress and open items. We knew who was involved and which items each group identified as a gap,” says Arenovski.
Each section of the standard identified with a gap was represented by a line in the spreadsheet. That line spread across columns that provided answers to questions such as, “Was there a gap?” “Who is the Stakeholder?” “What is needed to fill the gap?” “What training will be required?” and so forth.
For example, a line in the gap analysis might deal with terminations. Since terminations cross several domains (Security, HR, General Counsel), those would be represented individually on different lines, each having their own conclusions. The gap analysis would then be reviewed and discussed and possibly a single solution would be chosen.
The next column was used to indicate, based on the answers from departments, whether there was a procedure in place. For example, on conflict resolution, a line of the standard dealt with training security officers to deal specifically with a workplace incident that could potentially turn violent. Security was not trained to deal with these issues on the scene so this column would indicate that there was no procedure in place.