There was a time when a construction company’s assets could all be loaded into the back of a truck. Jobs were “simpler” and plentiful. As the industry has expanded and matured, this has changed dramatically. From small specialty contractors to large general builders, the variety of assets and the cost of these assets have grown exponentially. Nowadays, contractors spend tens and hundreds of thousands of dollars on field equipment and office technology. It is simple to take a piece of field equipment and chain it, lock it, or hoist it in the air. Question is, what about the “invisible” assets?


Some of the most valuable items companies own are their client lists, contact names, past projects and the software that manages all of this intellectual property on the business’ behalf. These are out of sight and often out of mind when it comes to assessing risk and taking steps to protect a company against loss, but they are crucial because they set the company apart. Failure to adequately safeguard these assets could compromise a company’s chance of survival, especially in an adverse economic climate.

The internet compounds the risks as information is shared and accessed from locations outside the office or the network. While the digital world promotes connectivity with clients and suppliers by allowing firms to share documents and communicate between themselves, it also increases the possibility of breaches and theft. This vulnerability requires construction firms to implement policies and processes that extend security across the work site and the office to ensure protection of both physical and intellectual assets.

First Step

The risk management process for construction firms begins by identifying the steps involved: assessment, mitigation, and monitoring and reporting. Assessment is the first step for companies. It allows them to identify and evaluate vulnerabilities and potential areas of exposure to the business, whether the risk is physical, intellectual or technological.

Areas for assessment include business processes such as, auditing the existing administrative policies, adequately training employees and reviewing security oversight processes. Often, contractors know to implement some level of computer access security, such as procedures for passwords, backup and recovery, and network virus/malware protection. This focus is centered on the external theft or attack, but what if the unthinkable happens and a theft or attack occurs from the inside?

Following an assessment of business practices and technologies, which includes working with current employees to identify process opportunities, businesses move to the mitigation stage. This refers to developing risk management procedures that will proactively reduce and eliminate vulnerabilities on an on-going basis. Assessment and mitigation need to be supported and sustained by monitoring and reporting policies that are conducted on a regular, scheduled basis and are under constant review. Having safeguards in place will ensure companies are alerted to any potential discrepancies, breaches or dangers. Are passwords changed when employees leave? Does the contractor know who is accessing the applications that house their contacts and their projects? If people walk out the door with copies of the software, can they still use it even after they are no longer employed by the company? 

Part 2 of the series will cover how to hurdle the challenges by implementing controls in order to access and track information about data usage in real time.