Aligning Security with Risk Appetite and Business Strategy

Hospital and health system leaders are grappling with an alarming rise in violence within healthcare facilities. In response, many consider high-visibility measures like metal detectors or AI-based weapons scanners as quick fixes to keep staff and patients safe. It’s an understandable reaction – after an incident or threat, installing a weapons detection system seems like a tangible action to “do something.”

However, a growing body of evidence and expert experience suggest that simply buying the latest weapons detection technology is not a panacea. In fact, relying on technology alone can create a false sense of security while introducing new operational challenges. The reality is that true safety comes from a holistic approach grounded in a clearly defined risk appetite and aligned with the organization’s broader business strategy. Technology should be the outcome of this strategy, not the starting point.

The False Sense of Security in Standalone Detectors

It’s a misconception that weapons screening devices by themselves will stop violent incidents. Workplace violence in healthcare is complex, and most incidents do not involve a firearm or knife at all.

Technology can catch weapons, but it can’t prevent violence on its own. Nor can it replace the fundamentals of a well-designed security program.

In a recent multi-facility pilot conducted by a large healthcare system:

• Several weapons were intercepted at emergency department entrances.
• One advanced, AI-based detection system missed more contraband than traditional walk-through metal detectors.
• Some high-traffic facilities experienced bottlenecks, especially during afternoon and evening peaks.
• Staff members were often not required to pass through screening, creating inconsistent enforcement and potential vulnerabilities.
• Screening of bags carried by entrants was sometimes inconsistent, particularly when lines had formed.
• The interconnected layout of hospital campuses allowed individuals to bypass screening entirely by entering through unsecured or unmonitored access points.
• Staff and patients generally reacted positively to the screening, but it became clear that the tools alone weren’t enough.
• To the best of everyone’s knowledge, no attacks were stopped. And most of the individuals carrying weapons weren’t acting with malicious intent.

The takeaway: Technology can enhance safety, but it cannot guarantee it—especially when implemented in isolation.

Calibrating Risk Appetite Before Jumping to Solutions

One of the most overlooked steps in security planning is the definition of risk appetite—the level and types of risk leadership is willing to accept in pursuit of operational continuity, staff safety, and patient trust.

In the pilot referenced above, the health system aligned its strategy to a “risk reduction” model:

• They acknowledged that zero-risk environments are unrealistic.
• They prioritized data-driven decision-making to reduce risk where it was highest.
• They chose selective deployment over system-wide implementation.

That clarity guided all subsequent actions: staffing plans, policies, communications, and technology procurement.

Without this clarity, hospitals often default to reactive spending—purchasing tools that look good on paper but don’t align with the mission, layout, or workflows.

The Risk/Reward Tradeoffs Inherent in Any Security Decision

Every security measure comes with tradeoffs. Understanding those tradeoffs—and evaluating them through the lens of risk appetite—is essential to making smart, sustainable decisions.

Examples of common risk/reward tensions:

• Open access vs. controlled entry: Bottlenecks at emergency department entrances may improve safety but reduce patient throughput.
• Staff perception vs. patient experience: Employees may feel safer with visible screening, but visitors may feel surveilled or unwelcome.
• Technology cost vs. operational value: A high-end scanner might offer advanced features, but still underperform in real-world detection compared to lower-cost options.

In the pilot example, staff appreciated the new safety measures, but leadership had to reassign personnel to manage patient flow during peak screening times. They also discovered that AI-driven tech missed multiple weapons, raising concerns about over-reliance on unproven tools.

The takeaway: security investments must be proportional to risk, tested under real conditions, and balanced against patient care priorities.

Aligning Security with Business Strategy and Values

Calibrating risk appetite is not a theoretical exercise – it directly ties into the hospital’s business strategy and values. For instance, if an academic medical center’s strategy emphasizes being a welcoming, patient-centered campus, that needs to be weighed in security planning. On the other hand, if a system is branding itself as having “the safest hospitals in the region,” that might warrant more visible, stringent security measures as part of the brand promise. The point is that security strategy should support and reflect the overall business strategy, not work against it.

Technology should come last, after the organization has clarified its risk posture and business strategy.

Before investing in detection systems, leadership should ask:

1. What level of risk are we trying to eliminate, reduce, or accept?
   Align security strategy with that appetite, not with market trends or media pressure.
2. Where does the risk live?
   Use data—incident reports, emergency department walk-in volume, and local crime—to identify specific facilities or departments for targeted deployment.
3. What are we willing to trade to reduce that risk?
   Slower entry? Higher labor costs? Reduced patient satisfaction? These are real operational impacts, and leadership must agree on acceptable thresholds.
4. Does this align with our mission and brand?
   A hospital that prides itself on a welcoming, healing environment must carefully balance safety measures with patient trust and experience.

Hospitals that start with these questions will choose smarter, more sustainable technologies—and avoid unnecessary spending on systems that don’t fit their environment or goals.

How Executive Leadership Must Co-Own Security Planning

Security is no longer just a facilities or compliance issue. It touches operations, legal exposure, patient satisfaction, clinical workflow, and brand reputation.

That means hospital security strategy must be co-owned by the C-suite, including:

• Chief Executive Officer: Aligns safety with business strategy and values.
• Chief Legal Officer: Addresses liability, regulatory requirements, and search policies.
• Chief Human Resources Officer: Leads workforce safety, training, and cultural change.
• Chief Operating Officer and Chief Nursing Officer: Manage workflow, staffing, and patient experience.

In the pilot we observed, this kind of leadership alignment made all the difference. After early results showed operational friction and technology gaps, executives adjusted its implementation and shifted toward a tiered, risk-based approach that included:

1. People: Expanded 24/7 police presence and trained officers at high-risk entrances.
2. Process: Clear wanding protocols, revised search policies, and consistent escalation procedures.
3. Technology: Selective deployment based on volume, incident history, and local crime data.

Because the risk appetite was agreed upon—and leaders owned their respective roles—this approach delivered real, measurable value.

Final Takeaway: Technology Is the Outcome, Not the Starting Point

Hospitals do need to act. The risks are real. But action doesn’t mean racing to install expensive technology in the hope that it will solve a complex, systemic problem.

Instead, the path forward is clear:

• Define your risk appetite.
• Align leadership on your priorities and tradeoffs.
• Design policies, staffing models, and escalation plans.
• Then, and only then, implement technology—strategically, not reactively.

When security is treated as a strategic function—owned by leadership and integrated across the organization—it becomes more than a protective measure.

It becomes a competitive advantage. A reason patients trust your care. A reason staff stay.

‍