Every catastrophic failure begins long before headlines, lawsuits, or public outrage.
It starts in a quiet conference room where someone looks at a spreadsheet and decides that safety is “too expensive.”

In my work as an expert witness, I am brought in after something has already gone terribly wrong—after people are hurt, after organizations are facing lawsuits, and after leadership is wondering how it all went so far off the rails.

What I see, over and over again, is that security is almost always the last line item on the budget. It is treated as a negotiable expense instead of a non‑negotiable responsibility. That decision is where failure really starts.

When Safety Becomes a Cost Instead of a Duty

Catastrophic failure doesn’t begin with chaos. It begins with a quiet decision to treat safety as an expense instead of a responsibility.

On paper, it sounds reasonable:

• “We’re tightening the budget this quarter.”

• “We haven’t had an incident in years—do we really need this level of security?”

• “We’ll revisit this next fiscal year.”

Nothing about those statements feels reckless in the moment. In fact, they often sound prudent, even responsible. But the problem is this: when prevention is reduced to a budget line item, risk does not disappear. It accumulates.

You’re not eliminating risk; you’re deferring it.
You’re not saving money; you’re shifting the cost to a later date—when it will be far more expensive, far more public, and far more painful.

Security Doesn’t Fail All at Once

We like to imagine security failures as dramatic, sudden events—an attack, a breach, a crisis that erupts out of nowhere.

In reality, security rarely fails in a single moment. It erodes gradually through a series of compromises that each feel rational at the time.

• A position goes unfilled “for just a few months.”

• Training is postponed because “everyone’s too busy right now.”

• A system upgrade is delayed because “it’s not in this year’s budget.”

• A policy is relaxed because “we trust our people and don’t want to overreact.”

None of those decisions, taken alone, feel like negligence. They feel like trade‑offs.
But risk doesn’t care how rational your justification sounded in the meeting.

Each small compromise widens the gap between what should be happening and what actually is. Over time, that gap becomes the space where bad things happen.

The Hidden Cost of Cutting Safety

Organizations do not save money by cutting safety.
They defer accountability.

Eventually, the unpaid bill shows up in one of three forms:

• Lives

• Lawsuits

• Or both

When something goes wrong—an assault on a property, a preventable shooting, a major workplace incident—the question is never just “What happened?”

It quickly becomes:

• “What did leadership know?”

• “What should they have done?”

• “What reasonable steps did they choose not to take?”

And this is where the earlier “cost savings” decisions come back with interest.

The legal system, the media, and the public will all ask:
Was this risk foreseeable?
Were reasonable measures available?
Did the organization choose not to implement them to save money, time, or inconvenience?

When the answer is yes, that cost is no longer a line item. It’s a verdict.

Foreseeable Risk vs. “We Didn’t Know”

One of the most common defenses I hear is, “We had no idea something like this could happen.”

But in many cases, that simply isn’t true.

• There were prior incidents on or near the property.

• There were internal reports, complaints, or observations about unsafe conditions.

• There were known vulnerabilities that had been discussed but not addressed.

In threat management and security, foreseeability is a key concept.
If a reasonable person in your position could anticipate the risk, then you are expected to act on it.

Choosing not to invest in appropriate security measures doesn’t erase the risk.
It documents your decision not to address it.

How Risk Accumulates Inside Organizations

Think of risk like water behind a dam.

No single crack is catastrophic by itself.
But every ignored leak, every postponed repair, every “we’ll get to it later” conversation adds pressure.

Inside organizations, risk accumulates through:

• Outdated policies that don’t reflect current threats or realities

• Understaffed security teams stretched beyond reasonable capacity

• Lack of training for front-line staff who are the real first responders

• Poor communication between leadership, legal, HR, and security

• Complacency after long periods without visible incidents

From the inside, it feels like business as usual.
From the outside—especially after an incident—it looks like a pattern of neglect.

The Illusion of “We’ve Been Fine So Far”

One of the most dangerous beliefs in any organization is:
“We’ve done it this way for years and nothing bad has happened.”

That statement confuses luck with safety.

• Just because no one has slipped yet doesn’t mean the floor isn’t wet.

• Just because no one has attacked yet doesn’t mean your access points aren’t vulnerable.

• Just because no incident has been reported doesn’t mean there is no problem.

Most systems under stress don’t fail instantly.
They fail after a long period of silent strain.

If your justification for cutting security is “nothing’s happened yet,” what you are really saying is:
“We’re betting our people’s safety and our organization’s future on luck.”

That’s not strategy. That’s wishful thinking.

Responsibility Lives at the Top

Security failures are often blamed on the last person in the chain—the guard on duty, the employee on shift, the contractor at the door.

But the real origin of failure is rarely at the perimeter.
It’s in the boardroom.

Leadership sets:

• The priorities

• The budgets

• The policies

• The culture around safety

If safety is framed as a burden, a nuisance, or an obstacle to productivity, that message filters down.
If security is framed as integral to operations and duty of care, that message filters down too.

You can’t expect front-line personnel to prioritize what leadership treats as optional.

From Expense to Obligation: Reframing Security

To reduce catastrophic risk, organizations must reframe how they think about security.

Security is not:

• A luxury to add when times are good

• A checkbox to satisfy insurance or compliance

• A “nice to have” if the budget allows

Security is:

• A core operational function

• A legal and ethical duty to those in your care

• A direct reflection of your organization’s values

When you make that shift—from expense to obligation—you start asking different questions:

• “What risks are we responsible for managing?”

• “What level of protection is reasonable given those risks?”

• “What would we be expected to explain or defend in court after an incident?”

Those are uncomfortable questions.
But they are far less uncomfortable than the consequences of never asking them.

Practical Steps: Building a Culture That Prevents Failure

Moving from reactive to proactive doesn’t require fear—it requires structure.

Here are practical steps leadership can take:

1. Conduct a realistic risk assessmentBring in qualified professionals to evaluate your current security posture, foreseeable threats, and existing vulnerabilities. Not a box‑checking exercise—an honest assessment.

2. Align security with mission and valuesMake clear, in writing and in practice, that safety is non‑negotiable. Tie security standards to your duty of care, not to quarterly convenience.

3. Invest in training, not just hardwareCameras and access control systems are tools. People are the operators. Without training, policies, and clear expectations, technology alone will not save you.

4. Create clear reporting pathwaysEncourage employees and customers to report concerns early. Make it simple, safe, and stigma‑free to say, “Something feels off.” Early reporting is one of the most powerful forms of prevention.

5. Review incidents and near‑misses honestlyTreat near‑misses as gifts, not annoyances. They are early warnings that allow you to correct course before someone gets hurt or a lawyer gets involved.

6. Protect the budget for preventionBuild security into your operational baseline so it can’t easily be slashed when times get tight. Cutting prevention is the most expensive “savings” you will ever find.

The Real Question: What Will It Cost You If You Don’t?

Every organization has a budget. Every leader feels pressure to reduce costs.
But some cuts are different.

When you cut security, you are not trimming fat—you are removing structural support.

The question is not, “Can we afford security?”
The real question is, “Can we afford the consequences of not having it?”

Because in the end, catastrophic failure is not an accident.
It’s the final chapter in a series of quiet decisions to treat safety like a number on a spreadsheet instead of a responsibility to human beings.

That’s where failure starts.

From a threat assessment and security perspective, understanding how risk develops is everything. In negligent security cases, one legal framework continues to define whether a crime was predictable or not—and ultimately, whether a property owner is held liable.

That framework comes from a landmark Texas Supreme Court case: Timberwalk v. Kane.

What Determines Liability After a Violent Crime?

Why do some apartment shootings lead to million-dollar lawsuits while others don’t?

The answer isn’t just that a crime occurred. It’s whether that crime was legally foreseeable.

Foreseeability is the standard courts use to determine if a property owner should have anticipated the risk and taken action. If the answer is yes, liability follows.

The Timberwalk Framework

In 1998, the Texas Supreme Court established five key factors that define foreseeability in negligent security cases:

• Proximity

• Recency

• Frequency

• Similarity

• Publicity

Individually, these factors provide insight. Together, they create a powerful framework for identifying patterns of risk.

And those patterns matter more than most people realize.

Violent Crime Follows Patterns

One of the biggest misconceptions about violent crime is that it’s random.

It’s not.

Violent crime tends to emerge where opportunity and vulnerability intersect. When you analyze incidents over time, patterns begin to form—patterns that signal increasing risk.

The Timberwalk factors help make those patterns visible.

Breaking Down the Five Factors

Proximity

Proximity asks a simple question: where did prior crimes occur?

Incidents that happen on the property itself—inside units, in parking lots, or common areas—carry significant weight. Once violent crime enters the environment, the likelihood of future incidents increases dramatically.

Recency

Recency focuses on timing.

A crime that occurred years ago may not carry much weight. But incidents that occurred weeks, days, or even hours earlier point to an active and ongoing risk.

Recent activity signals that the threat is current—not historical.

Frequency

Frequency reveals patterns.

A single incident might be dismissed. Multiple incidents are harder to ignore. Repeated acts of violence suggest the property is becoming criminogenic—a place where crime is more likely to occur.

Similarity

Similarity examines the type of crime.

If prior incidents closely resemble the current event—such as repeated gun-related violence—they become highly relevant. They demonstrate that the specific danger was already present.

Publicity

Publicity addresses awareness.

Did the property owner know, or should they have known?

Evidence like police reports, tenant complaints, incident logs, and internal communications can establish “notice.” And once notice is established, responsibility becomes much harder to deny.

When Warning Signs Become Liability

Consider a scenario where residents report hearing gunshots outside their apartment. Police respond. The incident is documented. No one is injured.

On its own, it might seem insignificant.

But through the lens of Timberwalk, that same event becomes critical. It establishes proximity, recency, similarity, and publicity—all at once.

It becomes a warning sign.

And when warning signs are ignored, they don’t disappear. They compound.

The Real Risk Isn’t the Incident

The real risk isn’t just the violent act itself.

It’s the pattern leading up to it.

When those patterns are visible—and documented—property owners are expected to respond. Failing to do so can transform a preventable situation into a legal and financial disaster.

Why This Matters

For security professionals, property managers, and anyone responsible for safety, the takeaway is clear:

Risk rarely appears without warning.

The question isn’t whether the signs exist. It’s whether they’re recognized—and acted on—before it’s too late.