A Summary of the Security Risk Assessment Process

As a result of the numerous domestic terrorist attacks and mass killings, I am often asked if these killings are preventable. My response is that the vast majority of security incidents are preventable if organizations would take time to utilize a security risk assessment process to improve safety and security at their facilities. The following is a summary of this process and is in no way intended to address every aspect of a comprehensive security assessment.

Every organization has an obligation to protect employees and visitors while on their premises. To ensure that basic protection is met, a security program is necessary. A security program’s objectives are to deter, delay, detect, deny, respond to and recover from reasonably foreseeable loss events. These objectives are not met by simply installing a burglar alarm and CCTV System. Implementing these security strategies can prove costly and ineffective without first understanding what your security needs are and what you expect security strategies to accomplish. There are basic steps that you can take with assistance from an experienced security practitioner to help you understand just what it is that a security program can do for you and the security strategies needed to help your business protect assets.

Improving Security Using a Risk Assessment Methodology

Conduct a Security Survey

The security survey consists of an on-site examination of your physical protection system which consists of policies and procedures, well trained security personnel, and equipment/technology to ensure that these three components are working cohesively to protect a facility. This survey will help identify vulnerabilities within your physical protection system and operation and will also be helpful when reviewing security strategies to enhance overall security during the risk analysis process. A survey should be done prior to purchasing security equipment or changing an existing security process or system. It is conducted by a qualified security practitioner along with someone familiar with the property and daily operations at your facility.

Form an Ad hoc Safety and Security Focus Team

This safety and security focus team is made up of key department heads familiar with day to day activities of your business and property. This team will work together under the leadership of the security consultant to conduct the security risk analysis. The focus team is not the safety and security team which will be formed later if it does not already exist.

Who should be on this ad hoc safety and security team to assess risk? I recommend a person representing each of Senior Management, IT, Security, Safety, Administrative, Operations, Finance, HR, and Maintenance.

The security risk assessment is broken down into two components: the risk assessment component and the risk management component.

Part A: Risk assessment identifies threats and hazards that could impact critical assets, the probability or likelihood of these threats and hazards occurring and their impact or consequence on the organization. A few examples of threats and hazards that occur at businesses are theft, vandalism, arson, assaults, fire, active shooter and severe weather events.

Prioritize Assets

After the security survey, the safety and security focus team will evaluate and prioritize critical assets requiring protection. Assets are people, property, information and reputation of an organization. When thinking about assets and subsequent harm from a threat, consider the difficulty and cost of replacing damaged or lost assets and the harm and impact that a loss event can have on the reputation of your business. Assets are prioritized in order of value and level of protection needed with people being the most valuable asset.

Identify Threats and Hazards

The next step is to identify threats and hazards that can impact your business. Threats are normally associated with humans and can be either intentional or unintentional (a fire started by accident versus arson committed deliberately), while hazards are associated with nature, such as a hurricane. Following are a few sources to help identify threats and hazards that could occur at your business: 1) Police reports of crimes in your immediate area. 2) Uniform Crime Reports for your municipality. 3) Insurance carrier. 4) Internal reports. 5) Other like businesses. 6) Professional associations. 7) Open source information. We need to be concerned about terrorist attacks, which require an analysis of terrorist groups operating in your area to assess their intent, tactics and capabilities to execute an attack.

Probability of Occurrence

Your safety and security focus team will then decide the likelihood or probability for these threats and hazards to occur. Let’s look at probability of occurrence first. In order to evaluate likelihood, the safety and security focus team will review historical information. A best security practice is to review security incidents occurring in the past two years since recent incidents are a good indicator of future incidents. A few other factors to consider are: 1) Close proximity of your business to an interstate. 2) Isolation of your business. 3) Controversial issues involving your business. 4) Crime, gang activity and other socio-economic factors. Many businesses utilize the CAP Index to help in assessing risk factors. 5) Existing physical protection system. If policies and procedures, technology and well-trained personnel are working cohesively and these strategies are audited and current, the probability of occurrence is lower.

Once your safety and security focus team evaluates this information, each threat can then be ranked on a scale of 1 to 5 with 1 being the least likely to occur and 5 being the most likely. What do you consider a reasonable likelihood for each threat and hazard to occur? If you think after reviewing the aforementioned or other available information that the likelihood is low, then rank the threat or hazard low.

Consequence of Loss

Now your safety and security focus team will consider the impact or consequence that each threat could have on your business. If the impact is considered high, rate it as 5; if it is on the low side, rate it as 1. Consider the value in dollars as well as harm to the reputation of your business when ranking impact. Your team will then rank the impact on others on a 1-5 scale considering the harm to individuals and to the victims. Consequence is impacted by your ability to recover from a loss event, which is aided by maintaining a resilience plan that is updated and practiced as necessary to meet changing threats.

Once probability and consequence of loss scores are totaled across your chart, select cost effective security strategies to prevent or mitigate damage from each threat or loss event with priority focus on the highest ranked threats and hazards, probability of occurrence and consequence of loss. There are only so many resources available so we must have a method to prioritize protection efforts.

Part B: Risk management determines cost effective security strategies to mitigate threats and hazards and reduce vulnerabilities. One security strategy that is often implemented without proper evaluation is the implementation of a CCTV system. While this security strategy may be helpful, an experienced security manager or consultant understands the importance of conducting a security risk analysis prior to adding equipment, services or changing a security process. It is important and necessary to understand what is expected from the implementation of each security strategy. Making change without appropriate analysis may create liability as well as prove ineffective.

Remember, security strategies are designed to mitigate a loss event. When selecting security strategies, you will consider: 1) Implementation cost. 2) Maintenance cost. 3) Attractiveness of asset. 4) The likelihood of the strategy preventing the threat or hazard or mitigating the impact. 5) The cost benefit of the strategy. You would not select a $20,000 strategy to protect an asset from a threat that could cost $500.00 with a low probability of occurrence.
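The scoring chart from Part A and the cost-benefit screen from Part B, worked through as an added example (not part of the original article). All scores, dollar figures and strategy names are constructed; the tie-break on harm to people and the rule "keep a strategy only if it costs less than the estimated loss" are simplifying assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    probability: int       # 1 = least likely, 5 = most likely
    business_impact: int   # 1-5: dollar value and reputational harm
    impact_on_others: int  # 1-5: harm to individuals and victims
    est_loss: float        # constructed dollar estimate for one loss event
    def total(self) -> int:
        scores = (self.probability, self.business_impact, self.impact_on_others)
        if any(not 1 <= s <= 5 for s in scores):
            raise ValueError(f"{self.name}: every score must be on the 1-5 scale")
        return sum(scores)  # scores are totaled across the chart

@dataclass(frozen=True)
class Strategy:
    name: str
    threat: str                 # name of the threat it mitigates
    implementation_cost: float
    annual_maintenance: float

def rank_threats(threats):
    """Highest total first; ties broken by harm to people (an assumption)."""
    return sorted(threats, key=lambda t: (t.total(), t.impact_on_others), reverse=True)

def screen_strategies(threats, strategies, years=1):
    """Walk threats in priority order; keep strategies costing less than the loss."""
    selected, rejected = [], []
    for threat in rank_threats(threats):
        for s in (x for x in strategies if x.threat == threat.name):
            cost = s.implementation_cost + years * s.annual_maintenance
            (selected if cost < threat.est_loss else rejected).append(s.name)
    return selected, rejected

# Constructed sample chart and candidate strategies (illustrative values only).
THREATS = [
    Threat("theft", 4, 2, 1, 5_000),
    Threat("vandalism", 2, 1, 1, 500),
    Threat("arson", 2, 4, 4, 750_000),
    Threat("active shooter", 1, 5, 5, 5_000_000),
]
STRATEGIES = [
    Strategy("CCTV system", "vandalism", 20_000, 0),
    Strategy("inventory audits", "theft", 1_000, 500),
    Strategy("access control and lockdown drills", "active shooter", 40_000, 5_000),
]
if __name__ == "__main__":
    print([(t.name, t.total()) for t in rank_threats(THREATS)], screen_strategies(THREATS, STRATEGIES))
```

The $20,000 CCTV system set against a $500 vandalism loss is rejected, matching the cost-benefit point made above.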


The final and most often overlooked part of the security risk analysis is the maintenance phase.

All too often cameras and alarms are implemented, and procedures are put in place to increase protection, but these systems and procedures are then neglected. An on-going audit and review program to ensure compliance with policies and procedures designed to protect assets, an emergency plan for all major events that could occur, and education and training programs to promote security awareness are essential for the success of any security program and the key is that these actions must be on-going.

How many times do we read that a company or municipality had the best CCTV and/or alarm equipment only to learn that the system was not working! There are many examples, but a striking example was the burglary that occurred at a Paris museum where thieves gained entry and stole several hundred million dollars in art. The burglar alarm had not functioned for nearly six weeks. Unfortunately, a malfunctioning security system is often discovered only after a serious breach of security has occurred.

Resilience Plan

Terrorists want nothing more than to damage or destroy a target so that the facility or organization is unable to return to normal operations over a reasonable period of time. Part of any security strategy should include a resilience plan designed to assist the organization in the recovery process. This plan is designed to help businesses quickly adapt to disruptions of service and regroup by relocating to another facility or relying on other businesses to assist in continuing critical operations until normal services are fully restored.

The aforementioned writing is simply a summary review of a comprehensive methodology to evaluate and mitigate risk. I recommend an easy-read paperback entitled “The Security Risk Analysis Process” by Ira S. Somerson, CPP to obtain a more thorough understanding of this important process.

An important outcome of this process is that the end result is an evaluation of existing security and recommendations of cost-effective security strategies to improve safety and security which are completed by key personnel who are responsible for implementing the results produced rather than outside resources writing the plan with little or no input from the local team.


Jim McGuffey, M.A., CPP, PSP has 50 years of security management experience. He is Board Certified in Security Management, Physical Security, and Investigations. Jim is one of 350 security professionals worldwide holding all three ASIS International Board Certifications in Security, which are accredited by the Department of Homeland Security, International Standards Organization, and the American National Standards Institute. He has a B.A. in Criminal Justice and M.A. in Management and has been a member of A.S.I.S. International since 1981.

His background consists of military, law enforcement and senior level security management. Jim has had responsibility for several thousand armed guards, 1,000 armored trucks and 50 high risk facilities. Since 2012 he has served as a private security instructor for the Department of State Antiterrorism Assistance (ATA) Program, teaching more than 70 antiterrorism courses in the Middle East, Africa, South America, Latin America, Mexico, Indonesia, and parts of Western Europe.

As part of the ATA Training Program, Jim has supervised security risk assessments at the following facilities: Water Treatment Plants, Railway Stations, Bus Terminals, Electric Power Plants, Hotels, Malls, Hospital, Sports Stadiums, Secretary of Energy facility, Secretary of Interior facility, Military Training Centers, Department of Interior facility, National Police Headquarters, a National Control Center for Energy, a Government School (ages 5-18), a Mosque, Churches, a National Art Museum, Airports, a Commercial Shipping Pier, a Police College, an International Expo Center and other critical infrastructures.  

Jim also serves as an expert witness for plaintiff and defense and has been admitted in both Federal and State courts as a security expert. He is often called on by various news media for comments regarding security loss events.

Contact: jimmcguffey37@gmail.com

