There are two types of security risk assessments, the general and the specific. A general security risk assessment should be conducted for family offices, HNWIs, corporations, private aviation departments, and VIPs every 1-2 years. Specific security risk assessments are recommended when company personnel are traveling to a foreign country, or when a VIP is planning to speak at a public event. Attempting to allocate security resources without a proper risk assessment is akin to driving without your lights on at night; you might arrive safely, but only by pure chance.
There are three primary steps to assessing risk: identification of assets, identification of threats, and identification of vulnerabilities. Secondary steps include weighing impact (criticality) and calculating the probability of threat occurrence. Following the risk assessment, a security plan is developed, which focuses resources on the most critical and most probable threats. Once a security plan is in place, it must be tested through a function called red-teaming.
During the initial stage of a security risk assessment, people and things (buildings, aircraft, information, etc.) are identified. This ensures the risk assessment is grounded in proper context and that boundaries are set, limiting the scope to realistic proportions.
During the threat identification stage, things that have the potential to harm the protected assets are recognized. Examples of threats include stalkers, street crime, natural disasters, car accidents, package bombs, and digital intrusion.
Vulnerabilities are situations that allow threats to have an impact on assets. A threat without a vulnerability linked by time and place is irrelevant. An example of a vulnerability is a protectee's unattended vehicle parked in a space labeled "CEO".
Security Plan Creation
After the initial security risk assessment is completed, preventative and emergency operating procedures are created to close vulnerabilities and avoid threats. This is where Intelligence-Based Security Methodology℠ plays a key role.
Red Team Testing
Once the security plan has been implemented, red team testing must be conducted. Red team testing serves two very important purposes. First, it gives the security plan a reality check, to ensure it actually functions as designed. Second, it reminds security personnel that even if the occurrence of a real threat event is a rare one, audits are conducted more regularly, leaving no room for complacency.