
Security Risk Assessment Explained: Process, Output, and Application
A risk assessment drives every decision in a security programme. James Whitfield explains the methodology, the output, and what corporate clients should expect.
Written by James Whitfield — Senior Security Consultant
Every professional security programme starts with an assessment. A close protection team, an event security plan, a residential security arrangement – all of these are outputs of a process that begins with understanding the specific threats, the specific vulnerabilities, and the specific consequences that the security measures need to address.
Without that assessment, security decisions default to instinct or industry convention. Neither is wrong in every case, but neither is calibrated to the actual threat picture. The purpose of a risk assessment is calibration.
The fundamental framework: threat, vulnerability, impact
The standard framework for security risk assessment is built on three components:
Threat. What or who might act against the principal, the asset, or the organisation? Threat includes specific, named threat actors (a known stalker, a hostile competitor, an identified organised crime group) and general threat categories (opportunistic crime at the destination, civil unrest during a specific period, terrorism threat at a venue type). The threat assessment draws on available intelligence – travel advisories, OSAC briefings, destination-specific crime data, the principal’s own knowledge of their threat environment – to define who or what the security programme needs to address.
Vulnerability. Where are the weaknesses that a threat actor could exploit? Vulnerability analysis for close protection looks at the principal’s predictable routines, the security measures currently in place, the physical characteristics of venues and routes, and the points in the itinerary where the principal has reduced protection or increased exposure. For residential security, it covers perimeter quality, access control points, staff vetting, and the predictability of household routines.
Impact. What would actually happen if a threat were realised? Impact assessment considers both the immediate consequence (physical harm, financial loss, data compromise) and the downstream consequences (reputational damage, operational disruption, duty of care liability). Two threats of equal likelihood are not equal risks if one would produce a minor inconvenience and the other would produce a catastrophic outcome.
The output of these three components is a risk rating for each identified scenario. The risk rating drives the security posture: which measures are warranted, at what level, and in what priority.
The pre-travel risk assessment
ISO 31030:2021 (Travel Risk Management) sets out the framework for pre-travel security risk assessment as a component of corporate duty of care. The standard requires organisations to identify the risks associated with each travel assignment before approving travel, to implement controls proportionate to those risks, and to have incident response capability in place before departure.
A pre-travel risk assessment for a senior executive visiting a P1 market covers:
Destination threat. What is the current security environment at the destination? This draws on FCDO travel advisories, OSAC destination reports, Control Risks country risk ratings, and any specific intelligence available about the current situation. The assessment is dated and time-specific – a report from twelve months ago does not capture the current environment.
Principal profile. Who is the individual, and why might they be a target? A CEO of a company with active litigation in the destination country faces a different threat profile from a finance director attending a routine conference. The profile section of the assessment should identify the principal’s specific exposure factors: industry, public profile, corporate relationships, any known threats.
Itinerary exposure. Where will the principal be, and when? Venue risk, route risk, and the security posture available at each point in the itinerary are assessed against the threat and vulnerability picture. Gaps in coverage – periods when the principal is between the hotel and the first event, or moving between venues without security support – are flagged at this stage, not discovered after arrival.
Critical assets. What data, relationships, or physical assets does the principal need to protect? A principal travelling with commercially sensitive information faces a different risk picture from one travelling for a routine meeting. The critical asset assessment drives the digital security posture alongside the physical security arrangements. See our executive digital security guide for the specific controls.
Independence and the role of conflict of interest
A risk assessment conducted by the organisation’s own security staff is subject to unconscious bias. Staff who are responsible for existing security arrangements have an interest in those arrangements being assessed as adequate. That is not a reason to exclude internal staff from the process – they have institutional knowledge that is valuable – but it is a reason to ensure the assessment has independent oversight.
A risk assessment conducted by a security provider with a commercial interest in the outcome faces a different conflict: the incentive to assess risk as higher than it is, because higher risk justifies more services. The ASIS Risk Assessment standard and ISO 31030:2021 both recommend that assessments be conducted or reviewed by parties independent of those delivering the security measures.
Turning the output into a security posture
A risk assessment produces a risk register: a structured list of identified risk scenarios, their likelihood and impact ratings, and the recommended controls for each. The security programme is then designed to address the risks on that register, in priority order, within the available budget and operational constraints.
Where the risk assessment identifies that a particular scenario is high-likelihood and high-impact, the corresponding control should be robust and tested. Where a scenario is low-likelihood and low-impact, the control can be proportionately light. A programme that treats all risks as equal wastes resources on the low-priority scenarios while potentially under-resourcing the high-priority ones.
For a pre-travel risk assessment that feeds directly into close protection deployment, see our executive protection services page. For country-specific risk profiles across our 15 primary operating markets, see our risk assessments directory.
When the assessment needs to be updated
An annual review is the minimum. The following circumstances should trigger an immediate reassessment regardless of schedule:
- A material change in the principal’s threat profile (new litigation, public statement, acquisition announcement, change in role)
- A change in the destination’s security environment (election, civil unrest, significant security incident affecting the sector or city)
- A significant change to the organisation’s activities in a market (expansion, regulatory dispute, public controversy)
- Any incident affecting the principal or a comparable individual in the same sector
A risk assessment that was accurate six months ago may not be accurate today. The value of the document is its accuracy at the point when decisions are being made from it. For the on-site assessment that tests whether physical controls at a specific premises meet the threat level identified in the risk assessment, see our physical security assessment guide.
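To make the register and the review rules above concrete, here is an added illustration in Python (my own sketch, not the author's or the firm's methodology): each scenario is scored 1-5 for threat, vulnerability and impact, the register is ordered by rating, a proportionate control level is assigned, and the reassessment triggers from the list above are applied against the annual minimum. The scales, thresholds, trigger names and sample scenarios are assumptions.

```python
# Illustrative risk register (added example; scales and thresholds are assumptions).
# likelihood = threat x vulnerability (1-25); rating = likelihood x impact (1-125).
from dataclasses import dataclass
from datetime import date


@dataclass
class Scenario:
    name: str
    threat: int         # 1-5: capability and intent of the threat actor
    vulnerability: int  # 1-5: exploitable weakness in current arrangements
    impact: int         # 1-5: immediate plus downstream consequence

    def rating(self) -> int:
        for v in (self.threat, self.vulnerability, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("scores must be integers from 1 to 5")
        return self.threat * self.vulnerability * self.impact


def control_level(s: Scenario) -> str:
    """Proportionate control: robust and tested for high-likelihood/high-impact,
    light for low/low, standard otherwise (thresholds are assumptions)."""
    likelihood = s.threat * s.vulnerability
    if likelihood >= 12 and s.impact >= 4:
        return "robust, tested"
    if likelihood <= 6 and s.impact <= 2:
        return "light"
    return "standard"


def build_register(scenarios):
    """Return (name, rating, control) rows, highest priority first."""
    ranked = sorted(scenarios, key=lambda s: s.rating(), reverse=True)
    return [(s.name, s.rating(), control_level(s)) for s in ranked]


# Assumed trigger labels mirroring the four bullet points in the article.
REASSESSMENT_TRIGGERS = {"threat_profile_change", "destination_change",
                         "activity_change", "sector_incident"}


def needs_reassessment(assessed_on: str, today: str, events=()) -> bool:
    """Annual review is the minimum; any trigger event forces it immediately."""
    if any(e in REASSESSMENT_TRIGGERS for e in events):
        return True
    age = date.fromisoformat(today) - date.fromisoformat(assessed_on)
    return age.days > 365


# Constructed sample scenarios for one executive trip (not real assessments).
SAMPLE = [
    Scenario("Hostile surveillance at hotel (active litigation)", 4, 4, 4),
    Scenario("Opportunistic street crime between venues", 3, 3, 2),
    Scenario("Civil unrest during election week", 3, 2, 5),
    Scenario("Minor luggage theft at airport", 2, 2, 1),
]
```

Running `build_register(SAMPLE)` ranks the surveillance scenario first with a robust, tested control and the luggage theft last with a light one.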
Sources: ISO 31030:2021 Travel Risk Management. ASIS International: Security Risk Assessment Standard. OSAC: Country Security Reports (2024). Control Risks: RiskMap 2025.
Key takeaways
A risk assessment is the foundation of every decision in a security programme
Without an assessment, security measures are selected on instinct, precedent, or vendor recommendation. With one, they are proportionate to the actual threat picture. Over-engineered security is expensive and intrusive. Under-engineered security creates gaps. The assessment calibrates both.
The threat × vulnerability × impact framework is the industry standard
Every credible risk assessment methodology uses some variant of threat assessment, vulnerability analysis, and impact evaluation. ISO 31030:2021 for travel security and ASIS risk assessment standards both follow this framework. Assessments that use different terminology generally map to the same underlying logic.
The output is only useful if it drives action
A risk assessment that produces a report that sits unread in a file has no security value. The output should directly determine the security posture for a trip, an event, or a residential deployment. If the assessment is not connected to operational decisions, the process has been completed as compliance rather than as a genuine security management tool.