Risk Context Analysis for Executive Protection

In today's ever-evolving security landscape, protecting Critical Impact Individuals (CII) has become paramount for organizations seeking to safeguard their operations and continuity. Yet, in many instances, traditional protection measures have fallen short due to empirical assumptions, inaccurate information, or outdated analysis. This underscores the critical need for a comprehensive risk management framework tailored to Executive Protection – Critical Impact Individuals Risk Management (CIIRM).

After a thorough review of the available bibliography, I detected a lack of a complete CIIRM model, with most books, articles, and standards stating the critical importance of applying comprehensive risk management to protecting principals, but no detailed insights into a step-by-step application and practical implications for executive protection professionals. I also realized the need to develop a holistic approach to mitigating risks associated with protecting key individuals, aligning CIIRM seamlessly with Enterprise Security Risk Management (ESRM) efforts and ISO - International Organization for Standardization - ANSI - American National Standards Institute standards and ASIS International guidelines.

CIIRM provides a quantitative model specifically designed for the executive protection community, offering a systematic and comprehensive approach to identifying, assessing, and managing risks faced by CII's.

The resulting CIIRM model follows Deming's PDSA continual improvement cycle, with four simple steps:

1. PLAN: The cycle begins with Risk assessment and design of the EP program.
2. DO: Implementation of EP Risk Mitigation strategies and tactics.
3. STUDY: Supervision to test the validity of the plan and evaluation for signs of success and areas of improvement.
4. ACT: Feedback integrating the learning generated by the process - improvement cycle from a small-scale experiment to a larger implementation plan.

Ultimately, CIIRM aims to ensure the survival and continuity of organizations by effectively managing the risks their key individuals face.

In CIIRM, the threat to CII’s is defined as "any potential cause of an undesirable event that can cause harm to the executive's (1) personal integrity, (2) information, (3) time loss, (4) damage to their reputation, and (5) entourage."

Risk assessment

The first step of the "PLAN" stage is Risk Assessment. Due to the Critical Impact nature of Executive Protection, we must follow a comprehensive and systematic process to include risk identification, risk analysis, and risk evaluation.

In a professional protection operation following CIIRM, all elements of vulnerability and threat are identified, qualitatively characterized, and finally quantified. The assessment process is then closed by comparing and prioritizing them.

When approaching risk assessment for executives as a systematic standardized process, we must start orderly from contextual to individualized risks. This way CIIRM empowers security professionals to methodically identify and mitigate potential vulnerabilities, thereby fulfilling their DUTY OF CARE defending their DUE DILIGENCE findings and effectively ADDING VALUE to the overall security posture of the organization.

CIIRM follows the philosophy of threat as the basis for design (Design Basis Threat - DBT), characterizing vulnerabilities and threats -qualitatively and quantitatively- that can affect the goal of maintaining a relatively stable and controlled environment for executive activities.

In this article I will delve into the first part of the first step for a risk assessment - Context analysis.

Next is a graphic that shows all the elements for a complete CII's risk assessment.

Contextual vs Operational threats and vulnerabilities

Elements to characterize threat at the contextual level are the level of capability, and at the operational level, the intention to target a specific executive.

On the other hand, vulnerability is defined as the "intrinsic weakness of a control that makes it susceptible to exploitation by one or more threats and can lead to a loss event." Elements of vulnerability at the contextual level are the inadequacy of controls and the opportunities we let at the operational level.

Qualitative Contextual Assessment

To assess vulnerabilities in the context, CIIRM uses the PESTEL methodology, which describes six key factors in the country or region where the company operates:

Applying CIIRM to Latin American countries' qualitative assessment of inadequate control related to PESTEL factors could be as follows:

• Political Factors: Our country has a weakened government structure, instability, and corruption, which is associated with threats such as terrorism and possible foreign intervention.
• Economic Factors: In our country, the economy tends to be volatile, with pronounced levels of inequality, which is related to threats of common crime.
• Sociocultural Factors: There is a high level of social discontent, which is associated with threats of social protests.
• Technological Factors: The infrastructure supporting communications and technology often has flaws, which are related to cybercrime threats.
• Environmental Factors: Our rich natural environment in many workplaces is associated with the threat of natural disasters and the possibility of medical threats.
• Legal Factors: A culture of lawlessness, lack of legal security, and deficiencies in law enforcement make planning and executing control activities challenging in the face of organized crime threats.

Furthermore, threat capabilities identified in the context can be characterized qualitatively by detailing their methods, equipment, and quantity. In the current Latin American context, threats are prioritized by the acronym TOPCMEX and could be qualitatively characterized as follows:

Terrorism:

• Method: Force
• Equipment: Warfare weapons
• Quantity: Individuals and cells of 20 to 25 people

Organized Crime:

• Method: Deception and force
• Equipment: Personal weapons and warfare weapons
• Quantity: Groups of 12 to 18 people

Protesters:

• Method: Force
• Equipment: Unarmed, opportunistic weapons, personal weapons, and warfare weapons
• Quantity: Groups of 12 to an unlimited number of people

Common Crime:

• Method: Stealth, deception, and force
• Equipment: Unarmed, opportunistic weapons, or personal weapons
• Quantity: Individuals and groups of 4 to 12 people

Medical:

• Method: Accidents and diseases

Environmental:

• Method: Earthquakes, eruptions, floods

(X) Cybercriminals:

• Method: Stealth and deception
• Equipment: Unarmed
• Quantity: Individuals

Finding an OSINT quantitative analysis of Latin America countries risk probability profiles is certainly tasking due to the lack of updated information.

Quantitative Contextual Assessment

OSAC reports are a great source of information, but regrettably outdated. Therefore I developed a standardized contextual quantitative methodology where each factor of inadequate control related to vulnerabilities in PESTEL contextual factors and to threats in TOPCMEX is rated on a scale of 1 to 5, by calculating the total score, we can measure both the quantitative vulnerabilities probability associated to inadequate control and threats probability associated to capabilities at a country level context. Color coding has proven invaluable for risk prioritization and communication.

The qualitative and quantitative characterization of context threat and vulnerability levels facilitates the communication between EP professionals and clients. However, once the context has been mapped, we should continue the assessment of specific opportunities and intentions toward the executive, which I will address in the next article.

As it might sound easier to say than do it, the HELPS Latam Expert team was tasked to reformulate our Latin America country risk probability assessments to match this methodology. I also requested to share a monthly Latam Summary and a quarterly country-specific summary at no cost in the Latam.Expert social media (this will be our small contribution towards more professional Executive Protection in Latam).

HELPS Latam also develops detailed/monthly updated reports that are available for a subscription or provided complementarily to its permanent clients. BTW, you should also check the HELPS Latam Protective Intelligence WhatsApp group.

I look forward to your comments about this proposed methodology, let me know if you find it applicable to EP operations, and DM if you want to further collaborate in shaping this Model.