Threat & Risk Assessments

Protective Security Operations

Risk = Threat + Vulnerability

Security as a whole is surely one of the broadest, wide-ranging of subjects, and one that has seen a substantial and dramatic increase of attention in recent times. Naturally, the term ‘security’ can signify or represent different things to different people, depending on that individual’s location, occupation, responsibility and status. Almost everyone and everything incorporates some level of concern for security, whether of the environmental, economic, national, international, global, and social, information technology, communications, company, military or personal kind. Security affects each and everyone one of us. At some point in time, we are all concerned. We are concerned about the repercussions and course of events should that security not be present. Repercussions include but are not limited to, acts of criminality, military attack, and terrorism. Our lives and our way of life depend on levels of security, the responsibility for which falls heavily as a burden on the shoulders of those in a position of power or command. A responsibility that, if not conducted in a manner that is professional, efficient or diligent, could result in dire consequences. However, even if those in a position of power or command are professional, efficient and diligent, there may be times when actions cannot be prevented. These may be ‘Acts of God’, i.e. natural disasters; flooding, earthquakes etc., or indeed in Close Protection terms, actions resulting from the genuine impossibility of protecting someone from everything, all of the time. But what is the procedure for policy makers for making decisions during such a crisis or emergency and does the Chief Security Officer, Security Manager or Close Protection Team Leader (CPTL) really need to discuss the situation with others prior to acting on decisions made?During the initial stages of security implementation, whether physical or electronic systems or procedures, one must first assess the threat and the level of risk in accordance to the threat. Close Protection Team Leaders and Individual Bodyguards make informed decisions about security risks that are directly or indirectly under their control as part of their responsibilities. In fact, to a certain extent, any member of a Close Protection Team does. Within the context of CP, threat and risk assessments (TRA’s) identifies those threats present and makes recommendations where to avoid, reduce and ‘accept’ risk, as well as how to diminish the impact of threatening events. In an existing security operation, the TRA further assesses and identifies security measures that are inappropriate or nonexistent. Recommendations are then made to add or modify where applicable but also to determine the implementation priorities.

As in Close Protection, it is impossible to determine the correct type and degree of protection unless the type and degree of threat has been established. Once the potential for harm has been evaluated, a determination must be made as to what resources and actions are necessary to control those risks. Where possible, the avoidance of risk is preferred. The purpose of a threat assessment therefore is to determine what risks exist and to separate serious from non-serious. In this manner, we can develop plans that will avoid some of the risks, and we can determine how much of our resources to deploy against the threats that cannot be eliminated. We do not over-react or under-react. Over-reaction and under-reaction are almost invariably the result of knee-jerk responses. They come from a lack of planning, a failure to anticipate and prepare for an event. The inability to predict the future contributes to risk. However, even though the threat and the risk of exposure to that threat is assessed, the potential remains for incidents to arise. This is not due to a lack of forethought in planning or an incorrect assessment of the threats and risks posed, but because the chance of probability remains, no matter how slight or diminutive. In these instances and in most cases, operational procedures are (or should be) drawn up. These involve a selection of actions that are chosen and decided upon with consideration to influencing factors at the time. These events are often described as ‘Crises’ or ‘Emergencies’. All persons/ companies/ agencies or governments involved in these emergency responses are instructed in or informed of the course and method of action to which they should take and which they should subsequently rehearse until the best possible state of preparedness is achieved.

‘Emergency’ has been defined as ‘a sudden unforeseen crisis (usually involving danger) that requires immediate action – an emergency is a situation that poses an immediate threat to human life or serious damage to property’. It has also been defined, as ‘a sudden, unforeseen happening that requires action to correct or to protect lives and/or property’. As one can clearly see, both definitions define an emergency as an unforeseen event; however, as far as the context of many security operations are concerned, specifically Close Protection, I would argue the contrary in most cases. The term unforeseen is not the correct description in this instance. Unforeseen is unanticipated, unexpected and unpredicted.

The security manager (CPTL) has a requirement, a duty to prepare for eventualities that may occur in his area of responsibility, no matter how slight the possibility. He must assess the risks and outline any concerns to company managers and directors. Guidelines for immediate responses to such emergencies must be prepared and rehearsed. Within Close Protection, this is standard practice. Constant ‘What if’ scenarios are considered and a proactive response is initiated to counter such possibilities, scrutinising every detail. A bomb threat/ suspicious package, fire and medical emergencies are all ‘standard’ events within large corporations or companies in cities, which can be anticipated and prepared for. A security and risk manager does not necessarily need to implement group decision-making during such a crisis or emergency due to the fact that the situations have already been discussed and subsequent actions agreed upon to facilitate an immediate response. Of course, the security manager must inform those relevant persons after the event and only during the crisis where time permits or is necessary, or indeed, instructed in the guidelines for ‘actions on’. However, events do occur which have not been discussed, anticipated or planned/ prepared for that lead to a crisis or emergency, such as the involvement of blackmail in the theft of intellectual property during an important takeover bid. This would necessitate a course of dialogue amongst company bosses and security managers, and naturally this would take a certain amount of time . We can therefore see that the major difference between such instances and ‘ordinary’ situations is the ability of the security manager to deal with the latter without the need to facilitate group discussion amongst other managers or directors. By virtue of the security managers’ responsibility, remit and capability, he can conduct effective decision-making without the immediate need to involve others. The situation does not involve threat to life or serious damage to property and therefore consequences materialising are at the minimum. However, that said, it would be highly likely that the security manager in such instances would not only feel he had a duty of care to inform his superiors of untoward incidents, but also out of common courtesy. Although he would have initiated an immediate response to such incidents, the passing of information to superiors would begin a dialogue of promoting group discussion and confirmation of actions carried out and/or further actions to be conducted. Assessment, planning, preparation and training in immediate reaction are vitally important in any security operation. None more so than that of the Close Protection Team. For the most part, the CPT is concerned for the protection of life and well-being of the Principal. Operational procedures for such events as ‘Anti-ambush – reaction to attack’ are drawn up and then trained until the procedure becomes a drill. A drill whereby the reaction is instinctive, a habit that is solid and yet fluid in the foundation of having been constantly practiced. Worst-case scenarios, or indeed, scenarios involving every potential eventuality are discussed and then planned and prepared for. Walking drills, vehicle immobilisation drills, vehicle anti-ambush – block front – gunmen right, block front – gunmen rear, block front – block rear – gunmen left, positioning of vehicles, deployment of assets, illegal check points, embus – debus drills; the list is almost endless.

During the bodyguard’s normal course of duty, he would be capable of working with and influencing senior members of staff. He would have the ability to blend in to dinner parties of a high profile nature. To be able to speak in an educated and eloquent manner. To be meticulous and efficient in all that is said and done. He would address the Principal as Sir or Ma’am; however, nothing could be further from the stark reality in the event of an attack. In a high-risk environment whereby a Principal and protection team has been attacked, he or she is thrown onto the floor of the car, man-handled into cover, shouted and sworn at, pushed through doors, shoved into rooms, laid on top of, carried or dragged. This is no place for manners. This is no place for decorum. Life is in imminent danger. Automatic and effective enemy fire, hand-grenades, rocket-propelled grenades are all ‘in-coming’. This is not Hollywood or some far-fetched adventure story. This is reality and this is why immediate action drills are trained and emergency evacuation procedures are arranged. These are indeed crises and emergencies; however, effective decision-making is not more difficult to implement. There is no room for politeness or correctness. An action is decided upon by that person in charge and thus, is carried out with speed and aggression. A close protection team leader has no concern if he is ‘stepping on anyone’s toes’. He is the experienced manager and through this experience is confident in his actions. A security manager for a company, however, may indeed feel that he/ she needs to act with a little restraint and discuss response actions to a crisis with colleagues and other managers. Every security situation is different. There is no hard and fast rule regarding effective decision-making nor is there any rule demanding that decisions must be implemented as a group. Effective decision-making on the part of security managers rests solely with themselves and what they deem acceptable in terms of conducting responses without implementing group discussions. Time is of the essence during emergencies and if we prepare for worst-case scenarios then the knock on effect is drastically reduced. We must not only ask ourselves, ‘What if?’ but also ‘So what?’ – so what am I going to do about it?

The Purpose Of A Threat & Risk Assessment For Protective Security Operations

The basis of all Close Protection and related security is Threat Assessment. It is of course impossible to determine the correct type and amount of protection unless the type and amount of threat has been established and yet time again we see disproportionate levels of security present in many commercial areas with either too much or too little remaining common occurrences. Attempting to protect individuals at risk from everything all of the time is neither efficient nor effective (it is also not possible) and the people that need it do not necessarily require the same level of protection all of the time. The development of an effective personal protection program demands that a determination be made of the level and type of threat that exists for an individual at a particular time, in a particular set of circumstances. The best is one that affords the appropriate level of protection with the minimum intrusion on the normal life-style of the person being protected. The key to establishing this level of protection is to perform a Threat Assessment. Once the potential for harm has been evaluated, a determination must be made as to what resources and actions are necessary to control those risks. Again, where possible, the avoidance of risk is preferred. The purpose of a threat assessment, therefore, is to determine what risks exist and to separate serious from non-serious. In this manner we can develop plans that will avoid some of the risks, and we can determine how much of our resources to deploy against the threats that cannot be mitigated.

‘Threats’, ‘Threat Assessment’ (TA) and ‘Threat & Risk Assessment’ (TRA) are all terms, which many claim to understand, but in reality, and within a Close Protection environment specifically, they remain confused. The term Threat & Risk Assessment is often used by many security companies within the context of Close Protection, as a service they provide. Yet many fail to understand exactly what it means and what is involved in the provision of it. They state in their glossy blurb, “Threat Assessments are tailored to an individual client’s needs.” This of course, is incorrect and couldn’t be further from the truth. Threat assessments are not ‘tailored’ but are processes for determining what threats are present, what threats are not and to determine methodologies for mitigation and reduction of those where the risk to threat is present or greatest. The TRA is pivotal to the decision-making practices in the deployment of assets for controlling risk to threats and is fundamentally integral to the initial process in the provision of protective services.

The compilation of a TRA is intended for the purpose of:

• Determining the threats posed
• Determining the risks to those threats
• Organising those risks and threats into order of priority
• Mitigation of those threats
• Mitigation and/ or acceptance of risks to threats.

There are many methodologies available for determining risk and the consequences of it. These are mainly due to the differences between the specific industry sectors; from national threats in terms of natural disaster and terrorism, emergency management for school, university & hospital threats, information technology system risk management, critical infrastructure protection, and of course, personal protection to name a few. The initial question for formulating an assessment of risk is of course:

How do we actually quantify it?

An equation often used to illustrate the definition of risk within the context of security risk management and loss prevention is: Risk = Threat x Vulnerability x Cost7. This equation however, insofar as accuracy and relevance is concerned, is not appropriate for our use. As far as the actual physical protection in CP is concerned, ‘Cost’ remains the same constant; that being defamation/ injury to character, physical injury or death. Within a Close Protection environment, a threat is not multiplied by the Boss’s vulnerability to that threat. A threat remains a threat that is constant in terms of its severity. Rather, it is the effects of that threat that change in accordance with the risk to that threat and in relation to operational planning, procedures and safeguards to mitigate them:

If a Principal visits a country whereby his very presence dictates that the threat of directed local crime or murder is high then security measures adopted to mitigate the risk to those threats do not affect the actual severity of the threats presented – they merely negate or reduce the risk and vulnerability of those threats.

Within the context of CP operations a TRA is to determine the level of exposure to a specific threat through the combination of assessment of the threat itself and the likelihood of success of that threat despite current or planned safeguards. By the very nature of CP, operations are dynamic, constantly changing in activity and environment. The TRA should then become dynamic in its response with a flexible approach to the mitigation of risk.

It therefore remains important to understand exactly what defines the terms ‘Risk’, ‘Threat’ and ‘Vulnerability’ –

In light of this then, the process of a TRA for a CP environment should consist of a five-phase process:

1. Assets Identification
2. Threat Assessment
3. Risk Assessment
4. Vulnerability Assessment
5. Recommendations

Recommendations must be based on assessments made of the threat(s) risks and vulnerabilities and the subsequent identification of areas in which to avoid, reduce and accept risk. Recommendations should also include changes to the Boss’ schedule/ methods of travel and locations visited when and where applicable and appropriate.

Acceptance of Risk, and Risk Management

‘Risk exists where the future is unknown’

‘Security measures must be commensurate with the threat’

Risk and the management of it remains the central factor concerning the aims of Close Protection. As defined, it is the level of exposure to threats that ultimately provides the control and the manner in mitigating risk to threats. The two statements above are commonly used in the management of risk. Although they remain correct for the most part, within a CP context they do not accurately appreciate an understanding of the concept of CP operations. Risk does exist where the future is unknown but it also exists where the future IS known. Risk exists as a constant presence, as do those assessed threats. It is the level of risk that changes in accordance with the counter measures employed. The assessment of risk in the context of CP cannot accurately be determined by any mathematical equation. It provides a guideline, a focus to concentrate efforts on those areas where risk is present or, if budgets do not allow, where risk is greatest. However, as the determination of threat and risk is not an exact science, employing safe guards that are merely ‘commensurate’ with the threat is not necessarily the advisable course of action.

If a Principal requests protection services be afforded to him by virtue of his business but has never received any direct threat against him or his family – is an IBG role sufficient?

 Possibly. However, without assessing areas of operation, travel risks, business occupation, business competitors, mergers & acquisitions, disgruntled ex-employees, public/ media profile prominence and so on, then at times, an IBG may indeed remain insufficient. The times whereby an IBG role may or may not be suitable principally relies on the individual conducting the Threat & Risk Assessment. His experience and exposure to CP and security management operations will translate into the provision of mitigation of such risks at a certain level. Naturally, it remains more likely that those individuals with greater experience will mitigate risks to threats far more accurately and effectively than those with lesser experience. It becomes of importance, then, that whoever conducts the TRA is fit for purpose. Further, and due to the difficult nature of accurately assessing threats, it also becomes of importance to implement measures that surpass the actual threats assessed. Risk Management is the identification, assessment, and prioritisation (and acceptance) of risks. However, unlike standard security projects involving risk mitigation, CP is not an environment in which, for the most part, risk to threats can be controlled to the point where the actual risk is controlled in its entirety. With the exception of residence, office and area security, it does not involve the installation of ‘impenetrable fence lines’, thereby reducing the risk of penetration to a controllable state. For the majority of time, the level of risk is accepted and measures employed are designed to minimise the risk through detection and counter efforts. There then remains an obvious issue of the relationship between risk mitigation and budgets available to mitigate it. The decision-making practices and advice of commercial service providers and the wishes/ preferences of the client and/ or Principal further affect this underlying factor, one that is subject to huge influence.

Hence, in the commercial world, the level of ‘security’ is not only dictated by money and party politics but also by ethically improper profit-making strategies or uneducated thought processes by contract service providers. Part of the role and one of the expectations of a CPTL or IBG is to act in the capacity of consultant or advisor – very similar to the corporate security manager. Dynamic threat assessment and risk mitigation is a continuing process throughout the operation but if the measures implemented are unbalanced or deemed not sufficient to meet the risk to threats at the start then the assigned TL/ BG must act. Commercial operations are compounded by many influences otherwise wholly absent in those that are government-led. To jeopardise the safety and security of both the Principal and members of the CPT on operations that do not effectively mitigate threats or the risks to the threats is an action that is irresponsible, rash and risky and one that also fails the values and expectations of the Principal.

The TRA must show:

1. Most likely forms of attack
2. Most likely places of attack
3. Most likely times of attack

The TRA must be clear, current and correct. Above all, it must ask the question:

Why is the Principal a target?

It must study:

• The enemy
• The histories
• The descriptions
• The favoured Modus Operandi
• The recent attacks
• The present capabilities
• The possible future capabilities

As a result, it should now be possible to deduce the most likely forms of attack.

The TL/ IBG must:

• Study the Program
• Assess vulnerable locations & timings
• Traffic conditions
• Enemy weapons
• Weakness in building
• Weakness in perimeter
• Vehicle security
• Interpretation of all available intelligence – Vulnerable elements of operation / Allocation of protection resources

An accurate Threat and Risk Assessment is vital. It must be updated regularly and new information must be used as soon as it becomes available. Conversely, the lack of confirmed intelligence is no excuse for the non-production of a TA.

 At Mobius International, we offer high-quality services to meet your security requirements. All personnel are former government consultants and are selected for their expertise and operational experience. All of our staff have worked for either British or Foreign governments and are highly trained to deliver industry leading assessments.

If you would like your personal security assessed or that of your organisations then give us a call. It’s what we do.

www.mobius.international