Risk assessments, also known as “threat assessments,” “risk, threat and vulnerability assessments” (RTVAs), and “risk audits,” are the foundation of effective executive protection programs. Or at least they should be.
At a very basic level, risk assessment is, of course, the necessary starting point of risk mitigation. If you don’t identify, understand, and evaluate the threats and vulnerabilities that add up to risk, how can you possibly hope to lessen the likelihood of things going wrong?
But effective risk assessment also has a broad range of practical implications for executive protection:
- Risk assessments are key to defining the scope, coverage, and costs of protective programs. Or, at least, they should be.
- Appropriate design, alignment, and deployment of the four pillars of protection – physical, people, processes, and technology – all depend on risk assessment to deliver effective and cost-efficient security. For example, tech becomes a force multiplier when we put up cameras and sensors around grounds instead of depending on active patrols only, and travel by private jet enables better security than commercial.
- Because the world we live in is ever-changing, risk assessments must also be dynamically updated to stay relevant. Far too many programs fail to do this and rely on a “one and done” risk assessment – if any at all. For example, how many principals have started working more from home during the COVID pandemic – and how many protective programs have instigated new risk assessments to reflect this?
- Risk assessment has essential productivity benefits for the principal, too. When we do advances, for example, our main focus is assessing risk in new locations. In so doing, we plan not only the safest routes but also the ones that save the most time.
We’ve written about the role of RTVAs in corporate executive protection strategy before but are constantly reminded that even though using good RTVAs should really be common sense, common sense is not so common. Even high-level personal protection programs are started and run for years without risk assessments, and far too many risk assessments end up on a shelf or a hard disk, never to be updated again despite changes in the threat landscape, regulations, technology, client requirements, and resources.
If risk assessment is so critical, why isn’t it the cornerstone of every protective program?
The importance of reliable risk assessment as it pertains to executive protection should be clear to all CSOs, boards and procurement departments involved in deciding the nature and scope of executive protection programs. After all, the principles of Enterprise Security Risk Management (ESRM) are well understood. As we pointed out in our blog on ESRM over a year ago, more and more organizations are adopting the ESRM approach.
Public health researchers talk about “the know-do gap”: even though individuals, authorities, and entire health systems might have the knowledge to improve health outcomes, we don’t always use that insight to get healthier. Everyone knows it’s not a good idea to smoke or be obese, but there are still plenty of smokers and morbidly overweight people.
We believe that we executive protection practitioners, our clients, and other stakeholders have our own “know-do gap” when it comes to risk assessment, and that there are reasons for this gap. These include:
Lack of capacity: There aren’t enough properly qualified SMEs to conduct risk assessments. Few agents have the necessary expertise. Not all EP companies have the required qualifications or experience, either, and are unwilling to admit this or outsource risk assessment.
Resources: Risk assessments take time and money. Good ones take more of both than poor ones do. What if the purchaser doesn’t want to pay for them? What if the provider doesn’t want to do them for free? What if ongoing risk assessments are not included in RFPs, scopes of work, or master service agreements?
Fragmentation: Risk assessment should be holistic but isn’t always. While a company or principal might be interested in mitigating risk on the job (e.g., on campus or while traveling for work), they might not consider protection for a principal while commuting or at home. This doesn’t mean risks don’t exist on the road or at a private residence. Similarly, companies might be willing to do risk assessments for the CEO, but not for other key people.
Security director pushback: If there have never been any risk assessments, it might be difficult to change the status quo. If a risk assessment was “completed” a few years ago, arguing for an update might be difficult. Doing a risk assessment in the middle of an ongoing program can ruffle feathers. What if the assessment reveals something that makes the incumbent team look unprofessional or even negligent? What if new risk insight requires extra mitigation costs?
Principal pushback: Even though a principal’s net worth might have increased by several billion dollars in the last two weeks and his or her prominence has also changed dramatically, many have no interest in other people “snooping around” their homes, families, habits, and lives in general. The assessment might discover vulnerabilities whose mitigation the principal doesn’t want to deal with (e.g., putting up security cameras, making the garden look less pretty).
It’s on us in the industry to do something about this
We in the executive protection industry need to up our game. We need to get better at doing risk assessments at all levels and in all programs, and at building risk thinking into everything we do, including responses to RFPs, training, and staffing. And, yes, we need to build ongoing risk assessment into our cost structures: if this adds value, as we claim it absolutely does, we should get paid for it.
But we protection professionals also need to get better at evangelizing the importance of reliable risk assessments. What we do and how we do risk assessment matters – and so does how we sell it. We need to demonstrate that risks can be mitigated in many ways – also in ways that fit well with the principal’s personal preferences and corporate culture.
Even if the client doesn’t want to hear it, it is our responsibility to communicate risks and their underlying vulnerabilities and threats clearly and consistently. Not only can this mitigate the risk of harm to the principal. It can also protect clients and vendors from liability in case something goes wrong. We must present the entire range of risks and suggested mitigation measures, then let the client decide what to pare down. If the client wants to pare down too much so that we can no longer do the work in a responsible way, we must be prepared to fire the client and walk away.
What do you think? What’s your experience? Ping us on social media!