Security risk is a reality for every organization regardless of size, industry, or location. Neglecting to identify, assess, or mitigate security risks can have severe consequences when a risk event occurs and results in harm to people, property, information, or reputation. Whether driven by compliance, duty of care, or a desire to protect, conducting a risk assessment is a necessary step for all organizations.
Risk assessments, however, are not all created equal. Drawing from years of experience reviewing assessments from internal teams, external consultants, government bodies, and even volunteers, we have identified seven essential practices that distinguish a valid, actionable risk assessment from one that falls short.
- Consult a Wide Range of Stakeholders: A proper risk assessment must understand the organization’s priorities and operations, identify its critical assets, consider past security events, and determine the risks the organization is most likely to face. No single function has all of this knowledge, so multiple stakeholders with different backgrounds are needed. In general, consult with operations, public-facing staff, human resources, security, health and safety, legal, information technology, and others with institutional memory for the organization. These stakeholders bring different perspectives, can identify critical assets, and understand the day-to-day operations.
- Consider Both Consistency + Foreseeability: Security liability cases often turn on whether the organization provided consistent security measures and considered the foreseeability of risks. Consistency means that similar sites receive a similar level of security measures. For instance, if one location has multiple layers of security measures but another similar site has none, that is a consistency problem. Foreseeability addresses the risks an organization has encountered or is likely to encounter in the future. Foreseeability is not simply about what has impacted the organization itself, but also what has impacted similar organizations, or organizations in similar geographic areas or sectors.
- Understand Sector-Specific Risks: Different sectors carry different risks based on their operations, equipment onsite, geographic areas, and regulations. Some sectors also require or strongly encourage specific risk assessment methodologies, such as the American Water Works Association (AWWA) J100 standard, the American Petroleum Institute’s ANSI/API Standard 780 (Security Risk Assessment Methodology), and the NERC CIP-014-2 physical security standard approved by the Federal Energy Regulatory Commission, to name a few. It is critical that organizations understand any mandated risk assessment methodologies and the best practices for risk assessments in their sector.
- Use a Reputable + Repeatable Methodology: Even if the sector does not prescribe a methodology, the one chosen should be derived from a reputable source and be repeatable, meaning another expert could apply the same methodology to the same information available at the time and reach similar conclusions. For organizations without a sector-specific methodology, consider the ASIS International Security Risk Assessment Standard (ASIS SRA 2024). Since the ASIS International Standards and Guidelines are SAFETY Act Certified, using them can reduce an organization’s liability in the event of a terrorist attack.
- Document the Rationale Used for Decision-Making: Risk assessments should be well documented and retained so the organization can justify its decision-making, revise the assessment following an incident or after a set period of time, and adjust it when the organization’s footprint, operations, or mission changes or when external conditions change.
- Be Led by an Experienced Security Risk Assessor: While not all members of a risk assessment team need to be highly experienced in risk assessments, the team should be led by an expert who has performed security risk assessments in the past, has exposure to the organization’s sector, and is recognized as an expert among peers based on qualifications, certifications, and credentials. The most defensible risk assessments are performed by a multidisciplinary team of experienced risk assessors.
- Be Performed Objectively: Organizations may have to prove that their risk assessment was not only performed by an expert team but also prepared with objectivity. Stakeholders can inappropriately influence the security risk assessment process to limit security spending, favor preferred security tools or vendors, or steer it toward conclusions that do not inconvenience the organization. If a risk assessment’s outcome has been manipulated, it not only adds risk to the organization’s people and assets but also calls into question every security measure that was selected or overlooked as a result.
The key message is that organizations can perform risk assessments internally under the right conditions and with the right support. Organizations can also turn to experts who perform security risk assessments on a daily basis. Whichever path is chosen, make sure that the time and resources invested in a security risk assessment produce one that reflects the organization’s needs and operations, holds up to scrutiny from a liability standpoint, and aligns with security best practices.
Ultimately, security risk assessments are not just a regulatory checkbox; they are a critical component of protecting an organization’s people, operations, and reputation. To be truly effective, they must be approached with the right expertise, methodology, and objectivity. While some organizations have internal resources to support this effort, the most reliable and defensible assessments are often led by independent security consultants who specialize in this work. These experts bring not only deep experience but also an unbiased perspective and up-to-date knowledge of evolving threats and best practices. When it comes to safeguarding what matters most, partnering with the right professionals makes all the difference.