What's the point of a Threat Risk Assessment?

With the rampant rise of virtual/cyber crimes, it is easy to overlook the fact that organizations can also be affected by physical security threats and risks. All too often organizations don’t see the point in proactively assessing and identifying the risks they face, seemly preferring instead to wait and see if anything happens and only then deal with the impacts. Unfortunately, by then they have taken a monetary loss and a hit to their reputation.


Through use of a Threat Risk Assessment, an organization can proactively identify, assess, evaluate, and mitigate their risks to reduce their overall vulnerability to external threats.


What is a Threat Risk Assessment?

A Threat Risk Assessment – or TRA – is a formal process that uses an analytical approach to assessing risks, and which provides a structure for informing decision-makers of relevant facts, uncertainties, observations, and possible outcomes related to an organization’s assets.


A TRA has five key aspects.

  1. Identify and prioritize assets.

  2. Identify threats and risks.

  3. Assess threats and risks.

  4. Identify mitigative measures.

  5. Review and update the TRA.

Identify and prioritize assets

Assets are anything that has tangible or intangible value to the organization. This may include people, property, core operating processes necessary for business operation, information, and third-party vendors. Assets should be identified and prioritized with a level of detail consistent with the scope of the TRA. This will provide a clear outline of the areas of focus for the “Assess threats and risks” aspect of the TRA.

Identify threats and risks

Threats and risks can range from theft and unauthorized entry to suspicious packages. Threats should be listed as they relate to their potential affect on the identified assets. Information about possible threats and risks an organization may face can be gathered from internal audits, historical data, crime statistics, and media sources.

Assess threats and risks

Threats should be assessed according to the following categories.

  • The likelihood of the threat occurring.

  • The impact to organization if the threat occurs.

  • The priority for the threat to be mitigated.

  • The overall risk exposure the organization faces.

Identify mitigative measures

Mitigative measures are actions that can be taken to reduce and/or prevent the threat and risks identified, thereby reducing the overall vulnerability of the organization. A cost/benefit analysis should be conducted to identify the organization’s risk appetite, risk acceptance, and to provide timelines for implementing these measures.

Review and update the TRA

Threats and risks are constantly evolving, and new threats are always emerging. The Threat Risk Assessment process helps identify changes in the threat environment and implement new mitigative measures. Additionally, the process provides opportunities to review existing mitigative measures and either confirm they still provide the required level of security or identify that changes are needed to address a new threat environment.

The Threat Risk Assessment must be a “living document” that is regularly reviewed to keep the organization as protected as possible.


Author: Aaron Ramhit ABCP, SAS - Intern Consultant