A Physical Security Threat and Risk Assessment (TRA or STRA) should be conducted anywhere security safeguards and countermeasures are put in place. Its purpose is to ensure that you are using the most effective and efficient policies, processes, and tools (such as locks, alarms, and cameras) to protect against the most likely and most impactful threats and risks. Self-assessments or basic surveys can be adequate for many facilities, such as homes and commercial spaces, where threats are low and there have been few historical incidents of concern. However, there are times when a professional Threat and Risk Assessment should be conducted by an accredited and independent third party.
A site with critical or sensitive assets
A TRA should be conducted at any site where there are critical or sensitive assets. Not all offices are the same: the assets, information, and operations at a site change the risk profile of the facility. Nefarious actors are more likely to target places with valuable assets or critical processes, which means such a site has an elevated risk profile. These sites can include critical infrastructure, government buildings, industrial or manufacturing sites, and even office buildings or residential homes where commercially sensitive information is stored, or where a breach would result in intellectual property loss or significant reputational damage.
To satisfy the requirements of a partner, client or customer
Many small and medium-sized companies conduct self-assessments because they are comfortable accepting their own risk. These companies may sign contracts to provide goods or services to larger companies or financial institutions that have their own security standards and risk appetite. In this case, the larger partner will often require, as part of its vendor management or onboarding program, a physical security threat and risk assessment conducted by a third party with security qualifications such as the ASIS International PSP or CPP certification. This is done to ensure that the physical security program of each of its partners meets the standard of the larger company.
To achieve or satisfy a recognized industry standard
Many industries and professional associations develop and maintain security standards to support their members' security programs. These can include publicly available checklists and/or self-assessment tools. For example, the Transported Asset Protection Association (TAPA) is an organization comprised of companies and organizations facing cargo crime within the transportation supply chain; it publishes industry standards to provide guidance to its members. It is good practice to have a trained security professional undertake this physical security assessment benchmarking activity to ensure that such standards are accurately interpreted and applied.
Prior to a large security investment
A threat and risk assessment by a security consultant can save money on potential security investments or upgrades. A security vendor will sell the products that it carries, and there is a risk of being upsold products and services you may not need. An impartial assessment by a security expert will ensure that security investments are directed at priority areas with the most cost-effective solutions.
As an internal due diligence exercise
A threat and risk assessment can be an important exercise to validate a strong security program to clients, customers, and employees. A review by a third party demonstrates that a duty of care is being provided to the people accessing the site, as well as responsible custodianship of the information and assets held on site. This can be used as a selling feature to attract new clients, and to reassure potential new hires who may have reservations about returning to an office environment.