The Security Risk Assessment: Why Most Organizations Get It Wrong

By Kenneth Wilson · Wilson Global Protection Group

What Most Organizations Actually Have

Most organizations don’t have a security risk assessment. They have a list of things they’ve already installed — cameras, access control panels, a panic button, maybe a monitoring service contract. That’s a hardware inventory. It documents what exists. It says nothing about whether what exists matches the threat environment, whether the vulnerabilities that matter have been identified, or whether the protection architecture is built against the right picture of risk.

The distinction is not semantic. A hardware inventory answers: what do we have? A security risk assessment answers: what are we actually protecting against, and is what we have capable of doing that? The second question is the one that gets principals exposed when it goes unasked.

What a Real Risk Assessment Examines

Principal Exposure

The assessment starts with the principal’s actual exposure profile. Public visibility — media presence, board memberships, public statements, social media footprint — determines who knows who the principal is and what they can learn. Travel patterns create predictability; predictability creates opportunity. Known adversarial contacts — former business partners, litigants, terminated employees with unresolved grievances — represent specific named threat sources rather than general categories. Digital footprint, including metadata embedded in publicly circulated documents and the exposure created by household and support staff social media accounts, is consistently underestimated and rarely formally analyzed. A thorough security risk assessment begins here before examining anything physical.

Physical Environment

The principal’s physical environment includes the residence, primary office, commute routes, and regular venues — each with its own vulnerability profile. A residence may have adequate perimeter control but unvetted contractor access. An office may have strong access control but a lobby that creates extended, unprotected dwell time. Commute routes are often entirely unanalyzed: the same route, the same timing, the same vehicle, every day. Physical environment assessment maps these exposures and identifies which represent the highest-probability attack surfaces.

Personnel Risk

Household and office staff are the most consistently underassessed risk in executive security programs. They have routine access, knowledge of schedules, and physical proximity that external threats rarely achieve without significant effort. Insider risk doesn’t require malicious intent to be a vulnerability — a household employee whose financial situation has changed, whose social relationships haven’t been reviewed, or who was never properly vetted at onboarding represents a channel that external adversaries can exploit. Personnel risk assessment covers vetting standards, access control auditing (who holds keys, codes, and gate credentials, and when that was last reviewed), and behavioral observation as a routine function rather than a reaction to suspicion.

Digital and OPSEC Vulnerabilities

The principal’s digital exposure is rarely mapped in full. Social media posts from a residence reveal location patterns. Calendar invitations sent to external parties telegraph schedules. Metadata embedded in publicly distributed documents — contracts, presentations, regulatory filings — can contain location, device, and identity data. Device access policies for household and support staff, password practices, and two-factor authentication discipline are all part of the OPSEC picture. These are the lowest-cost attack surface available to a threat actor and the most frequently overlooked component of a security program built around physical infrastructure. Our threat assessment services include OSINT collection on the principal’s digital footprint as a standard workstream.
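One practical control that follows from the paragraph above is to audit outgoing documents for embedded metadata before they are distributed, and to strip the identifying fields. The following is an added example, not code from Wilson Global Protection Group; it inspects the core-properties part of an Office Open XML package (.docx, .pptx, .xlsx) using only the Python standard library, reports the author, editor and timestamp fields, and writes a scrubbed copy. The list of fields treated as sensitive is a hypothetical policy choice, and the sample document is constructed in memory rather than read from a real file.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used in docProps/core.xml of Office Open XML packages.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep readable prefixes when re-serialising

# Hypothetical release policy: fields that identify people, devices or timelines.
SENSITIVE_CORE_FIELDS = {
    "dc:creator": "author identity",
    "cp:lastModifiedBy": "last editor identity (often a machine or account name)",
    "dcterms:created": "creation timestamp",
    "dcterms:modified": "last-modified timestamp",
    "cp:revision": "revision count",
}


def _qname(tag: str) -> str:
    """Turn ElementTree's '{uri}local' tag form back into 'prefix:local'."""
    uri, local = tag[1:].split("}")
    prefix = next((p for p, u in NS.items() if u == uri), uri)
    return f"{prefix}:{local}"


def core_properties(package: bytes) -> dict:
    """Return every non-empty core metadata field present in the package."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return found
        root = ET.fromstring(zf.read("docProps/core.xml"))
        for child in root:
            if child.text and child.text.strip():
                found[_qname(child.tag)] = child.text.strip()
    return found


def audit_document(package: bytes) -> list:
    """List (field, reason, value) findings for metadata that should be stripped."""
    props = core_properties(package)
    return [(f, SENSITIVE_CORE_FIELDS[f], v)
            for f, v in props.items() if f in SENSITIVE_CORE_FIELDS]


def strip_core_properties(package: bytes) -> bytes:
    """Return a copy of the package with the sensitive core fields removed."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(package)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                root = ET.fromstring(data)
                for child in list(root):
                    if _qname(child.tag) in SENSITIVE_CORE_FIELDS:
                        root.remove(child)
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(item, data)
    return out.getvalue()


def build_sample_package(core_xml: str) -> bytes:
    """Construct a minimal OOXML-style package in memory (a constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core_xml)
    return buf.getvalue()


# Constructed core.xml resembling what an office suite writes into a document.
SAMPLE_CORE_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}"
    xmlns:dcterms="{NS['dcterms']}" xmlns:xsi="{NS['xsi']}">
  <dc:title>Board Dinner Logistics</dc:title>
  <dc:creator>j.doe</dc:creator>
  <cp:lastModifiedBy>EA-LAPTOP-07</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2024-03-01T09:12:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2024-03-02T17:45:00Z</dcterms:modified>
  <cp:revision>14</cp:revision>
</cp:coreProperties>"""


if __name__ == "__main__":
    doc = build_sample_package(SAMPLE_CORE_XML)
    for field, reason, value in audit_document(doc):
        print(f"FLAG {field:<22} {reason:<45} {value}")
    scrubbed = strip_core_properties(doc)
    print("after scrub:", core_properties(scrubbed))
```

Run against a real document by reading its bytes in place of `build_sample_package(...)`. Core properties are only one of several metadata locations (application properties, embedded images, tracked changes and comments carry more), so treat this as the first check in a release workflow rather than a complete scrub.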

Event and Venue Risk

Recurring exposures that haven’t been formally assessed form their own risk category. An annual board dinner at the same venue. A regular speaking appearance at a predictable industry conference. A charity event the principal has attended for seven consecutive years. These engagements are predictable, publicly known in many cases, and rarely subjected to formal security analysis. Event and venue risk assessment identifies recurring exposure patterns and documents whether each has been assessed, what’s currently in place, and what gaps remain.

Threat Source Mapping

This is where the assessment becomes operationally specific. Not “there is a generally elevated threat environment” — that’s desk analysis. Threat source mapping identifies who specifically may pose a risk to this principal. For each identified source, the framework examines capability (what could they realistically do), intent (is there evidence of hostile intent or escalating behavior), and opportunity (what access, proximity, or information would be required to enable action). The output of this workstream drives every protection decision downstream — from staffing levels to operational posture to the triggers that activate a response.

What the Output Should Look Like

A security risk assessment should produce an operational document, not a report. The distinction matters. A report goes in a drawer. An operational document shapes the protection architecture: staffing model, advance protocols, physical security investment priorities, personnel access policies, and response triggers. If the deliverable from a risk assessment doesn’t directly drive specific, named decisions, something was produced that won’t protect anyone.

The document should be reviewed and updated when the threat environment changes — new adversarial contact, elevated public profile, travel to a new region, a significant life event that expands exposure. It is not a one-time exercise. Our corporate security consulting engagements treat the risk assessment as a living operational document, not a milestone to be checked off.

Who Should Commission One — and When

Any organization about to engage an executive protection (EP) provider should commission a risk assessment first. The assessment defines the threat picture. The threat picture determines whether protection is warranted and what form it should take. Deploying a detail without a threat picture is resource allocation based on anxiety, not analysis.

Any executive whose threat environment has materially changed should commission one: new litigation with a hostile counterparty, a public controversy with volume and intensity, a business conflict that has escalated beyond normal channels, a move to a new geography, travel to a new high-risk region. Any executive who has never had one done should commission one now.

The cost of not having one is reactive protection. Reactive protection deploys after a vulnerability has been exploited or an incident has begun. It costs more, it operates at a disadvantage, and the gap it’s closing was avoidable.

Start with a scoping consultation. We’ll assess whether a full security risk assessment is warranted for your principal’s current situation, identify which workstreams apply, and tell you exactly what the output would look like and what decisions it would drive.

Next Step

Ready to Talk?

Every engagement begins with a structured scoping call. $500. 60 minutes. A working assessment of your principal’s risk picture — which workstreams apply and what the output would drive.

$500. 60 minutes. Written summary. Direct practitioner access.