Security Risk Assessment · Practitioner-Led · US + International
Security Risk Assessment: Know Your Exposure Before It Becomes a Threat
A practitioner-led diagnostic for organizations and principals reviewing their security posture — threat actor identification, vulnerability mapping, countermeasure audit, and a prioritized findings report.
Every protection program is a prescription. The risk assessment is the diagnostic that should precede it. Most organizations we are brought into already have security measures in place — a contracted vendor, residential controls, an executive protection retainer, a corporate security team. What very few have done is validate, in the last twelve to twenty-four months, whether those measures actually address the threat environment the principal or the organization operates in today. The threat picture changes. The program rarely catches up on its own.
This page is written for the buyer who knows that gap exists. Corporate security directors approaching contract renewals. Chiefs of staff for principals who just received a credible threat. General counsel staring at a litigation matter that has elevated the firm’s exposure. International operations leads about to deploy personnel into an environment they have not previously operated in. The assessment closes the gap between what your security program was designed for and what it is now expected to defend against. Without it, every downstream decision — vendor selection, budget allocation, posture changes — is made on assumption rather than analysis.
The Methodology
What a Professional Security Risk Assessment Covers
A risk assessment is not a checklist exercise. It is a structured threat analysis built around the specific principal, organization, or operating environment under review. Our methodology runs along seven workstreams.
Threat Actor Identification
We build a profile of who has motive, means, and opportunity to act against this principal or organization. That includes named adversaries — disgruntled former employees, litigation counterparties, identified harassers, criminal networks with active interest — and structural threat categories: opportunistic crime in the operating geography, insider risk in specific business units, state-aligned actors where the principal's role or industry warrants. The output is a written threat picture, not a generic risk matrix.
Vulnerability Mapping
Vulnerabilities are assessed across four domains: physical (facilities, residences, vehicles, perimeters), digital (executive digital footprint, family OSINT exposure, communications hygiene), procedural (how decisions get made, where information is held, who has access), and personnel (vetting standards, insider threat indicators, contractor and household staff). Each domain is mapped against the threat picture — a vulnerability only counts if a credible threat actor can exploit it.
Current Countermeasure Audit
We document what is in place — vendors, technology, policies, personnel — and grade each against operational effectiveness. The objective is to separate controls that work from controls that exist on paper. Most programs we audit have a meaningful percentage of countermeasures that are theatre: visible, expensive, and not actually addressing the threat they were procured against.
Route and Facility Exposure Analysis
Primary and secondary routes, residence approaches, office ingress/egress, recurring venues, and predictable patterns are mapped. Where a principal's movement creates exploitable predictability, the analysis says so.
Insider Threat Indicators
Personnel with access — staff, household, executive assistants, drivers, IT administrators, contractors — are reviewed against indicators of elevated risk. This is handled discreetly and never as a unilateral judgment on individuals; the work product is structural, focused on program gaps and access controls.
Third-Party and Vendor Security Review
Vendors with access to the principal, the facility, or sensitive operational information are reviewed against their actual security posture — not their marketing material. This includes incumbent protection vendors, where the assessment is genuinely independent.
Findings Report with Prioritized Recommendations
The deliverable is written to be briefed: prioritized findings, recommended controls, estimated implementation effort, and residual risk acceptance language. It is built to survive a boardroom or a general counsel review.
Clientele
Who Requests a Security Risk Assessment
Five buyer profiles account for the majority of our assessment work.
Corporate security directors at mid-to-large companies engage us ahead of contract renewals or board presentations. The driver is either a vendor RFP cycle, an audit committee question, or a new C-suite hire who wants the program documented before they sign off on next year's budget. The assessment gives them external validation — and, often, the documentation they need to justify the program they have been running.
Chiefs of staff and senior executive assistants managing a C-suite principal who has received a credible threat. The pattern is usually a specific incident — a stalker, a litigation counterparty making explicit statements, social media activity that has crossed from criticism into ideation — and a principal who does not yet have a protection program. The assessment determines whether one is warranted and at what posture.
Family offices evaluating protective coverage for a UHNW principal and their family. These engagements typically cover the principal, spouse, children, residences (often multiple), travel patterns, household staff, and the digital footprint. Family offices retain us when the in-house security director wants an external review of a program they themselves designed.
General counsel at law firms with high-profile litigation clients. The driver is exposure inherited from a matter — a contentious case, hostile counterparties, public attention that has elevated risk to named partners or the firm itself. The assessment is scoped against the matter timeline and the threat picture specific to the litigation.
International operations directors before deploying employees to elevated-risk environments. The assessment is built around the destination, the deployment profile, and the organization's duty of care obligations. Output feeds directly into pre-deployment training, in-country protocols, and contingency planning.
Credentials
Kenneth Wilson’s Analytical Credentials
Wilson Global Protection Group is led by Kenneth Wilson, a New York-based practitioner credentialed across the protection and investigative discipline. The SPI (Security Professional Investigator) credential is particularly relevant to assessment work — it covers the investigative methodology that underpins serious threat actor identification, OSINT, and protective intelligence work. Assessments are run by Kenneth directly, not delegated to a junior analyst.
CPS — Certified Protection Specialist
PPS — Personal Protection Specialist
EPS — Executive Protection Specialist
SPI — Security Professional Investigator
CPO — Certified Protection Officer
Next Steps
What Happens After the Assessment
The findings report is not the end of the engagement; it is the start of an informed decision. Clients typically discover, in the briefing, that one of three pathways fits their situation.
Some discover the program they have is adequate, with two or three specific gaps to close — vendor renegotiation, a residential upgrade, a digital hygiene project. Those clients usually retain us for a structured advisory engagement to oversee implementation. See Corporate Security Consulting for the consulting program structure.
Some discover the threat picture warrants a close protection posture they do not currently have. Those clients move into a scoped protection program — solo or multi-officer, residential or full coverage, domestic or international. See Close Protection Services for how those programs are structured.
A subset of assessments identifies an active threat that requires immediate protective response. For New York metro clients, that typically routes into an Executive Protection — New York detail; for clients in crisis or post-incident, it routes into a crisis management retainer.
The assessment is what makes those decisions defensible. Without it, the spend is a guess.
Next Step
Start With an Assessment. Build From There.
This call is for organizations and principals reviewing their security posture and deciding what an appropriate program actually looks like. You leave with a scoped assessment proposal, a clear view of what the engagement will cover, and the timeline to a written findings report.
Book Your Scoping Call — $500. 60 minutes. Written assessment proposal. Direct practitioner access.
Prefer to talk first? Reach our team via the contact page.