Vulnerability Assessment – The What, How, and When
A vulnerability assessment ― also known as threat and vulnerability assessment (TVRA) ― evaluates existing security programs, identifies vulnerabilities, and provides recommendations on how to manage them. In the field of executive protection, it is a standard tool that protective agents and teams use when a principal’s family moves into or takes over a residence, among other things.
Overall, proficient protective staff use TVRA to predict and prevent an emergency before it arises. If the principal needs to call in their security team to report an issue, the vulnerability assessment has already failed, because it should have anticipated the problem and not allowed it to occur. Therefore, a vulnerability assessment entails protecting the principal and their:
- Property, and
- Business interests and business secrets.
Using this tool, the security team gains detailed knowledge of the outhouses, buildings, vehicles, garages, entrances and exits. In addition, protective agents can also utilise it to better understand the formation of inner and outer perimeters and ascertain potential perimeter/cordon weaknesses.
As a detailed, in-depth tool employed by professionally trained personnel, a vulnerability assessment centres around establishing the facts. More importantly, it provides the basis for planning an operation and introducing deterrents.
Unlike a risk assessment, which relies largely on guesswork about something that may happen, a threat and vulnerability assessment focuses on threats that someone has made or problems that undoubtedly exist (but have yet to escalate).
In a nutshell, the team leader will scrutinise worst-case scenarios and share them with all protective staff members. Also, there may be some elements of the assessment which could cause concern to the principal. Still, it is important to be transparent with the report and ensuing advice. Full transparency will provide the principal insight into why certain recommendations are being made. It is then up to them to decide if they wish to implement them.
Asking the Right Questions for a Vulnerability Assessment
As with any other type of evaluation, it is crucial to ask the right questions. In addition, the protective staff must thoroughly assess internal and external variables.
According to security expert and longtime CP practitioner Kevin Horak, there are several questions that protective teams should consider while developing a vulnerability assessment:
- Have threats been made?
- What would potentially happen if these threats were successful?
- Can the threat change? How many threats are there, and how do they impact the principal’s daily life?
- Who is the principal: What is their line of work and professional life, and what is their public status?
- What are the principal’s assets, such as residences, vehicles, and offices?
- Who else is affected by threats and vulnerabilities?
- What is the medical history of the principal?
It may be especially critical to find answers to these questions when the principal’s family relocates. They ― the principal, their family, and their entourage ― may be particularly susceptible to assaults or attacks during this time.
Thus, it is vitally important to secure the vicinity before they arrive at the new location. For instance, it can be helpful to check the surrounding roads and establish the potentially dangerous hotspots in the area.
In less regulated corners of the world, including some regions in Southeast Asia, it could prove invaluable for the security team to:
- Collect sufficient local connections,
- Establish if the principal has a good relationship with the local authorities and law enforcement, and
- Verify if the local community has a favourable view of the principal, their associates, employees, family members, etc.
These considerations may not necessarily apply to most westernised nations. Yet, it certainly makes sense to explore the three above items when visiting or staying in less safe areas of places like Indonesia.
While conducting a vulnerability assessment, the executive protection team needs to have full access to information that has the potential to endanger the principal. However, sometimes it is challenging to establish what kind of details could prove excessive. Thus, we recommend signing a written agreement that obliges the protective staff or security company to not share the obtained information with third parties. This document is also known as a Non-Disclosure Agreement or NDA. These are common practice within the security industry when working with a family office or corporates.
By doing so, the EP team can have access to a variety of data that could help improve the security of the principal. Still, some principals may be hesitant to share this information. At this point, it is vital to note that the executive’s security also depends on their action or inaction. Further, it partially depends on their family, staff, close associates, and employees.
Unfortunately, some protective agents neglect this fact, mistakenly believing that they are the only responsible actors. Thus, they cater to the principal’s actual or perceived needs (and threats) as if they were equally important.
For instance, suppose a principal requests that the protection team leave them alone in a neighbourhood with questionable safety. In this case, it is the responsibility of the EP team to attempt to advise otherwise. If the principal persists in this request, protection can be provided by means other than overt ones: either covert protective surveillance or some form of proximity cover should be considered.
In other words, the principal and their entourage can significantly enhance the efforts of the protective team by taking precautions. Thus, the individual’s safety also depends on their own security awareness.
It’s unlikely that too many enterprise executives and HNWIs would look down on the practice of conducting a TVRA. It can seem like something that consumes plenty of time that the protective staff could have otherwise invested in “actually protecting the principal.” However, this could not be further from the truth. The vulnerability assessment itself is part of “actually protecting the principal” and sets a road map for security to follow and cover.
As Kevin Horak put it in his Practical Guide to the Close Protection Industry, “A good threat assessor must have the ability to communicate with the principal as well as other authorities and must handle all situations and communications with tact and absolute discretion.”
Ultimately, the role of a vulnerability assessment is to identify weak spots and provide recommendations on how to manage them. For example, suppose the security team gains no insight into the daily workings of the principal, their business, residence, and family. In that case, one cannot realistically expect them to complete their assignments to the best of their abilities.
Simply put, protection is a two-way street that requires buy-in from both the protector and the protectees.
Companies like Panoptic Solutions support individuals and organisations in enhancing productivity and peace of mind by offering unmatched threat and vulnerability assessment services.