Planning and undertaking your first risk assessment can be a daunting task. You may not yet feel confident with making decisions, selecting approaches and techniques, or moving through a full risk assessment.

The ProtectUK Approach is intended to support you through this, offering a pre-set risk assessment process backed by step-by-step guidance, templates and further resources. It aims to help build your maturity and confidence with the risk assessment process so that you can feel empowered to make key decisions around your risk management approach in the future.

ProtectUK Approach

The ProtectUK Approach forms the basis of the ProtectUK Guidance. It offers a pre-established, generic approach to assessing terrorist risk. It has not been designed with any one sector in mind.

The ProtectUK Approach consists of five key stages:

  • Stage 1: Identify the risks
  • Stage 2: Assess the risks
  • Stage 3: Treat the risks
  • Stage 4: Record your actions
  • Stage 5: Review

These stages are supported by step-by-step guidance and the ProtectUK templates: 

  • ProtectUK Risk Identification Template
    Part I: Threats and Existing Controls
    Supports the assessment of relevant threats and the identification of existing controls in place to manage those threats

    Part II: Vulnerabilities and Consequences
    Supports the assessment of gaps and weaknesses in your current security approach and helps build risk scenarios to identify the consequences of security incidents
     

  • ProtectUK Risk Assessment Template 
    Part I: Risk Analysis and Evaluation
    Supports the analysis and evaluation of risk identified in your risk identification template.

    Part II: Risk Treatment
    Supports the prioritisation and selection of appropriate treatment options for the risks you have identified 

The processes of recording and reviewing (Stages 4-5) are actively supported by the consistent use of these templates.

To assess risk, the ProtectUK Approach utilises the techniques listed below. These techniques determine how risks are identified, analysed and evaluated as part of the risk assessment process:

  • Consideration: How will I identify risks?
    Technique: Events-based approach (top-down)
    Description: Risks are identified by considering terrorist threat types and examining risk scenarios in a top-down approach.

  • Consideration: How will I assess risks?
    Technique: Qualitative methodology
    Description: Risks are analysed and evaluated using qualitative descriptors.

  • Consideration: How will I define and set risk criteria?
    Technique: 4 Level Scales; 7 Impact Types; 4 Risk Bands
    Description: Risks are measured using 4 level qualitative scales, with impact measured across 7 key impact types. Risks are subject to 4 risk bands with decision rules.

  • Consideration: How will I decide between risk treatment options?
    Technique: Judgemental Reasoning
    Description: Uses professional judgement to make decisions around risk treatment.

The ProtectUK Approach is additionally supported by two dedicated control lists. These lists can be used by any organisation looking to manage terrorist risk. They are not exclusive to the ProtectUK Approach. Both control lists can be used to help you identify and manage terrorist risk. However, each list has a different purpose: 

ProtectUK Control List
This list provides a broad set of controls over 12 different categories that may be considered by an organisation to help manage terrorist risk. These controls are intended for selection and implementation as part of business as usual activities. The list may be used to help determine the controls necessary to manage risk in key areas, such as incident response planning or access control, or it may be used to help you identify required controls that may be missing from your current security approach. 

Menu of Tactical Options (MoTO)
When the threat level increases to critical, or there has been an incident or attack, the controls you have in place may no longer be working effectively to control risk. MoTO provides a set of prescriptive, enhanced controls that may be introduced alongside existing control measures to offer an enhanced response to terrorist threats as required. Due to their enhanced nature, these controls are unlikely to be suitable for your organisation long-term.

The ProtectUK Approach actively uses both control lists to demonstrate the way these additional resources can be used to help identify and treat risk.

 

Health Warning

The ProtectUK Approach is intended to act as a broad example for those unfamiliar with assessing risk. At no point should it be taken as the definitive approach for assessing terrorist risk.

It should always be your intention to plan and develop your own risk assessment. This includes selecting an appropriate approach for identifying, assessing and treating risk. This will enable you to manage risk in ways that best serve your organisational needs.

If it is your intention to continue to use the ProtectUK Approach without adaptation, you should think carefully about whether a broad and generic approach to assessing terrorist risk is suitable for your organisation. You should also consider whether the methods selected and techniques used match your organisational needs. Additionally, you will need to be comfortable with the types of impact selected, the descriptions and levels of each reference scale, and the risk matrix and risk bands used. It is entirely possible that the risk criteria set by the ProtectUK Approach are unable to account fully for your organisational context and risk appetite. This may result in an over- or under-investment in control measures that could negatively affect the achievement of your organisational objectives if you do not tailor your approach for future assessments.

It is recommended that you use the ProtectUK Approach to familiarise yourself with the way a risk assessment is carried out. Once you are comfortable with this approach, you should look to customise and plan your own risk assessment.

Notes have been made throughout this guidance to suggest where you might introduce your own approach and methods in the future. Further guidance is also available in Section 2 to support you in customising your approach. 
