A protective security risk assessment is a structured process for identifying, evaluating, and mitigating the risks that terrorism poses to a specific premises, event, or organisation. Unlike general health and safety risk assessments, which focus on accidental harm, a protective security risk assessment considers the deliberate intent of a threat actor to cause maximum harm — and the specific vulnerabilities that could be exploited to achieve that aim.
With Martyn's Law (the Terrorism (Protection of Premises) Act 2025) now requiring qualifying premises to take protective security measures — and Enhanced tier premises to conduct formal terrorism risk assessments — understanding how to carry out this process has become a professional and legal necessity for thousands of organisations across the UK.
Important
Under Martyn's Law, Enhanced tier premises (capacity of 800 or more) are legally required to conduct a terrorism risk assessment. Even Standard tier premises (200-799 capacity) will benefit significantly from conducting one, as it underpins effective public protection procedures.
General Security vs Counter-Terrorism Security
Before diving into the assessment framework, it is important to understand why protective security risk assessment differs from general security risk assessment. General security focuses on crimes of opportunity — theft, vandalism, antisocial behaviour. The perpetrators are typically opportunistic, and the measures designed to deter them (locks, alarms, lighting, visible security staff) are well understood.
Counter-terrorism security, by contrast, deals with adversaries who are determined, often willing to sacrifice their own lives, and may spend weeks or months planning an attack. They conduct reconnaissance, identify vulnerabilities, and choose methods designed to cause maximum casualties. The security measures that deter a shoplifter will not deter a determined terrorist. This is why a separate, specialist risk assessment process is needed.
The Assessment Framework: Threat, Vulnerability, Risk, Mitigation
Protective security risk assessment follows a structured framework that moves from understanding the threat landscape through to implementing proportionate mitigations. This framework is used by Counter Terrorism Security Advisors (CTSAs) and is taught as a core competency on the CTPSaP qualification. The four stages are:
1. Threat Assessment — understanding who might attack, how, and why
2. Vulnerability Assessment — identifying what could be exploited
3. Risk Evaluation — determining the likelihood and potential impact
4. Mitigation Implementation — putting proportionate measures in place
Step 1: Understanding the Threat Landscape
The first step in any protective security risk assessment is to understand the threat. This means considering the current national threat level (set by the Joint Terrorism Analysis Centre), the types of attack methodologies that are prevalent, and whether your specific premises or sector has been targeted or referenced in extremist material.
Key attack methodologies to consider include:
- Vehicle-as-weapon attacks (driving into crowds)
- Bladed weapon attacks (knife attacks in public spaces)
- Improvised explosive devices (IEDs), including person-borne and vehicle-borne
- Firearms attacks (marauding terrorist firearms attacks)
- Chemical, biological, radiological, and nuclear (CBRN) threats
- Arson and incendiary attacks
- Cyber-enabled attacks affecting physical security systems
The UK threat level system ranges from LOW (an attack is highly unlikely) to CRITICAL (an attack is highly likely in the near future). Regardless of the current national level, your assessment should consider the full range of attack methodologies and evaluate which are most relevant to your specific premises and circumstances.
Info
The current UK threat level is published by MI5 and is publicly available. However, threat level alone should not drive your risk assessment. Even when the national level is SUBSTANTIAL, specific sectors or locations may face elevated risk due to local factors, events, or symbolic significance.
Step 2: Identifying Vulnerabilities
With the threat landscape understood, the next step is to assess your premises for vulnerabilities — weaknesses that could be exploited by a threat actor. Vulnerabilities fall into three broad categories:
Physical Vulnerabilities
- Lack of perimeter protection or hostile vehicle mitigation
- Uncontrolled or poorly monitored access points
- Inadequate or poorly positioned CCTV coverage
- Glazing that offers no blast protection
- Unprotected areas where crowds gather (queues, entrances, foyers)
- Concealed areas that could be used for placing devices
- Vehicle access routes that approach crowd areas
Procedural Vulnerabilities
- No formal search policy for bags, vehicles, or deliveries
- Lack of lockdown or invacuation procedures
- Inconsistent application of existing security measures
- No protocol for reporting suspicious behaviour
- Absence of a tested emergency communications plan
- No relationship with local Counter Terrorism Security Advisor (CTSA)
Personnel Vulnerabilities
- Staff who have not received any counter-terrorism awareness training
- No culture of security awareness or vigilance
- High staff turnover leading to inconsistent security knowledge
- Reliance on untrained volunteers for crowd management
- No designated individual responsible for protective security
Step 3: Evaluating Risk
Risk is the product of threat and vulnerability, weighted by the potential impact. A formal risk evaluation uses a matrix approach to assess each identified risk on two dimensions:
- Likelihood — how probable is it that a specific attack methodology could be used against your premises, given the current threat landscape and your vulnerabilities?
- Impact — if such an attack were to occur, what would be the consequences in terms of casualties, injuries, damage, and disruption?
By plotting likelihood against impact, you can prioritise your risks and focus your limited resources on the areas where they will have the greatest effect. Not every vulnerability needs the same level of investment — the key is proportionality. A large arena hosting nightly concerts faces a different risk profile than a community hall that occasionally holds events for 250 people.
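As an added worked example (not from the original article, nor from the CTPSaP course material), the likelihood-against-impact scoring described above for the community hall scenario, in Python. The 1 to 5 scales, the rating bands and the five sample risks are assumptions constructed for the illustration; a real assessment would set its own scales and have a CTSA sanity-check the scores.

```python
from dataclasses import dataclass

# Scale labels are this example's own convention, not a published standard.
LIKELIHOOD = {1: "Remote", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Highly likely"}
IMPACT = {1: "Minor", 2: "Moderate", 3: "Serious", 4: "Severe", 5: "Catastrophic"}


@dataclass(frozen=True)
class Risk:
    attack_method: str   # methodology identified in the threat assessment (Step 1)
    vulnerability: str   # weakness identified in the vulnerability assessment (Step 2)
    likelihood: int      # 1-5, given current threat landscape and the vulnerability
    impact: int          # 1-5, casualties, damage and disruption if it occurred

    def __post_init__(self):
        # Reject scores outside the matrix rather than silently mis-ranking them.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")

    @property
    def score(self) -> int:
        # Classic matrix scoring: risk = likelihood x impact (range 1-25).
        return self.likelihood * self.impact


def rating(score: int) -> str:
    # Band thresholds are an assumption for this example; tune them to your matrix.
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def prioritise(risks):
    # Highest score first. Ties are broken by impact, because in a counter-terrorism
    # context the casualty consequence should dominate over probability.
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)


def matrix(risks):
    """5x5 grid (rows = likelihood 1-5, columns = impact 1-5) counting risks per cell."""
    grid = [[0] * 5 for _ in range(5)]
    for r in risks:
        grid[r.likelihood - 1][r.impact - 1] += 1
    return grid


def register(risks):
    """Prioritised register rows: (attack method, score, rating)."""
    return [(r.attack_method, r.score, rating(r.score)) for r in prioritise(risks)]


# Constructed sample: a community hall with a 250-person capacity (hypothetical).
SAMPLE_RISKS = [
    Risk("Vehicle-as-weapon", "Entry queue forms on the pavement beside a through road; no HVM", 3, 5),
    Risk("Bladed weapon", "Single entrance staffed by one volunteer; no search policy", 3, 4),
    Risk("Person-borne IED", "No bag search; bags stored under the foyer coat rail", 2, 5),
    Risk("Arson", "Waste bins kept against the rear fire exit", 2, 3),
    Risk("Cyber-enabled (CCTV)", "CCTV recorder unpatched and not segregated from public Wi-Fi", 2, 2),
]

if __name__ == "__main__":
    for method, score, band in register(SAMPLE_RISKS):
        print(f"{band:6} {score:2}  {method}")
    for row in reversed(matrix(SAMPLE_RISKS)):  # print with likelihood 5 at the top
        print(" ".join(str(cell) for cell in row))
```

The output ordering is the point: the vehicle-as-weapon risk (score 15) lands in the High band and the two Low-band items would get the cheapest proportionate treatment (moving the bins, patching the recorder), which is exactly the prioritisation the matrix is meant to force.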
Step 4: Implementing Mitigations
Mitigation measures should be proportionate to the assessed risk and practicable given the nature of the premises and available resources. Measures generally fall into three categories:
- Physical measures — hostile vehicle mitigation (bollards, planters, barriers), access control (turnstiles, barriers, staffed entrances), CCTV, blast-resistant glazing, secure perimeters
- Procedural measures — search policies, lockdown procedures, communication protocols, incident response plans, regular exercises and drills
- Personnel measures — staff training (CT awareness, hostile reconnaissance detection, Run Hide Tell), designated security coordinator, relationship with local CTSA, security culture development
Pro Tip
Proportionality is key. Martyn's Law explicitly requires "reasonably practicable" measures. A village hall with a capacity of 250 is not expected to install airport-style security. Simple, low-cost measures like staff awareness training, locking secondary entrances, and having a tested lockdown plan can significantly reduce vulnerability.
Step 5: Review and Update
A risk assessment is not a one-off document. The threat landscape evolves, your premises may change, and your mitigations may degrade over time. Your risk assessment should be reviewed:
- At regular intervals (at least annually)
- Following any significant change to the premises (renovation, extension, change of use)
- After any security incident or near-miss
- When the national threat level changes significantly
- After major events in your sector (attacks on similar premises elsewhere)
- When new guidance is published by ProtectUK, the SIA, or Counter Terrorism Policing
Martyn's Law Requirements for Risk Assessment
Under the Terrorism (Protection of Premises) Act 2025, Enhanced tier premises (800+ capacity) are required to conduct a formal terrorism risk assessment as a legal obligation. The Act specifies that this assessment must identify threats, assess vulnerabilities, and lead to the implementation of reasonably practicable measures to reduce risk. The assessment must be documented, reviewed regularly, and made available to the SIA upon request.
Standard tier premises (200-799 capacity) are not explicitly required to conduct a formal risk assessment under the Act, but they are required to implement public protection procedures. In practice, you cannot develop effective public protection procedures without first understanding your risks. Conducting a proportionate risk assessment — even an informal one — is therefore strongly recommended for all qualifying premises.
Common Mistakes to Avoid
- Treating the risk assessment as a tick-box exercise rather than a genuine security tool
- Focusing exclusively on physical measures while ignoring procedural and personnel vulnerabilities
- Failing to involve operational staff who understand the day-to-day realities of the premises
- Copying a generic template without tailoring it to your specific premises and circumstances
- Conducting the assessment once and never reviewing it
- Overcomplicating the process — proportionality applies to the assessment itself, not just the mitigations
- Not engaging with your local Counter Terrorism Security Advisor (CTSA), who can provide free, specialist advice
- Assuming that because no attack has occurred, the risk is low
Important
The CTPSaP qualification teaches protective security risk assessment as a core competency. If you are responsible for conducting risk assessments under Martyn's Law, or advising organisations on their protective security, the CTPSaP provides the structured framework and professional credibility you need.
Get Qualified to Conduct Protective Security Risk Assessments
Protective security risk assessment is both an art and a science. It requires understanding of the threat landscape, structured analytical skills, and the professional judgement to recommend proportionate mitigations. The CTPSaP qualification — endorsed by Counter Terrorism Policing — provides all of this and more.
CTPSaP: Counter Terrorism Protective Security & Preparedness
Learn to conduct professional protective security risk assessments. The CTPSaP is the only CT Policing-endorsed qualification, delivered in small cohorts of no more than 6 at Battersea Power Station.