Risk Management Process

The ProtectUK Risk Management Process (RMP) has been tailored specifically to manage terrorist risk. It is adapted from the general risk management process found in a number of standards, including ISO/IEC 31000 and ISO/IEC 27005. The approach consists of five key stages that capture the following core ProtectUK risk assessment activities:

• Stage 1: Identify the risks (risk identification) 
• Stage 2: Assess the risks (risk analysis and evaluation)
• Stage 3: Treat the risks (risk treatment)
• Stage 4: Record your actions
• Stage 5: Review

The above activities are supported by the ProtectUK risk assessment templates:

• ProtectUK risk identification template
  Supports stage 1 of the ProtectUK risk assessment process 
• ProtectUK risk assessment template 
  Supports stages 2-3 of the ProtectUK risk assessment process

The process of recording and reviewing (stages 4-5) are actively supported by the consistent use of these templates.

The ‘related content’ page on ProtectUK’s Risk Assessment process will take you through this approach step-by-step.

The ProtectUK approach identifies risk by considering relevant terrorist threats and examining risk scenarios. A qualitative risk analysis methodology, generic risk criteria, and a risk matrix are utilised to assess and evaluate risk. The methods and techniques that make up the ProtectUK approach are discussed in greater detail throughout this guidance. 

While the ProtectUK approach forms the basis of this guidance and is freely available for use, its primary intention is to act as a broad example. This is due to its generic nature. In order for you to gain the most value and insight from the risk management process, your risk assessment should move beyond the generic to capture your organisational context and risk appetite. To support you in achieving this, the ProtectUK approach is presented alongside additional information and guidance that will help you tailor your approach to your organisational needs. 

In risk management, a control is any measure or action that modifies risk. In order to address the risk of terrorism, you will need to introduce controls that modify the risk you face to an acceptable level for your organisation. 

The ProtectUK Controls List has been designed specifically to help you achieve this. The list takes its inspiration from the operational level controls included in ISO/IEC 27001, and groups a number of broad controls across 12 distinct categories:

1. Policies and Procedures
2. Internal Organisation 
3. People and Personnel
4. Access Control
5. Physical Environment Security
6. Cybersecurity
7. Asset Security
8. Service Delivery 
9. Communications
10. Security Incident Preparedness and Response
11. Security Incident Management
12. Business Continuity

The ProtectUK Controls list may be used in conjunction with the enhanced controls captured within the Menu of Tactical Options (MoTO) to help manage terrorist risk.

The Menu of Tactical Options provides a list of prescriptive, enhanced controls that should be considered to support your business when there has been an increase in threat level to critical, or following an incident or attack. These controls may be introduced alongside the controls listed in the ProtectUK Controls List to offer an enhanced response to potential terrorist threats. This may include stepping up the measures you already have in place, or introducing new controls temporarily. 

The control measures outlined in MOTO are intended for implementation during times of increased risk and may be unsuitable or unsustainable for your organisation in the long-term. This is due to the increase in resource and financial commitment that these controls are likely to require. MOTO controls should therefore be subject to informed revision when the threat level decreases. This should be assessed and evaluated using the RMP.