Professor Sele
Lead Risk Assessment Specialist | SafeHaven Strategies

"Risk you haven't assessed is risk you've accepted by default."

Module 2

Risk Identification and Hazard Analysis

Professor Sele: You cannot manage a risk you haven't identified. This module covers the full range of methods used to surface threats and hazards — from document review and site inspection to stakeholder interviews and historical analysis.

Section 1 — Categories of Security Risk

Security risks fall into four main categories: physical (intrusion, theft, vandalism, vehicle attack, perimeter breach), personnel/insider (employee misconduct, corruption, sabotage, data theft by trusted insiders), cyber and information (data breaches, system compromise, communication interception), and environmental (flooding, fire, power outages, proximity to industrial hazards, natural disasters).

A comprehensive ESRA addresses all four categories — not only the physical threats that are easiest to see.

Section 2 — Hazard Identification Methods

Five methods are used to identify hazards: document review (previous incident reports, near-miss logs, previous assessments, client security policies); physical site inspection (walking the entire site, testing access points, observing guard procedures, checking equipment); stakeholder interviews (speaking with client management, security staff, and operational personnel about their concerns); historical analysis (reviewing crime statistics and incident patterns for the area); and intelligence review (current threat picture from LNP, OSINT sources, and SafeHaven intelligence).

Section 3 — The Threat vs. Hazard Distinction

A threat involves an intentional actor — a criminal, terrorist, or hostile insider who may choose to act. A hazard is a condition or circumstance that can cause harm regardless of intent — a faulty electrical installation, a flood risk, or an unlit car park.

Both must be identified and assessed. Many organisations focus exclusively on threats and neglect hazards — a fire from a hazard can be as destructive as an arson attack from a threat.

Section 4 — Critical Assets

Part of hazard analysis is identifying critical assets — the people, systems, and resources whose loss or compromise would most severely impact the client's ability to function. These assets become the primary focus of risk controls. Not everything can be equally protected — ESRA helps prioritise.

Key Points
  • Four risk categories: physical, personnel/insider, cyber/information, environmental
  • Hazard identification uses document review, site inspection, interviews, historical analysis, and intelligence
  • A threat involves intentional human action; a hazard can cause harm without intent
  • Both threats and hazards must be identified — neglecting either creates gaps
  • Identify critical assets early — these drive the prioritisation of control measures

Field Note · Professor Sele

"On a site inspection I found a drainage channel running beneath the perimeter wall that was wide enough for a person to crawl through. It was on no security plan, no CCTV angle covered it, and the guards didn't know it existed. The client's maintenance team had built it three years earlier and nobody in security had ever been told. Physical inspection finds what documents don't show. Get out of the office. Walk the site."

Knowledge Check

What does "vulnerability" mean in a security risk assessment?