GCPSG-022 (2025): Threat and risk assessment guide

Purpose

The purpose of this document is to serve as a companion guide for the RCMP LSAs Threat and Risk Assessment (TRA) Course and also to provide GC employees with guidance on conducting a physical security TRA. This is intended to be used by employees leading or assigned to a TRA team, and will explain the seven core phases of the TRA process. This guide will provide foundational knowledge of the TRA process, empower employees to conduct thorough and complete assessments, and provide comprehensive reports to decision makers.

Applicability

This guide applies to GC employees and is applicable to members tasked with leading or participation in a TRA. The guide covers the core concepts of the seven phases of a TRA. Examples are given in the document from specific TRA methodologies, but may be substituted by the TRA team at their discretion. This guide is designed to be a supporting document to the RCMP LSA TRA professional development course, but can be used to support a functional understanding of the TRA process.

Equity, Diversity, and Inclusion in physical security systems

All employees of the GC have a responsibility to safeguard persons, information and assets of the GC. It is important that security policies and practices do not serve as barriers to inclusivity, but instead support and respect all GC personnel while ensuring appropriate security measures are maintained for the protection of GC personnel, assets, and information.

Initiatives to promote equality and inclusion among the diverse communities and heritages within the GC, should be respected in the development and maintenance of physical security systems. Departments and agencies should follow all GC legislation, policy and directives on Equity, Diversity, and Inclusion (EDI) in the promotion of a fair and equitable work environment for all persons while ensuring they meet their mandated security responsibilities.

Departments and agencies should conduct a risk management exercise to ensure, that while the dignity of all is respected, the protection of GC information, assets, and personnel is maintained. All questions on EDI policies and directives should first be addressed to your responsible departmental authority.

Information Technology considerations

With the constantly evolving threat landscape, and the convergence of physical and information technology (IT) security, the requirement to assess the risk of any application and/or software connected to a network to operate and support equipment in GC controlled buildings is critical. Some examples of these control systems could be for items such as, but not limited to, security lighting, perimeter gates, doors, HVAC, etc.

Before implementing any applications and/or software that will control and/or automate certain building functions, your departmental security requires the completion of a Security Assessment and Authorization (SA&A). This will ensure that the integrity and availability of the components the applications and/or software controls are maintained and that any risks highlighted will be mitigated. Starting the SA&A process early is highly recommended to ensure project delivery schedules are not affected. For more information on the SA&A process, please consult your departmental Security.

Preparation

The Preparation Phase, further explained in section 6 will identify the scope of the assessment and the acceptable level of residual risk. The scope of the assessment should be determined by a risk management authority which determines what assets will be evaluated in the TRA. The risk management authority should also assign the assessment to a qualified team of security practitioners.

In this phase, the TRA assessor, or team of assessors, should gather enough information to create a work plan outlining the key deliverables at each stage as well as the required resources to complete the TRA. Once a work plan has been completed, it should be reviewed to ensure it, meets the required timelines, respects the appropriate financial authorities, and resources are available for the project. If the TRA work plan is acceptable, management should document their approval and have the team commence the assessment.

Asset identification and valuation

The Asset Identification and Valuation Phase further explained in section 7 will identify all assets within the scope of the TRA. Time and resources should not be expended on assets that are not part of the TRA unless there are interdependencies tied to relevant assets. All assets that are within the parameters designated in the Preparation Phase should be clearly listed and assigned a value. There are several categories each asset may have, rated from Very Low to Very High. For physical security assessments of assets within the GC, all assets are assessed and assigned values based on the three security categories identified in Appendix J of the DSM: confidentiality, availability and integrity. While not explicitly stated in the DSM, Assessors might also consider the value associated with the assets, either the specific monetary value of the asset, or the cultural or social value associated with the assets compromise.

Asset values are also assigned based on a determination of injury, a representation of the damage that could result should the asset be compromised. While assets can be assigned multiple values based on perceived levels of injury, the highest scoring injury category should be prioritized for assessment.

Threat assessment

The Threat Assessment Phase further explained in section 8 will identify and list all real and potential threats the assets under evaluation for the TRA may realistically face. Threats can be categorized as either deliberate, accidental, or natural. The threats must be listed and assigned a Threat Level ranging from Very Low to Very High. This value is determined by comparing the likelihood of a threat occurring, with the gravity of the threat; in other words, a determination of what might happen if the threat impacts the asset.

Vulnerability assessment

During the vulnerability assessment, the TRA team will assess the assets under evaluation to identify what safeguards are in place to protect them. Once identified, assessors critically determine whether these safeguards are effective based on a probability of compromise and severity of outcome should the identified threats compromise the assets. Vulnerabilities contribute to risks by increasing threat probability, increasing likelihood of compromise, and enabling threats to cause more damage. This is further explained in section 9.

Calculation of residual risks

Residual risk is the remaining level of risk after assets, threats, safeguards and vulnerabilities have been compared against each other. Assessors can determine the residual risk in a TRA by comparing the total values for the assets, threats and vulnerabilities under the scope of the TRA. Various TRA methodologies will prompt assessors to convert each asset, threats and vulnerability value into a number using predefined risk assessment tables. These assigned numbers allow assessors to quickly determine the residual risk for each asset being evaluated by multiplying the asset value with the values for the relevant threat(s) and related vulnerability. The total value represents a score of residual risk for the asset.

Each residual risk can then be compared to the level of risk tolerance determined at the start of the TRA. Those risks that align or fall below the level of risk tolerance do not require risk mitigation; however, those residual risks that exceed the level of risk tolerance will require additional mitigation measures to reduce the residual risk to an acceptable level.

Recommendations

The Recommendation Phase further explained in section 10 contains the TRA team's comparison of the risks calculated against the acceptable risk level identified in the Preparation Phase. For residual risks that are at or below the target level of risk tolerance, the team should recommend the status quo be maintained, or safeguards be moderated to save resources. In the event safeguards are reduced or removed, a recalculation of the residual risk is required for management consideration. In all cases where residual risk exceeds the acceptable level, the TRA team needs to propose alternative measures to reduce the residual risk to the acceptable level. The TRA risk acceptance authority identified during the preparation phase will then review all proposed safeguards and determine what recommendations will be implemented to reduce residual risk. It is very important to note that the departments overall risk tolerance should not be adjusted to meet the TRAs residual risk score. Rather, safeguards should be employed to adjust the residual risk to a level commensurate with the departments risk tolerance.

The final TRA report

The TRA report further explained in section 11 is the main deliverable of the TRA process. The final report must be well explained and contain enough information to enable the responsible team to initiate the recommended and approved safeguards. A final TRA report will contain a summary of each phase of the TRA:

• Work Plan
• Asset Assessment
• Threat Assessment
• Vulnerability Assessment
• Prioritized Residual Risk list
• Recommendations

Also included will be management's decision to accept or decline recommended safeguards, maintain, increase, or decrease existing safeguards, and a formal signature acknowledging these decisions. More information on the risk management process can be found within GCPSG-018 Guide to the Risk Management Process for Physical Security. Only after the CSO or their delegate signs the TRA report will this process be complete.

Establish approval authorities

Before initiating a TRA, a risk assessment authority must be identified to approve the allocation of resources necessary for the project and with whom the authority rests to make risk assessment decisions. If these roles are held by different people, all must be informed and approve the commencement of the TRA. The authority to make risk assessment decisions generally belongs to an organization's Chief Security Officer (CSO), who is permitted by the Directive on Security Management 4.1.2.2 (DSM) to delegate this authority. If it is unclear to whom risk management authority has been delegated, assessors should confirm with their CSO office through their appropriate management chain. There will be costs associated with conducting a TRA; staff hours required, as well as additional monetary expenses may be incurred. Ensure there is a commitment from the financial authority to allow these resources to be directed toward the completion of the TRA. The approval authority can also be referred to as the risk owner as they accept any risk that result from the TRA findings.

Mandate and project scope

Once these authorities are identified, a project mandate must be established and agreed upon by the approval authorities. The mandate should include the GC organization's:

• Risk tolerance level
• Approved resources for the TRA project
• Budget/time limitations for recommendations
• The parameters that will limit the TRA scope in any way

The mandate should also identify who will sign off on the complete report and if they have been delegated authority by the CSO to accept any residual risk that exceeds the level of risk acceptable to the organization. Before starting the TRA, the project authorities and team members should have a clear understanding of the scope and mandate of the project. This may include assets to be assessed and, based on the assets' current level of criticality, the depth of assessment warranted. The scope of the TRA will vary based on the time needed to complete the assessment and the amount of resources available. The focus of a TRA may vary from a narrow assessment, such as a room housing sensitive documents within a GC facility, to a broad assessment that could encompass all assets in a multi-building portfolio.

When considering the scope of a TRA, assessors should consider if it is a general strategic level assessment which looks at a specific area, or an in depth and detailed assessment that explores various scenarios with only a handful of assets, threat, or vulnerability variables. This will assist in establishing the criteria of the assessment, what is to be assessed, and what is within or beyond the scope of the assessment. It is imperative for project authorities and TRA team members to agree upon clear and defined parameters in order to avoid the scope expanding beyond, or failing to meet, the intended evaluation of the required areas.

Understanding management's level of risk tolerance

A Deputy Head is responsible for determining how much overall risk a department is willing to accept and the CSO is delegated to assess the amount of residual risk they are willing to accept from a security perspective. Each organization should establish a level of risk tolerance that reflects the sensitivity of the work they perform and the types of assets they use to perform their key services. The CSO may further delegate risk management decisions, which can result in different units having risk tolerance levels that are different than the baseline. Assessors must identify who is responsible for managing the risk associated to the assets under assessment for the TRA. This individual will be identified as the Authority having Jurisdiction (AHJ). Larger TRA projects may have multiple AHJ responsible for different assets that will be evaluated, you must engage all of them in risk tolerance discussions. There must be consensus between all AHJ and the TRA team regarding the risk tolerance levels. It is imperative the AHJ and TRA team agree on the target level, as well as what that level will look like when implemented. Ensure the AHJ understands the metrics being used to measure residual risk, and confirm this matches their stated risk tolerance level.

It is crucial that management and the assessment team have a common understanding regarding risk tolerance, project sign-off, and any prior assumptions or determinations. If there is any confusion or disagreement, it can delay the project, or lead to inadequate or inappropriate recommendations that do not align with management expectations.

Team selection

Having the right team composition greatly improves the efficiency of the TRA process, and contributes to the best possible analysis and recommendations. While many TRAs will likely be done by one or two individuals, the team size and composition will be dictated by the following considerations:

• The scope of assessment
• Complexity of assets
• Urgency of the situation
• Distribution of assets
• Availability of qualified personnel

A team should have at least 1 member with one or more of the following:

• A strong understanding of the TRA process
• A detailed understanding of the department/unit's operational requirements
• A thorough understanding of security standards and other safeguards
• The authority and security screening levels to access a facility or location where the assets under assessment are found

Without appropriately qualified personnel, representing both operational interests and security considerations, the resulting TRA might contain insufficient information to address the concerns that caused the assessment's initiation.

Depending on the scope of the project, the TRA team can also be composed of individuals who can provide details of the assets, threats, or vulnerabilities that the rest of the team can use to efficiently complete the assessment. These resources could include:

• Facility Security Personnel - local guard supervisor, site security manager, or member(s) of the security team
• Facility Management - members of real property, architects, or engineers to advise on design considerations
• Subject Matter Experts - specialists responsible for specific systems if these fall within the scope of the TRA being performed (Information Technologists, Custodians of Classified Materials)

Depending on the size and complexity of the TRA, or the number and experience level of the assessment team members, expertise may be acquired from other departments to provide specialized support and guidance on various topics. These specific departments are listed in the Policy on Government Security (PGS) under section 5 "Roles of other government organizations."

Identifying assets

There are two types of assets to consider when conducting a TRA, tangible and intangible.

• Tangible assets are easier to identify and evaluate as they encompass things that can be physically touched and damage to them is easier to measure. Computer servers and equipment, documents, and vehicles are all examples of tangible assets
• Intangible assets, which can be harder to identify. Levels of injury for intangible assets are often subjective and are open to interpretation by assessors and stakeholders. These assets include concepts such as public trust in an organization, reputation, and confidence in the department or agency's ability to deliver critical services

Personnel are also assets to an organization, as they interact with tangible assets to deliver services. Service delivery can have an effect on intangible assets such as employee perceptions and client expectations. The ability for employees to deliver services using tangible assets has a direct effect on these intangible assets. Personnel value can be measured by using their intrinsic value, or their operational value, whichever is higher. Personnel who can prevent wide-scale death by completing their operational duties would have a higher operational value than measuring the intrinsic value of their life alone. When assessing assets, carefully consider the services the assets are responsible for delivering, as this can help guide analysis of assets and potential levels of injury based on the criticality of the service being provided. The greater the impact on the assets, the greater the disruption to the service delivery, which in turn, affects those intangible assets like employee perceptions or client expectations. The relationship between assets, personnel, and the delivery of service is highlighted in the graphic below.

Text description: Employees, assets, and services relation chart

A gray-scale diagram illustrates a model of service delivery. Rectangular boxes, with light gray shading and subtle shadows, represent key elements. Two boxes, labeled "Employees" and "Tangible Assets," are positioned above and slightly to the left of a third box labeled "Services." An arrow connects the "Employees" and "Tangible Assets" boxes to the "Services" box, signifying a combined input. A slanted, gray-shaded box, labeled "Affect," is below and connected to the "Services" box. This box influences or impacts "Intangible Assets," which is an additional box positioned below the "Affect" box and is further detailed as "Employee Perceptions" and "Client Expectations". The diagram visually depicts how tangible assets, coupled with employee efforts, lead to service delivery that affects intangible assets like customer perceptions and expectations.

It is vital that all categories of assets are considered when determining which assets are within the TRA scope, and when determining interdependencies. When conducting a TRA, there is a high probability that there will be additional assets found that are not within the defined scope of the TRA. Resources should not be expended unnecessarily for any assets that are not within the scope of the assessment, or do not have valid interdependencies unless these have been established through the assessment process.

Assessing asset injury

Following the identification of all assets within the scope of the TRA, assessors need to determine the level of injury for each asset. Asset injury represents a determination of what might happen if the asset is subject to compromise and not able to contribute to the delivery of the organization's critical services. Injury can be assessed based on several categories: physical harm, psychological harm, environmental damage, diminished reputation, and loss of trust in the institution.

Most TRA methodologies have a system for assigning injury scores based on the potential harm caused by a compromise. While the specific calculation formulas vary depending on the TRA methodology, the underlying principles remain the same - the higher the level of compromise for the asset, the higher the asset will be scored for potential injury.

The DSM provides specific criteria for determining injury. As outlined in Appendix J of the DSM, injury results from an asset losing one or more of the following criteria:

Prioritized Asset List

Once all assets have been assessed and have values, they may be compiled in a Prioritized Asset List starting with the assets of highest injury value (highest priority) and in descending order to the lowest value (lowest priority).

In cases where multiple assets hold identical numerical scores, the TRA team will have to re-evaluate and select the order in which they will be listed. This can be done by comparing the second-highest values if applicable. If the assets have equal scores in subsequent values the team may make a subjective call on the order the assets are prioritized and include an explanation for the decision. When making a subjective call to rank these assets, the TRA team should align these with the overall objectives of the TRA, the organization's mandate, and any service deliverables that may be affected. Consideration can also be given to which asset is more likely to be targeted or affected by a compromise. The asset that is more likely to be targeted or affected should be placed at a higher priority.

Threat categories

Threats can stem from a variety of sources. Various TRA methodologies breakdown threats into one of three common categories: deliberate, accidental, and natural hazards. Each category should be evaluated unless excluded by the scope of the TRA. Working through each category individually is advised, as it can be easy to overlook natural and accidental threats with the greatest attention being paid to deliberate threats.

Assessing threat likelihood

Threat likelihood is the probability that a threat will compromise an asset, and can be difficult to accurately determine given the uncertainties around particular threats. TRA methodologies will generally include matrices to help determine a likelihood score to be used in their calculations. Inputs can include regional data, such as incidents involving similar facilities or assets, frequency of criminal events, historic weather data and other such info.

Table 4 is a likelihood assessment tool used in HTRA Methodology. The assessor will collect data to determine the frequency of a threat, where the threat has taken place and compare the location where the assets are located, other assets at the same location or similar assets at alternate locations. These values are then used to determine an overall likelihood value for the specific threat. This table should be used for critically thinking through threat scenarios.

Example: A federal ballot counting facility. The scope is specifically evaluating the risk when a count is taking place. An identified threat is anti-government protestors attempting to disrupt the ballots from being counted. Data shows this is an incident type that happens regularly and during every election for this location. Elections are only held every four years, so using the chart, the past frequency would be every 1,000 to 10,000 days. With this data input, the likelihood output would assessed as Low. This score however is not reflective of the actual likelihood, as the incident occurs every time the ballots are counted. Considering the scope of the assessment, it is more accurate to determine the past frequency as daily, given similar incidents have occurred at this location every time the parameters of the assessment are present. Recalculating the likelihood with this more accurate information would give the more reflective likelihood rating of High. This reasoning should be explained in the TRA to demonstrate how the likelihood score was determined.

Assessing Threat Gravity

The gravity of a threat reflects the consequence of the threat affecting the asset under evaluation, and the level of damage that can occur. To assess the threat's gravity, compare it to each asset's highest scoring injury categories identified in Section 7: Asset Identification and valuation. Next, analyze the amount of damage that a threat could cause, should the threat compromise the asset. The more harm a threat can potentially cause, the higher the threats gravity. Consider the threat's effect on an asset's criticality, confidentiality, availability, integrity, monetary value and potential casualties if an incident occurs. Each methodology determines the gravity of a threat, usually in a matrix such as that used by HTRA. The example in 8.2 Assessing Threat Likelihood is expanded on below using this chart to demonstrate the practical application of assessing gravity.

Example: Local law enforcement has shared data from previous encounters with this anti-government group. Data suggests they are associated ideologically with an international protest movement. The group operates exclusively in local cells, with no direct cooperation with any sibling groups. Communication between groups is limited to easily monitored public social media pages. A review of incident reports at this location involving the group suggest they are willing to cause minor damage to property (graffiti), and will conduct low skill denial of service tactics (gluing locks, obstructing roadways, blocking staff access, etc). A review of data shows the group does not have any violent intentions but will passively resist arrest if police become involved. Local police and private security services have managed to contain and control the group within three hours in all recorded incidents at this location. When using this information to determine the group's capabilities, they portray limited resources and skill. When determining the impact of incidents caused by the group, data suggests the group is modestly destructive and causes interruption of service, usually no longer than three hours. This data corresponds to a gravity level of Low, in the HTRA matrix.

Calculating Threat Levels

Overall threat levels can be determined by comparing threat levels associated with the likelihood a threat will occur and the impacts of what happens if the threat does occur, the threat's gravity. The higher the score, the more serious the threat. These scores will generally use the potential casualties, loss of financial value, damage to reputation or denial of service severity to allocate a threat score. The chosen TRA methodology will generally have a calculation or matrix that will compare likelihood and gravity scores/levels to generate an overall threat level. Below is an example from the HTRA Methodology using data collected in the example case in 8.2 Assessing Threat Likelihood and 8.3 Assessing Threat Gravity a threat level will be generated using the matrix.

Example: The anti-government group has received a likelihood score of High and a gravity score of Low. When this data is input to the HTRA Matrix, it generates a final threat score of Medium. Based on the analyzed information this output is reflective of the situation and will be recorded with any supporting data in the final TRA report. Once all threats have been addressed, the final step of this phase is to create a prioritized threat list beginning with the highest threat level to the lowest. This provides decision makers a snapshot of all the threats that have been identified including notes on each, and the calculation it received.

Vulnerability assessment

A vulnerability assessment evaluates the potential susceptibility to compromise of the asset against the identified threats and provides a basis for determining mitigation measures for the protection of those assets. The purpose is to analyze the effectiveness of safeguards, as opposed to analyzing the threat for which the safeguards are intended to protect. This is the difference between doing just a vulnerability assessment and looking at vulnerabilities for a wider risk assessment.

Unlike with the threat or the asset, security professionals can have a greater influence over the vulnerability in the TRA process. It is always possible to alter or correct the vulnerability as a pre-emptive approach to a threat. The vulnerability assessment phase is comprised of five sequential steps:

Calculation of Residual Risk

Residual risk represents the amount of risk remaining, following a determination of values for asset, threat, and vulnerability data. A residual risk calculation is to determine residual risk levels ranging from Very Low to Very High based upon the value of assets identified during the assessment, the threats that might compromise these assets, employees and services, and any related vulnerabilities. Various TRA methodologies will prompt assessors to use a basic mathematical calculation to convert risk levels into numerical values which can be compared together to express a total level of residual risk. In HTRA, risk is a function of asset, threat, and vulnerability values or R =f (Aval, T, V). Each value is multiplied together to give an overall risk score. This allows for more accuracy when determining which risk to address first, and how each risk should be handled accordingly based on the prioritized list.

As part of the analysis, each of the three variables (Assets, Threats and Vulnerabilities) have been assigned a level from Very Low to Very High. To determine the residual risk, each of the three factors Asset, Threat and Vulnerability values should be assigned a numeric score from one to five in accordance with the first half of table 14 above. Once the risk levels are given numeric scores from one to five for each variable, the final results for residual risk may range from 1 to 125 (Asset × Threat × Vulnerability).

An example would be an Asset's value of (5) × the Threat value (5) × the Vulnerability value (5), produces an overall risk score of 125.

When calculating residual risk using HTRA, there are few things assessors should remember to keep in mind when selecting levels to use in HTRA's residual risk formula:

Multiple threats affecting the same asset

Since assets can be affected by multiple threats (sometimes with different overall threat levels), assessors should create separate entries for assets based on which threat is affecting them. This will allow for one overall asset and threat level to be used for the calculation and vulnerabilities specifically selected for the threat scenario

Multiple vulnerabilities affecting the same asset

It is often the case that an asset could be exposed to injury based on multiple vulnerabilities, either involving deficient safeguards, and related vulnerabilities. When selecting from multiple vulnerabilities to determine an overall vulnerability level for the asset, assessors should prioritize the highest overall vulnerabilities based on the threat scenario under analysis. If there is more than one vulnerability with the highest level for the scenario, assessors can use this level and explain in their rationale that the highest vulnerability level represents the various elevated vulnerabilities and then provide a description of those vulnerabilities.

When considering which vulnerabilities represent the highest overall vulnerability levels, assessors should make sure to carefully consider safeguard performance and extended vulnerability assessment when determining and prioritizing vulnerabilities.

There are instances when using the previous levels from Very Low to Very High, that would allow for improper prioritization of risks to address first. For example, if you have two risks that are at the High level, it might be difficult to determine which risk to prioritize over the other. If one high-risk level translates to a risk score of 36, and the other translates to a risk score of 45, the risk score of 45 (risk level of High) should be prioritized first in the list.

Identification of Unacceptable Risks

To determine if a risk is unacceptable, the defined risk tolerance identified in the preparation phase is compared against the prioritized list of residual risks. Any residual risk that exceeds the defined risk tolerance level are unacceptable and require mitigation recommendations that can lower the risk level to the approved risk tolerance level.

Selection of Potential Safeguards

Each unacceptable risk identified should recommend one or more strategies to mitigate the risk. One of the most effective ways at reducing residual risk is by adding supplementary or modifying existing safeguards for all assets under evaluation for the assessment. Effective safeguards will perform proper PDRR functions, reduce vulnerabilities and threat impacts and serve to mitigate multiple vulnerabilities at the same time is possible. Assessor must ensure the proposed mitigation recommendations are reasonable. This information is necessary for the signing authority to make an informed decision regarding implementation. They will assess the possibility of accepting higher risk, increasing the budget or extending the timeline of the project

Assessment of Projected Residual Risk

Once the TRA team has identified and proposed safeguards to mitigate any risks that exceed established levels of risk tolerance, these recommendations are assessed to determine their projected residual risk once implemented. To determine this, return to 9.1 Vulnerability Assessment and 9.2 Calculation of Residual Risk and complete these phases again using the data from the proposed safeguards. Proposed safeguards are unlikely to have historic data available on site, and will therefore require collection using alterative means. This can be through specifications provided by the manufacturer, reviewing service offerings from contract companies, or analyzing data from similar facilities that are utilizing the safeguard in their operations. This will give you a projection of the residual risk in the event the proposed safeguards are implemented.

If the proposed safeguards do not bring the projected residual risk equal to or lower than the risk tolerance level repeat section 10.2 Selection of Potential Safeguards, and 10.3 Assessment of Projected Residual Risk until a proposed safeguard brings the residual risk within acceptable levels, or all plausible mitigation efforts have been explored. The point of this process is to reduce the level of risk to the lowest level possible, ideally at or below the established risk tolerance level. There may be cases where the threat or vulnerabilities present may make achieving the desired risk tolerance level unfeasible; in these cases, those sponsoring the project may need to consider formally accepting a higher level of risk. All assessments and recommendations, including ones that do not achieve the desired residual risk score, should be included in the final report. The possibility of reducing risk even if the target level is not achieved can be beneficial to an organizations overall total risk score.

Report Sign Off - Risk Acceptance Authorities' Role(s)

Once all information has been compiled into a final report the Risk Acceptance Authority, as identified in the Preparation Phase signs off to complete the TRA. The TRA is not considered final until this step is complete.

When signing final TRA report, the signing authority identifies which recommendations, if any, will be initiated. If the selected recommendations do not bring the residual risk to within the risk tolerance level, the signing authority should then accept the higher residual risk and record this for future reference. For information on the risk acceptance process consult GCPSG-018 Guide to the Risk Management Process for Physical Security.

For all approved recommendations, steps should be put in place to ensure they are completed within the timelines determined in the TRA. A plan should also be developed to review and evaluate the implemented recommendations after an appropriate length of time to assess how effective they are reducing the residual risk to the acceptable level. Details on this process can be found in GCPSG-016 Guide to the Facility Assessment and Authorization Process.