What a threat and vulnerability assessment actually examines


A threat and vulnerability assessment is easy to describe in the abstract and harder to do well. The abstract version is a review of risks and recommendations. The useful version is an account of how risk actually accumulates in a specific organisation, and what can be done about it.

The difference lies in where you look. A weak point in isolation is rarely the problem. A single procedural gap, a single physical weakness, a single assumption about behaviour: on their own, these are usually survivable. It is when they line up that they create a pathway, and pathways are what an assessment should be hunting for.

The layers

We examine physical and environmental exposure, the procedural and process gaps that sit beneath day-to-day operations, and the cultural and behavioural factors that determine how all of it is actually applied. We look at access, escalation and incident response, not as documents but as they function under pressure.

Crucially, we look at how these layers interact. A door control that depends on a habit, a reporting policy no one has time to follow, a contractor arrangement that quietly bypasses a check: these only become visible when you stop assessing each layer separately.

How the work is done

Sound assessment is built on structured engagement across the organisation, supported by targeted interviews, document review and consultation with leadership. The interviews matter as much as the documents, because the gap between the written process and the lived one is where risk tends to live.

An assessment can be proactive or prompted by a specific concern. Either way, the measure of a good one is not the length of the risk register. It is whether leadership finishes the report knowing what to do first.

The outcome should be proportionate. A catalogue of every conceivable risk is not an assessment; it is an abdication. The value is in judgement: what matters, why, and in what order.

A practice of Jayde Consulting

Threat Advisory is the threat and behavioural advisory practice of Jayde Consulting. Technical Surveillance Countermeasures are delivered by the parent practice.
