Security Risk Assessment

What it is

A systematic evaluation of threats, vulnerabilities, and consequences to your people, assets, and operations. We identify gaps in your current security controls and recommend prioritised, cost-effective mitigation strategies tailored to your risk tolerance and budget.

When to use this service

  • You have experienced a security incident (theft, fraud, breach, sabotage) and need to understand root causes and prevent recurrence

  • You are opening a new facility or site and need to establish baseline security posture

  • Your current security controls are outdated, untested, or not aligned to operational changes

  • You are preparing for a compliance audit, tender requirement, or regulatory review

  • You want to benchmark your security against industry peers or best practice standards

  • You are planning a major operational or physical change and need to assess security implications

What you will receive

  • Detailed security risk register (MS Excel) with identified threats, vulnerabilities, consequences, current controls, and residual risk ratings

  • Executive summary with top 10 risks and recommended actions, suitable for board or senior leadership review

  • Detailed findings report with site observations, photographs, and evidence-based analysis

  • Prioritised action plan with implementation options, cost estimates, and risk reduction benefits

  • 60-minute stakeholder debrief to confirm understanding, answer questions, and support decision-making

Our process

  1. Initial consultation and scope definition: We confirm your objectives, facility type, operating environment, compliance drivers, and budget parameters

  2. Information gathering: We collect existing security policies, incident history, floor plans, access control arrangements, and CCTV details

  3. Site inspection and observation: We conduct a structured walkthrough to assess perimeter, entry points, access control, lighting, barriers, and operational security behaviours

  4. Stakeholder engagement: We interview facility managers, operations teams, and security personnel to understand pain points and practical constraints

  5. Threat and vulnerability assessment: We identify realistic threats relevant to your sector and location, and evaluate gaps across physical, procedural, and human controls

  6. Risk analysis and evaluation: We assess consequence and likelihood for each risk, document assumptions, and determine overall risk ratings

  7. Recommendations and prioritisation: We develop staged, proportionate recommendations aligned to your budget and risk appetite

  8. Reporting and debrief: We deliver the risk register and report, conduct a stakeholder debrief, and discuss implementation priorities

Standards we follow

  • ISO 31000 — Risk Management principles and framework

  • HB 167:2025 — Handbook guide to managing security related risk

  • Industry benchmarks — Comparison against peer organisations and best practice standards

Frequently asked questions

  1. How long does a security risk assessment take? Typically 2–5 days on-site depending on facility size and complexity. Analysis and reporting add 1–2 weeks. The total engagement is usually 3–4 weeks from initial consultation to final debrief.

  2. What is the difference between a risk assessment and a security audit? A risk assessment identifies what could go wrong and recommends controls to prevent it. An audit evaluates whether existing controls are working as intended. Many organisations benefit from both: a risk assessment to identify gaps, then an audit later to confirm controls are effective.

  3. Do you recommend specific security products or vendors? We recommend only products and vendors that meet Australian sovereign data security standards, comply with Australian Privacy Principles, and have no known vulnerabilities. We remain independent and do not accept commissions from vendors.

  4. Can you help us implement the recommendations? Yes. We offer implementation support including security technology design, vendor sourcing, documentation, staff training, tender management, and executive presentations.

  5. What if we cannot afford all the recommendations? We prioritise recommendations by risk level and cost-effectiveness. Many organisations implement in phases based on budget availability. We can model the risk reduction benefit of staged implementation.

  6. How do you handle disagreements about risk ratings? We use evidence and benchmarking to explain the basis for our risk assessments. Where stakeholders disagree, we facilitate discussion and document the rationale for our ratings. Your risk tolerance ultimately guides which risks you choose to accept or mitigate.

Ready to understand your security risks? Contact us for a confidential consultation